{{- if eq .Values.TALK_RECORDING_ENABLED "yes" }}
# nextcloud-aio-talk-recording Deployment. The whole manifest is rendered
# only when TALK_RECORDING_ENABLED is the string "yes".
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nextcloud-aio-talk-recording
  namespace: "{{ .Values.NAMESPACE }}"
  labels:
    io.kompose.service: nextcloud-aio-talk-recording
  annotations:
    kompose.cmd: kompose convert -c -f latest.yml --namespace "{{ .Values.NAMESPACE }}"
    kompose.version: 1.34.0 (cbf2835db)
spec:
  replicas: 1
  # Recreate terminates the running pod before its replacement is created.
  strategy:
    type: Recreate
  selector:
    matchLabels:
      io.kompose.service: nextcloud-aio-talk-recording
  template:
    metadata:
      labels:
        io.kompose.service: nextcloud-aio-talk-recording
      annotations:
        kompose.cmd: kompose convert -c -f latest.yml --namespace "{{ .Values.NAMESPACE }}"
        kompose.version: 1.34.0 (cbf2835db)
    spec:
      securityContext:
        # Pod-only fields: group ownership applied to mounted volumes.
        fsGroup: 122
        fsGroupChangePolicy: "OnRootMismatch"
        # Fields valid at pod and container level: fixed non-root UID/GID.
        runAsNonRoot: true
        runAsUser: 122
        runAsGroup: 122
        # The seccomp profile is set only when RPSS_ENABLED is "yes";
        # otherwise none is requested by this manifest.
        {{- if eq .Values.RPSS_ENABLED "yes" }}
        seccompProfile:
          type: RuntimeDefault
        {{- end }}
      containers:
        - name: nextcloud-aio-talk-recording
          # Pinned by tag, not by digest.
          # NOTE(review): a digest pin would make the reference immutable;
          # confirm against how this chart is regenerated.
          image: nextcloud/aio-talk-recording:20241125_091756
          env:
            # INTERNAL_SECRET and RECORDING_SECRET are rendered as literal
            # values, so they are stored in plaintext in the Deployment
            # object and readable by anyone allowed to read it.
            # NOTE(review): valueFrom.secretKeyRef would keep them out of
            # the pod spec, but needs a Secret this template does not define.
            # Values are interpolated inside double quotes; a value holding
            # a double quote or backslash would alter the rendered YAML.
            - name: INTERNAL_SECRET
              value: "{{ .Values.TALK_INTERNAL_SECRET }}"
            - name: NC_DOMAIN
              value: "{{ .Values.NC_DOMAIN }}"
            - name: RECORDING_SECRET
              value: "{{ .Values.RECORDING_SECRET }}"
            - name: TZ
              value: "{{ .Values.TIMEZONE }}"
          ports:
            - containerPort: 1234
              protocol: TCP
          securityContext:
            # Container-only fields.
            allowPrivilegeEscalation: false
            capabilities:
              # RPSS_ENABLED "yes" drops every capability; any other value
              # drops NET_RAW only and keeps the rest of the runtime default.
              {{- if eq .Values.RPSS_ENABLED "yes" }}
              drop:
                - "ALL"
              {{- else }}
              drop:
                - "NET_RAW"
              {{- end }}
              # Added in both branches. The only port declared here is 1234.
              # NOTE(review): confirm NET_BIND_SERVICE is still required.
              add:
                - "NET_BIND_SERVICE"
          volumeMounts:
            # /tmp is backed by the persistent volume claim declared below.
            - name: nextcloud-aio-talk-recording
              mountPath: /tmp
      volumes:
        - name: nextcloud-aio-talk-recording
          persistentVolumeClaim:
            claimName: nextcloud-aio-talk-recording
{{- end }}