kanidm: fix probes and use 443 port by default

2025-04-11 16:01:20 +03:00 · 2025-04-11 16:01:20 +03:00 · 399eae0f1a
commit 399eae0f1a
parent 0d91f6f91d
3 changed files with 17 additions and 9 deletions
--- a/kanidm/templates/configmap.yaml
+++ b/kanidm/templates/configmap.yaml
@ -10,7 +10,7 @@ data:
    #   If the port is set to 443 you may require the
    #   NET_BIND_SERVICE capability.
    #   Defaults to "127.0.0.1:8443"
-    bindaddress = "{{ .Values.kanidm.bindaddress }}"
+    bindaddress = "{{ tpl .Values.kanidm.bindaddress $ }}"
    #
    {{- if .Values.kanidmLdap.enabled }}
    #   The read-only ldap server bind address. Requires
@ -101,7 +101,7 @@ data:
    #   domain name you configure above. If these two items are
    #   not consistent, the server WILL refuse to start!
    #   origin = "https://idm.example.com"
-    origin = "https://{{ tpl .Values.kanidm.domain $ }}:8443"
+    origin = "https://{{ tpl .Values.kanidm.domain $ }}:{{ .Values.service.port }}"
    #
    {{- if .Values.kanidmOnlineBackup.enabled }}
    [online_backup]
--- a/kanidm/templates/deployment.yaml
+++ b/kanidm/templates/deployment.yaml
@ -8,13 +8,18 @@ spec:
  {{- if not .Values.autoscaling.enabled }}
  replicas: {{ .Values.replicaCount }}
  {{- end }}
+  {{- if .Values.strategy }}
+  strategy:
+  {{ toYaml .Values.strategy | indent 2 }}
+  {{- end }}
  selector:
    matchLabels:
      {{- include "kanidm.selectorLabels" . | nindent 6 }}
  template:
    metadata:
-      {{- with .Values.podAnnotations }}
      annotations:
+        checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
+      {{- with .Values.podAnnotations }}
        {{- toYaml . | nindent 8 }}
      {{- end }}
      labels:
@ -61,7 +66,7 @@ spec:
              zypper install -y gawk kubernetes-client
              /sbin/kanidmd server -c /data/server.toml &
              serverPID=$!
-              until curl -k --output /dev/null --silent --head --fail https://localhost:8443; do
+              until curl -k --output /dev/null --silent --head --fail https://localhost:{{ .Values.service.port }}; do
                printf '.'
                sleep 5
              done
--- a/kanidm/values.yaml
+++ b/kanidm/values.yaml
@ -4,6 +4,9 @@

 replicaCount: 1

+strategy:
+  type: Recreate
+
 image:
  repository: docker.io/kanidm/server
  pullPolicy: IfNotPresent
@ -15,9 +18,9 @@ nameOverride: ""
 fullnameOverride: ""

 kanidm:
-  bindaddress: "[::]:8443"
+  bindaddress: "[::]:{{ .Values.service.port }}"
  domain: "idm.example.com"
-  #origin: "https://{{ .Values.kanidm.domain }}:8443
+  #origin: "https://{{ .Values.kanidm.domain }}:{{ .Values.service.port }}"
  trust_x_forward_for: true
  db_path: "/data/kanidm.db"
  #db_fs_type: "zfs"
@ -63,7 +66,7 @@ securityContext: {}

 service:
  type: ClusterIP
-  port: 8443
+  port: 443

 ingress:
  enabled: false
@ -116,12 +119,12 @@ resources: {}
 livenessProbe:
  httpGet:
    scheme: HTTPS
-    path: /
+    path: /status
    port: http
 readinessProbe:
  httpGet:
    scheme: HTTPS
-    path: /
+    path: /status
    port: http

 autoscaling: