grpc/tools/run_tests/xds_k8s_test_driver/kubernetes-manifests/server-secure.deployment.yaml

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ${deployment_name}
  namespace: ${namespace_name}
  labels:
    app: ${deployment_name}
    owner: xds-k8s-interop-test
spec:
  replicas: ${replica_count}
  selector:
    matchLabels:
      app: ${deployment_name}
  template:
    metadata:
      labels:
        app: ${deployment_name}
        owner: xds-k8s-interop-test
    spec:
      serviceAccountName: ${service_account_name}
      containers:
      - name: ${deployment_name}
        image: ${image_name}
        imagePullPolicy: Always
        args:
          - "--port=${test_port}"
          - "--maintenance_port=${maintenance_port}"
          - "--secure_mode=${secure_mode}"
        ports:
          - containerPort: ${test_port}
          - containerPort: ${maintenance_port}
        env:
          - name: GRPC_XDS_BOOTSTRAP
            value: "/tmp/grpc-xds/td-grpc-bootstrap.json"
          - name: GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT
            value: "true"
          - name: GRPC_XDS_EXPERIMENTAL_V3_SUPPORT
            value: "true"
          # TODO(sergiitk): this should be conditional for if version < v1.37.x
          - name: GRPC_XDS_EXPERIMENTAL_NEW_SERVER_API
            value: "true"
        volumeMounts:
          - mountPath: /tmp/grpc-xds/
            name: grpc-td-conf
            readOnly: true
          - mountPath: /var/run/gke-spiffe/certs
            name: gke-spiffe-certs-volume
            readOnly: true
        resources:
          limits:
            cpu: 800m
            memory: 512Mi
          requests:
            cpu: 100m
            memory: 512Mi
      initContainers:
        - name: grpc-td-init
          image: ${td_bootstrap_image}
          imagePullPolicy: Always
          args:
            - "--output=/tmp/bootstrap/td-grpc-bootstrap.json"
            - "--vpc-network-name=${network}"
            % if xds_server_uri:
            - "--xds-server-uri=${xds_server_uri}"
            % endif
            - "--include-v3-features-experimental"
            - "--include-psm-security-experimental"
            - "--node-metadata-experimental=app=${namespace_name}-${deployment_name}"
          resources:
            limits:
              cpu: 100m
              memory: 100Mi
            requests:
              cpu: 10m
              memory: 100Mi
          volumeMounts:
            - mountPath: /tmp/bootstrap/
              name: grpc-td-conf
      volumes:
        - name: grpc-td-conf
          emptyDir:
            medium: Memory
        - name: gke-spiffe-certs-volume
          csi:
            driver: certs.spiffe.gke.io
...