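---
# Kanidm identity server: 3 replicas joined by mutual-pull replication.
#
# Trust model, read before editing:
# - Each pod's replication certificate is published into the ConfigMap
#   kanidm-repl-certs by the repl-cert-publisher sidecar; peers embed the
#   published certificates as partner_cert when config-init renders
#   server.toml.  Anything that can write that ConfigMap can therefore enrol
#   a replication partner, so its patch permission must be limited to the
#   kanidm ServiceAccount (the Role/RoleBinding is not part of this file).
# - The ServiceAccount token carries pods/exec and configmaps/patch rights.
#   It is not auto-mounted into every container; only the publisher sidecar
#   receives it through the projected sa-token volume below, so the
#   network-facing kanidmd process never holds it.
# - partner_cert values are read once, at pod start.  A certificate published
#   later is picked up by the other replicas only when they restart.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: kanidm
  namespace: kanidm
  labels:
    app.kubernetes.io/name: kanidm
    app.kubernetes.io/instance: kanidm
spec:
  serviceName: kanidm-headless
  # The hard-coded peer list in config-init (kanidm-0..kanidm-2) must be kept
  # in step with this count.
  replicas: 3
  selector:
    matchLabels:
      app.kubernetes.io/name: kanidm
      app.kubernetes.io/instance: kanidm
  template:
    metadata:
      labels:
        app.kubernetes.io/name: kanidm
        app.kubernetes.io/instance: kanidm
    spec:
      serviceAccountName: kanidm
      # The token is mounted explicitly into repl-cert-publisher only; see the
      # sa-token volume.
      automountServiceAccountToken: false
      affinity:
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchLabels:
                  app.kubernetes.io/name: kanidm
                  app.kubernetes.io/instance: kanidm
              topologyKey: kubernetes.io/hostname
      securityContext:
        runAsUser: 1000
        runAsGroup: 1000
        runAsNonRoot: true
        fsGroup: 1000
        seccompProfile:
          type: RuntimeDefault
      initContainers:
        # Renders server.toml for this pod and appends one [replication.*]
        # stanza per peer whose certificate has already been published.
        - name: config-init
          image: kanidm/server:1.10.3
          command: ["/bin/sh", "-c"]
          args:
            - |
              set -eu
              REPL_ORIGIN="repl://${POD_NAME}.kanidm-headless.kanidm.svc.cluster.local:8444"
              sed "s|__REPL_ORIGIN__|${REPL_ORIGIN}|g" /config-template/server.toml > /config/server.toml
              for peer in kanidm-0 kanidm-1 kanidm-2; do
                if [ "${peer}" = "${POD_NAME}" ]; then
                  continue
                fi
                cert_file="/repl-certs/${peer}"
                # A peer without a published certificate is skipped here and
                # enrolled on the next restart of this pod.
                if [ -s "${cert_file}" ]; then
                  fqdn="${peer}.kanidm-headless.kanidm.svc.cluster.local"
                  printf '\n[replication."repl://%s:8444"]\ntype = "mutual-pull"\npartner_cert = "%s"\n' \
                    "${fqdn}" "$(cat "${cert_file}")" >> /config/server.toml
                fi
              done
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
          volumeMounts:
            - name: config-template
              mountPath: /config-template
              readOnly: true
            - name: config
              mountPath: /config
            - name: repl-certs
              mountPath: /repl-certs
              readOnly: true
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
        # Native sidecar (init container with restartPolicy: Always).  Publishes
        # this pod's current replication certificate into kanidm-repl-certs.
        # Needs RBAC for pods/exec (create) and configmaps (patch) in this
        # namespace, bound to the kanidm ServiceAccount.
        - name: repl-cert-publisher
          image: bitnami/kubectl:1.33
          restartPolicy: Always
          command: ["/bin/sh", "-c"]
          args:
            - |
              set -u
              # Bootstrap: wait until kanidmd answers inside the main container.
              # The first successful call also guarantees a certificate exists.
              until kubectl exec "${POD_NAME}" -c kanidm -- /sbin/kanidmd renew-replication-certificate 2>/dev/null | grep -q '^# certificate:'; do
                sleep 30
              done
              # Steady state: republish the *current* certificate.  Do not call
              # renew-replication-certificate in this loop: renewal rotates the
              # key, and peers only re-read partner_cert when they restart, so
              # periodic renewal would silently break mutual-pull trust.
              while true; do
                cert=$(kubectl exec "${POD_NAME}" -c kanidm -- /sbin/kanidmd show-replication-certificate 2>/dev/null \
                  | grep '^# certificate:' | sed 's/^# certificate: "\(.*\)"$/\1/')
                # The value is interpolated verbatim into the JSON merge patch;
                # it is expected to be a single line with no double quotes.
                if [ -n "${cert}" ]; then
                  kubectl patch configmap kanidm-repl-certs \
                    --type=merge \
                    -p "{\"data\":{\"${POD_NAME}\":\"${cert}\"}}"
                fi
                sleep 3600
              done
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
          volumeMounts:
            # Standard in-cluster credential layout (token, ca.crt, namespace),
            # restricted to this container.
            - name: sa-token
              mountPath: /var/run/secrets/kubernetes.io/serviceaccount
              readOnly: true
          # Constructed starting values; tune to observed usage.
          resources:
            requests:
              memory: 32Mi
              cpu: 10m
            limits:
              memory: 128Mi
              cpu: 100m
          securityContext:
            allowPrivilegeEscalation: false
            # kubectl writes its discovery cache under $HOME, so the root
            # filesystem stays writable here.
            readOnlyRootFilesystem: false
            capabilities:
              drop: ["ALL"]
      containers:
        - name: kanidm
          image: kanidm/server:1.10.3
          command: ["/sbin/kanidmd"]
          args: ["server", "-c", "/config/server.toml"]
          ports:
            - name: https
              containerPort: 8443
              protocol: TCP
            # Replication endpoint: authenticated by partner_cert, but should
            # still be reachable only from the other replicas (NetworkPolicy
            # not included in this file).
            - name: replication
              containerPort: 8444
              protocol: TCP
          volumeMounts:
            - name: data
              mountPath: /data
            - name: config
              mountPath: /config
              readOnly: true
            - name: tls
              mountPath: /data/tls
              readOnly: true
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: false
            # kanidmd binds only unprivileged ports (8443/8444) as UID 1000.
            capabilities:
              drop: ["ALL"]
          resources:
            requests:
              memory: 256Mi
              cpu: 100m
            limits:
              memory: 1Gi
              cpu: 500m
          readinessProbe:
            tcpSocket:
              port: 8443
            initialDelaySeconds: 15
            periodSeconds: 10
          livenessProbe:
            tcpSocket:
              port: 8443
            initialDelaySeconds: 30
            periodSeconds: 30
      volumes:
        - name: config-template
          configMap:
            name: kanidm-config
        - name: config
          emptyDir: {}
        # Must exist before the pods start; config-init tolerates it being
        # empty, and the publisher patches keys into it.
        - name: repl-certs
          configMap:
            name: kanidm-repl-certs
        - name: tls
          secret:
            secretName: kanidm-tls
        # Same contents as the auto-mounted ServiceAccount token directory,
        # but mounted only into repl-cert-publisher.
        - name: sa-token
          projected:
            sources:
              - serviceAccountToken:
                  path: token
                  expirationSeconds: 3600
              - configMap:
                  name: kube-root-ca.crt
                  items:
                    - key: ca.crt
                      path: ca.crt
              - downwardAPI:
                  items:
                    - path: namespace
                      fieldRef:
                        fieldPath: metadata.namespace
  volumeClaimTemplates:
    - metadata:
        name: data
      spec:
        accessModes: [ReadWriteOnce]
        storageClassName: cephrbd-fast-delete
        resources:
          requests:
            storage: 10Gi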