diff --git a/apps/base/kanidm/kustomization.yaml b/apps/base/kanidm/kustomization.yaml
index 6608e74..7f64266 100644
--- a/apps/base/kanidm/kustomization.yaml
+++ b/apps/base/kanidm/kustomization.yaml
@@ -25,5 +25,3 @@ configMapGenerator:
 app.kubernetes.io/instance: kanidm
 files:
 - server-0.toml=resources/server-0.toml
- - server-1.toml=resources/server-1.toml
- - server-2.toml=resources/server-2.toml
diff --git a/apps/base/kanidm/resources/server-0.toml b/apps/base/kanidm/resources/server-0.toml
index 8aba04e..dac4356 100644
--- a/apps/base/kanidm/resources/server-0.toml
+++ b/apps/base/kanidm/resources/server-0.toml
@@ -13,7 +13,3 @@ log_level = "info"
 path = "/data/backups/"
 schedule = "0 22 * * *"
 versions = 7
-
-[replication]
-origin = "repl://kanidm-0.kanidm-headless.kanidm.svc.cluster.local:8444"
-bindaddress = "[::]:8444"
diff --git a/apps/base/kanidm/resources/server-1.toml b/apps/base/kanidm/resources/server-1.toml
deleted file mode 100644
index 44aa47d..0000000
--- a/apps/base/kanidm/resources/server-1.toml
+++ /dev/null
@@ -1,19 +0,0 @@
-version = "2"
-
-domain = "auth.unkin.net"
-origin = "https://auth.unkin.net"
-bindaddress = "[::]:8443"
-db_path = "/data/kanidm.db"
-db_arc_size = 2048
-tls_chain = "/data/tls/tls.crt"
-tls_key = "/data/tls/tls.key"
-log_level = "info"
-
-[online_backup]
-path = "/data/backups/"
-schedule = "0 22 * * *"
-versions = 7
-
-[replication]
-origin = "repl://kanidm-1.kanidm-headless.kanidm.svc.cluster.local:8444"
-bindaddress = "[::]:8444"
diff --git a/apps/base/kanidm/resources/server-2.toml b/apps/base/kanidm/resources/server-2.toml
deleted file mode 100644
index 808f436..0000000
--- a/apps/base/kanidm/resources/server-2.toml
+++ /dev/null
@@ -1,19 +0,0 @@
-version = "2"
-
-domain = "auth.unkin.net"
-origin = "https://auth.unkin.net"
-bindaddress = "[::]:8443"
-db_path = "/data/kanidm.db"
-db_arc_size = 2048
-tls_chain = "/data/tls/tls.crt"
-tls_key = "/data/tls/tls.key"
-log_level = "info"
-
-[online_backup]
-path = "/data/backups/"
-schedule = "0 22 * * *"
-versions = 7
-
-[replication]
-origin = "repl://kanidm-2.kanidm-headless.kanidm.svc.cluster.local:8444"
-bindaddress = "[::]:8444"
diff --git a/apps/base/kanidm/service.yaml b/apps/base/kanidm/service.yaml
index 3467ef8..9b96a36 100644
--- a/apps/base/kanidm/service.yaml
+++ b/apps/base/kanidm/service.yaml
@@ -38,10 +38,6 @@ spec:
 port: 8443
 targetPort: https
 protocol: TCP
- - name: replication
- port: 8444
- targetPort: replication
- protocol: TCP
 selector:
 app.kubernetes.io/name: kanidm
 app.kubernetes.io/instance: kanidm
diff --git a/apps/base/kanidm/statefulset.yaml b/apps/base/kanidm/statefulset.yaml
index 3fe8f2c..cc42fb6 100644
--- a/apps/base/kanidm/statefulset.yaml
+++ b/apps/base/kanidm/statefulset.yaml
@@ -11,7 +11,7 @@ metadata:
 app.kubernetes.io/instance: kanidm
 spec:
 serviceName: kanidm-headless
- replicas: 3
+ replicas: 1
 selector:
 matchLabels:
 app.kubernetes.io/name: kanidm
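Review bot: `replicas: 1` has become a hard ceiling rather than a tunable, because the `[replication]` stanza is gone from server-0.toml and every pod now gets the same `server-0.toml`, so scaling this StatefulSet above 1 would start extra kanidm pods that each serve `auth.unkin.net` from their own unreplicated database, and nothing in the manifest prevents that. A comment at the value makes the constraint visible to the next person who reaches for it: `replicas: 1  # single-node: replication removed; >1 yields independent, unreplicated databases`. Scaling a StatefulSet down also leaves the retired pods' PersistentVolumeClaims in place if `data` comes from a volumeClaimTemplate (not in view here); each of those would hold a full copy of `/data/kanidm.db` and its backups, so they should be deleted or wiped once kanidm-0 is confirmed healthy.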
@@ -23,61 +23,11 @@ spec:
 app.kubernetes.io/instance: kanidm
 spec:
 serviceAccountName: kanidm
- affinity:
- podAntiAffinity:
- requiredDuringSchedulingIgnoredDuringExecution:
- - labelSelector:
- matchLabels:
- app.kubernetes.io/name: kanidm
- app.kubernetes.io/instance: kanidm
- topologyKey: kubernetes.io/hostname
 securityContext:
 runAsUser: 1000
 runAsGroup: 1000
 runAsNonRoot: true
 fsGroup: 1000
- initContainers:
- - name: config-init
- image: busybox:1.36
- command: ["/bin/sh", "-c"]
- args:
- - |
- set -e
- cp "/config-template/server-${POD_NAME##*-}.toml" /config/server.toml
- if [ "${POD_NAME}" = "kanidm-0" ]; then
- peers="kanidm-1 kanidm-2"
- else
- peers="kanidm-0"
- fi
- for peer in ${peers}; do
- cert_file="/repl-certs/${peer}"
- [ -s "${cert_file}" ] || continue
- fqdn="${peer}.kanidm-headless.kanidm.svc.cluster.local"
- if [ "${peer}" = "kanidm-0" ]; then
- printf '\n[replication."repl://%s:8444"]\ntype = "mutual-pull"\npartner_cert = "%s"\nautomatic_refresh = true\n' \
- "${fqdn}" "$(cat ${cert_file})" >> /config/server.toml
- else
- printf '\n[replication."repl://%s:8444"]\ntype = "mutual-pull"\npartner_cert = "%s"\n' \
- "${fqdn}" "$(cat ${cert_file})" >> /config/server.toml
- fi
- done
- env:
- - name: POD_NAME
- valueFrom:
- fieldRef:
- fieldPath: metadata.name
- volumeMounts:
- - name: config-template
- mountPath: /config-template
- readOnly: true
- - name: config
- mountPath: /config
- - name: repl-certs
- mountPath: /repl-certs
- readOnly: true
- securityContext:
- allowPrivilegeEscalation: false
- readOnlyRootFilesystem: true
 containers:
 - name: kanidm
 image: kanidm/server:1.10.3
@@ -87,14 +37,12 @@ spec:
 - name: https
 containerPort: 8443
 protocol: TCP
- - name: replication
- containerPort: 8444
- protocol: TCP
 volumeMounts:
 - name: data
 mountPath: /data
 - name: config
- mountPath: /config
+ mountPath: /config/server.toml
+ subPath: server-0.toml
 readOnly: true
 - name: tls
 mountPath: /data/tls
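Review bot: The deleted config-init container was the only container in view that set `allowPrivilegeEscalation: false` and `readOnlyRootFilesystem: true`; the kanidm container's own securityContext is not shown (its spec starts at `- name: kanidm` at the end of the first hunk and resumes at `@@ -87`), so if it does not already declare these, this change removes the last container-level hardening in the StatefulSet. The pod-level securityContext that survives only fixes uid/gid and fsGroup; privilege-escalation and root-filesystem restrictions can only be expressed per container. Worth confirming and, if absent, adding under the kanidm container: `securityContext: {allowPrivilegeEscalation: false, readOnlyRootFilesystem: true, capabilities: {drop: ["ALL"]}}` — the paths kanidm is configured to write (`/data/kanidm.db`, `/data/backups/`) all sit on the `data` volume, but whether the image writes anywhere else at startup should be checked before enabling the read-only root.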
@@ -120,14 +68,9 @@ spec:
 initialDelaySeconds: 30
 periodSeconds: 30
 volumes:
- - name: config-template
+ - name: config
 configMap:
 name: kanidm-config
- - name: config
- emptyDir: {}
- - name: repl-certs
- secret:
- secretName: kanidm-repl-certs
 - name: tls
 secret:
 secretName: kanidm-tls
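Review bot: The `kanidm-repl-certs` Secret is unmounted here, but nothing in this diff removes the Secret object or whatever populated it, so the replication partner certificates stay resident in the namespace with no consumer (the Secret's definition and the kustomization `resources` list are not in view, so this may be handled elsewhere). Those certificates were the credential the former nodes trusted for mutual-pull replication on 8444, and stale trust material that outlives its purpose is exactly what gets forgotten until it is abused; the Secret, any cert-issuing resource behind it, and any NetworkPolicy rule still admitting TCP 8444 should be removed in the same change. If the Secret must stay for a rollback window, a comment above `- name: tls` stating that and the removal date keeps it from becoming permanent.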