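---
# Kanidm identity server as a 3-replica StatefulSet. Each pod renders its own
# server.toml in an init container (base file from a ConfigMap, plus one
# mutual-pull replication stanza per peer whose cert is present in the
# repl-certs Secret), then runs kanidmd against that rendered file.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: kanidm
  namespace: kanidm
  annotations:
    # Stakater Reloader restarts the pods when a referenced ConfigMap/Secret changes.
    reloader.stakater.com/auto: "true"
  labels:
    app.kubernetes.io/name: kanidm
    app.kubernetes.io/instance: kanidm
spec:
  serviceName: kanidm-headless
  # NOTE: the peer list in the config-init script below is hard-coded to
  # kanidm-0..kanidm-2; keep it in sync with this value.
  replicas: 3
  selector:
    matchLabels:
      app.kubernetes.io/name: kanidm
      app.kubernetes.io/instance: kanidm
  template:
    metadata:
      labels:
        app.kubernetes.io/name: kanidm
        app.kubernetes.io/instance: kanidm
    spec:
      serviceAccountName: kanidm
      affinity:
        podAntiAffinity:
          # Hard requirement: one replica per node, so a single node failure
          # cannot take out more than one member of the replication group.
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchLabels:
                  app.kubernetes.io/name: kanidm
                  app.kubernetes.io/instance: kanidm
              topologyKey: kubernetes.io/hostname
      securityContext:
        runAsUser: 1000
        runAsGroup: 1000
        runAsNonRoot: true
        # fsGroup makes the PVC and mounted Secrets group-readable by the
        # kanidm process.
        fsGroup: 1000
        # Pod-wide default seccomp profile; both containers inherit it.
        seccompProfile:
          type: RuntimeDefault
      initContainers:
        - name: config-init
          image: busybox:1.36
          command: ["/bin/sh", "-c"]
          args:
            - |
              set -e
              # POD_NAME is "kanidm-N"; pick the per-ordinal template.
              cp "/config-template/server-${POD_NAME##*-}.toml" /config/server.toml
              # Append a replication stanza for every *other* pod whose cert is
              # present (non-empty) in the repl-certs Secret. Peers without a
              # cert yet (e.g. first bootstrap) are skipped silently.
              for peer in kanidm-0 kanidm-1 kanidm-2; do
                [ "${peer}" = "${POD_NAME}" ] && continue
                cert_file="/repl-certs/${peer}"
                [ -s "${cert_file}" ] || continue
                fqdn="${peer}.kanidm-headless.kanidm.svc.cluster.local"
                # partner_cert is emitted inside a TOML basic string, so the
                # Secret value is assumed to be a single line -- verify when
                # populating kanidm-repl-certs.
                printf '\n[replication."repl://%s:8444"]\ntype = "mutual-pull"\npartner_cert = "%s"\n' \
                  "${fqdn}" "$(cat "${cert_file}")" >> /config/server.toml
              done
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
          volumeMounts:
            - name: config-template
              mountPath: /config-template
              readOnly: true
            # Writable: the rendered server.toml lands here.
            - name: config
              mountPath: /config
            - name: repl-certs
              mountPath: /repl-certs
              readOnly: true
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            # Runs as uid 1000 and only copies files; no capabilities needed.
            capabilities:
              drop: ["ALL"]
      containers:
        - name: kanidm
          image: kanidm/server:1.10.3
          command: ["/sbin/kanidmd"]
          args: ["server", "-c", "/config/server.toml"]
          ports:
            - name: https
              containerPort: 8443
              protocol: TCP
            - name: replication
              containerPort: 8444
              protocol: TCP
          volumeMounts:
            - name: data
              mountPath: /data
            - name: config
              mountPath: /config
              readOnly: true
            # TLS material is mounted beneath the data PVC mount.
            - name: tls
              mountPath: /data/tls
              readOnly: true
          securityContext:
            allowPrivilegeEscalation: false
            # NOTE(review): left writable as in the original; all persistent
            # state lives under /data, so this can likely be set to true once
            # confirmed that kanidmd writes nowhere else (e.g. /tmp).
            readOnlyRootFilesystem: false
            # Unprivileged ports (8443/8444) and uid 1000: no capabilities needed.
            capabilities:
              drop: ["ALL"]
          resources:
            requests:
              memory: 256Mi
              cpu: 100m
            limits:
              memory: 1Gi
              cpu: 500m
          # Both probes only check that the HTTPS port accepts connections;
          # they do not verify application health.
          readinessProbe:
            tcpSocket:
              port: 8443
            initialDelaySeconds: 15
            periodSeconds: 10
          livenessProbe:
            tcpSocket:
              port: 8443
            initialDelaySeconds: 30
            periodSeconds: 30
      volumes:
        # Per-ordinal base config files: server-0.toml, server-1.toml, ...
        - name: config-template
          configMap:
            name: kanidm-config
        # Scratch space for the rendered config; regenerated on every pod start.
        - name: config
          emptyDir: {}
        # Secret keys are the peer pod names (kanidm-0, kanidm-1, kanidm-2).
        - name: repl-certs
          secret:
            secretName: kanidm-repl-certs
        - name: tls
          secret:
            secretName: kanidm-tls
  volumeClaimTemplates:
    - metadata:
        name: data
      spec:
        accessModes: [ReadWriteOnce]
        storageClassName: cephrbd-fast-delete
        resources:
          requests:
            storage: 10Gi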