apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "kanidm.fullname" . }}
labels:
{{- include "kanidm.labels" . | nindent 4 }}
spec:
{{- if not .Values.autoscaling.enabled }}
replicas: {{ .Values.replicaCount }}
{{- end }}
selector:
matchLabels:
{{- include "kanidm.selectorLabels" . | nindent 6 }}
template:
metadata:
{{- with .Values.podAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "kanidm.labels" . | nindent 8 }}
{{- with .Values.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "kanidm.serviceAccountName" . }}
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
shareProcessNamespace: true
initContainers:
- name: {{ .Chart.Name }}-certs
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
command:
- bash
- -c
- kanidmd cert-generate
imagePullPolicy: {{ .Values.image.pullPolicy }}
volumeMounts:
- name: kanidm-data
mountPath: "/data"
- name: kanidm-config
mountPath: /data/server.toml
subPath: server.toml
{{- with .Values.volumeMounts }}
{{- toYaml . | nindent 12 }}
{{- end }}
- name: {{ .Chart.Name }}-db-pass
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
command:
- bash
- -c
- |
zypper install -y gawk kubernetes-client
/sbin/kanidmd server -c /data/server.toml &
serverPID=$!
until curl -k --output /dev/null --silent --head --fail https://localhost:8443; do
printf '.'
sleep 5
done
ADMIN_PASS=$(kanidmd recover-account admin 2>/dev/null | gawk 'match($0, /new_password:(.*)/, a) { gsub(/ |"/, "", a[1]); print a[1]}')
IDM_ADMIN_PASS=$(kanidmd recover-account idm_admin 2>/dev/null | gawk 'match($0, /new_password:(.*)/, a) { gsub(/ |"/, "", a[1]); print a[1]}')
kill $serverPID
kubectl delete secret kanidm-passwords --ignore-not-found
kubectl create secret generic kanidm-passwords --from-literal=admin="$ADMIN_PASS" --from-literal=idm_admin="$IDM_ADMIN_PASS"
imagePullPolicy: {{ .Values.image.pullPolicy }}
volumeMounts:
- name: kanidm-data
mountPath: "/data"
- name: kanidm-config
mountPath: /data/server.toml
subPath: server.toml
{{- with .Values.volumeMounts }}
{{- toYaml . | nindent 12 }}
{{- end }}
containers:
- name: {{ .Chart.Name }}
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
ports:
- name: http
containerPort: {{ .Values.service.port }}
protocol: TCP
livenessProbe:
{{- toYaml .Values.livenessProbe | nindent 12 }}
readinessProbe:
{{- toYaml .Values.readinessProbe | nindent 12 }}
resources:
{{- toYaml .Values.resources | nindent 12 }}
volumeMounts:
- name: kanidm-data
mountPath: "/data"
- name: kanidm-config
mountPath: /data/server.toml
subPath: server.toml
{{- with .Values.volumeMounts }}
{{- toYaml . | nindent 12 }}
{{- end }}
volumes:
- name: kanidm-data
{{- if .Values.persistence.enabled }}
persistentVolumeClaim:
claimName: {{ .Values.persistence.existingClaim | default (include "kanidm.fullname" .) }}-data
{{- else }}
emptyDir: {}
{{- end }}
- name: kanidm-config
configMap:
name: {{ include "kanidm.fullname" . }}-config
{{- with .Values.volumes }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}