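---
# kanidm identity server: a 3-replica StatefulSet, one pod per node, where
# each pod copies its own server-<ordinal>.toml out of the kanidm-config
# ConfigMap before kanidmd starts.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: kanidm
  namespace: kanidm
  labels:
    app.kubernetes.io/name: kanidm
    app.kubernetes.io/instance: kanidm
spec:
  serviceName: kanidm-headless
  replicas: 3
  selector:
    matchLabels:
      app.kubernetes.io/name: kanidm
      app.kubernetes.io/instance: kanidm
  template:
    metadata:
      labels:
        app.kubernetes.io/name: kanidm
        app.kubernetes.io/instance: kanidm
    spec:
      serviceAccountName: kanidm
      # Nothing in this pod is expected to call the Kubernetes API, so keep the
      # service-account token off the pod filesystem (a compromised kanidmd
      # would otherwise hold a cluster credential). Re-enable only if the SA
      # is genuinely used for API access — verify before relying on this.
      automountServiceAccountToken: false
      affinity:
        podAntiAffinity:
          # Hard rule: two replicas are never scheduled onto the same node.
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchLabels:
                  app.kubernetes.io/name: kanidm
                  app.kubernetes.io/instance: kanidm
              topologyKey: kubernetes.io/hostname
      securityContext:
        runAsUser: 1000
        runAsGroup: 1000
        runAsNonRoot: true
        # Mounted volumes (PVC, secret, emptyDir) are made accessible to gid 1000.
        fsGroup: 1000
        # Default container seccomp profile; required by the "restricted"
        # Pod Security Standard and costs nothing for an unprivileged process.
        seccompProfile:
          type: RuntimeDefault
      initContainers:
        # Picks this replica's config by the StatefulSet ordinal (the part of
        # the pod name after the last '-') and drops it onto the shared emptyDir.
        - name: config-init
          # TODO(review): pin by digest (busybox:1.36@sha256:...) — a mutable
          # tag can be re-pushed upstream without any change in this manifest.
          image: busybox:1.36
          command: ["/bin/sh", "-c"]
          args:
            - cp "/config-template/server-${POD_NAME##*-}.toml" /config/server.toml
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
          volumeMounts:
            - name: config-template
              mountPath: /config-template
              readOnly: true
            - name: config
              mountPath: /config
          securityContext:
            allowPrivilegeEscalation: false
            # The only write is to the /config volume, so the root fs can stay read-only.
            readOnlyRootFilesystem: true
            # A single cp needs no capabilities.
            capabilities:
              drop: ["ALL"]
      containers:
        - name: kanidm
          # TODO(review): pin by digest (kanidm/server:1.10.3@sha256:...) for
          # the same reason as the init image.
          image: kanidm/server:1.10.3
          command: ["/sbin/kanidmd"]
          args: ["server", "-c", "/config/server.toml"]
          ports:
            - name: https
              containerPort: 8443
              protocol: TCP
            - name: replication
              containerPort: 8444
              protocol: TCP
          volumeMounts:
            - name: data
              mountPath: /data
            - name: config
              mountPath: /config
              readOnly: true
            # Nested inside /data: the kubelet mounts volumes in path order, so
            # the secret is layered on top of the PVC rather than hidden by it.
            - name: tls
              mountPath: /data/tls
              readOnly: true
          securityContext:
            allowPrivilegeEscalation: false
            # NOTE(review): left writable because this manifest does not show
            # whether kanidmd writes anywhere outside /data (e.g. a scratch
            # dir). Flip to true, adding an emptyDir for any such path, once
            # that is confirmed.
            readOnlyRootFilesystem: false
            # Both listening ports (8443, 8444) are unprivileged and the
            # process runs as uid 1000, so no capability is required.
            capabilities:
              drop: ["ALL"]
          resources:
            requests:
              memory: 256Mi
              cpu: 100m
            limits:
              memory: 1Gi
              cpu: 500m
          # NOTE(review): a TCP connect only proves the listener is up, not
          # that the server can answer; an httpGet (scheme: HTTPS) against the
          # server's health endpoint would also catch a wedged process —
          # confirm the endpoint path for this kanidm version before switching.
          readinessProbe:
            tcpSocket:
              port: 8443
            initialDelaySeconds: 15
            periodSeconds: 10
          livenessProbe:
            tcpSocket:
              port: 8443
            initialDelaySeconds: 30
            periodSeconds: 30
      volumes:
        - name: config-template
          configMap:
            name: kanidm-config
        - name: config
          emptyDir: {}
        - name: tls
          secret:
            secretName: kanidm-tls
            # Octal 0440 (YAML 1.1 reads the leading zero as octal; decimal
            # 288): the TLS private key is readable by the file owner and
            # gid 1000 (fsGroup) only, instead of the world-readable default.
            defaultMode: 0440
  volumeClaimTemplates:
    - metadata:
        name: data
      spec:
        accessModes: [ReadWriteOnce]
        # The class name suggests a Delete reclaim policy: removing the PVC
        # would destroy this replica's identity database, so make sure backups
        # exist before scaling down or deleting the StatefulSet.
        storageClassName: cephrbd-fast-delete
        resources:
          requests:
            storage: 10Gi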