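---
# Kanidm identity server as a 3-replica StatefulSet.
# Each pod renders its own server.toml in an init container (substituting its
# replication origin from the pod name), then runs kanidmd against that config.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: kanidm
  namespace: kanidm
  labels:
    app.kubernetes.io/name: kanidm
    app.kubernetes.io/instance: kanidm
spec:
  # Headless service gives each pod the stable DNS name used as its repl origin.
  serviceName: kanidm-headless
  replicas: 3
  selector:
    matchLabels:
      app.kubernetes.io/name: kanidm
      app.kubernetes.io/instance: kanidm
  template:
    metadata:
      labels:
        app.kubernetes.io/name: kanidm
        app.kubernetes.io/instance: kanidm
    spec:
      # NOTE(review): nothing in this spec calls the Kubernetes API; if the
      # service account is only used for identity, consider
      # automountServiceAccountToken: false so no API token lands in the pod.
      serviceAccountName: kanidm
      affinity:
        podAntiAffinity:
          # Hard anti-affinity: with replicas: 3 the cluster needs at least
          # three schedulable nodes or pods stay Pending.
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchLabels:
                  app.kubernetes.io/name: kanidm
                  app.kubernetes.io/instance: kanidm
              topologyKey: kubernetes.io/hostname
      securityContext:
        runAsUser: 1000
        runAsGroup: 1000
        runAsNonRoot: true
        # fsGroup makes the PVC and mounted secret group-readable by uid 1000.
        fsGroup: 1000
        # Added: restricted Pod Security Standard requires an explicit seccomp
        # profile; the runtime default is sufficient for kanidmd.
        seccompProfile:
          type: RuntimeDefault
      initContainers:
        - name: config-init
          # Same image as the main container so the tag is bumped in one place.
          # Consider pinning by digest (ghcr.io/kanidm/server@sha256:<DIGEST>)
          # so a re-tagged image cannot silently change what runs.
          image: ghcr.io/kanidm/server:1.10.3
          command: ["/bin/sh", "-c"]
          args:
            - |
              set -e
              # POD_NAME comes from the downward API (metadata.name), so the
              # substituted value is controlled by the StatefulSet, not by
              # external input.
              REPL_ORIGIN="repl://${POD_NAME}.kanidm-headless.kanidm.svc.cluster.local:8444"
              sed "s|__REPL_ORIGIN__|${REPL_ORIGIN}|g" /config-template/server.toml > /config/server.toml
              # NOTE(review): peers.toml is appended verbatim; if it repeats a
              # TOML table header already present in the template, kanidmd will
              # reject the merged file — confirm the two ConfigMaps are disjoint.
              if [ -s /repl-peers/peers.toml ]; then
                cat /repl-peers/peers.toml >> /config/server.toml
              fi
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
          volumeMounts:
            - name: config-template
              mountPath: /config-template
            # /config is the emptyDir shared with the main container; it is the
            # only writable path this init container needs.
            - name: config
              mountPath: /config
            - name: repl-peers
              mountPath: /repl-peers
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            # Added: shell + sed need no Linux capabilities.
            capabilities:
              drop: ["ALL"]
      containers:
        - name: kanidm
          image: ghcr.io/kanidm/server:1.10.3
          command: ["/sbin/kanidmd"]
          args: ["server", "-c", "/config/server.toml"]
          ports:
            - name: https
              containerPort: 8443
              protocol: TCP
            - name: replication
              containerPort: 8444
              protocol: TCP
          volumeMounts:
            - name: data
              mountPath: /data
            - name: config
              mountPath: /config
              readOnly: true
            # Mounted inside the PVC path; the kubelet nests mounts by path
            # order, so /data/tls shadows any directory of that name on the PVC.
            - name: tls
              mountPath: /data/tls
              readOnly: true
          securityContext:
            allowPrivilegeEscalation: false
            # NOTE(review): state lives on the /data volume; if kanidmd writes
            # nowhere else, this can be set to true (verify before changing).
            readOnlyRootFilesystem: false
            # Added: both listeners are above 1024 and the process runs as
            # uid 1000, so no capability is required.
            capabilities:
              drop: ["ALL"]
          resources:
            requests:
              memory: 256Mi
              cpu: 100m
            limits:
              memory: 1Gi
              cpu: 500m
          # Probes only check that the TLS port accepts connections; they do
          # not verify that the database opened or replication is healthy.
          readinessProbe:
            tcpSocket:
              port: 8443
            initialDelaySeconds: 15
            periodSeconds: 10
          livenessProbe:
            tcpSocket:
              port: 8443
            initialDelaySeconds: 30
            periodSeconds: 30
      volumes:
        - name: config-template
          configMap:
            name: kanidm-config
        # Rendered config; pod-local and discarded on restart.
        - name: config
          emptyDir: {}
        - name: repl-peers
          configMap:
            name: kanidm-repl-peers
        - name: tls
          secret:
            secretName: kanidm-tls
  volumeClaimTemplates:
    - metadata:
        name: data
      spec:
        accessModes: [ReadWriteOnce]
        storageClassName: cephrbd-fast-delete
        resources:
          requests:
            storage: 10Gi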