kind: ConfigMap
apiVersion: v1
metadata:
name: {{ include "kanidm.fullname" . }}-config
labels:
{{- include "kanidm.labels" . | nindent 4 }}
data:
server.toml: |
# The webserver bind address. Requires TLS certificates.
# If the port is set to 443 you may require the
# NET_BIND_SERVICE capability.
# Defaults to "127.0.0.1:8443"
bindaddress = "{{ tpl .Values.kanidm.bindaddress $ }}"
#
{{- if .Values.kanidmLdap.enabled }}
# The read-only ldap server bind address. Requires
# TLS certificates. If set to 636 you may require
# the NET_BIND_SERVICE capability.
# Defaults to "" (disabled)
dapbindaddress = "{{ .Values.kanidmLdap.dapbindaddress }}"
{{- else }}
# ldapbindaddress = "[::]:3636"
{{- end }}
#
# HTTPS requests can be reverse proxied by a loadbalancer.
# To preserve the original IP of the caller, these systems
# will often add a header such as "Forwarded" or
# "X-Forwarded-For". If set to true, then this header is
# respected as the "authoritative" source of the IP of the
# connected client. If you are not using a load balancer
# then you should leave this value as default.
# Defaults to false
trust_x_forward_for = {{ .Values.kanidm.trust_x_forward_for }}
#
# The path to the kanidm database.
db_path = "{{ .Values.kanidm.db_path }}"
#
# If you have a known filesystem, kanidm can tune the
# database page size to match. Valid choices are:
# [zfs, other]
# If you are unsure about this leave it as the default
# (other). After changing this
# value you must run a vacuum task.
# - zfs:
# * sets database pagesize to 64k. You must set
# recordsize=64k on the zfs filesystem.
# - other:
# * sets database pagesize to 4k, matching most
# filesystems block sizes.
{{- if .Values.kanidm.db_fs_type }}
db_fs_type = "{{ .Values.kanidm.db_fs_type }}"
{{- else }}
# db_fs_type = "zfs"
{{- end }}
#
# The number of entries to store in the in-memory cache.
# Minimum value is 256. If unset
# an automatic heuristic is used to scale this.
# You should only adjust this value if you experience
# memory pressure on your system.
{{- if .Values.kanidm.db_arc_size }}
db_arc_size = {{ .Values.kanidm.db_arc_size }}
{{- else }}
# db_arc_size = 2048
{{- end }}
#
# TLS chain and key in pem format. Both must be present.
# If the server receives a SIGHUP, these files will be
# re-read and reloaded if their content is valid.
tls_chain = "{{ .Values.kanidm.tls_chain }}"
tls_key = "{{ .Values.kanidm.tls_key }}"
#
# The log level of the server. May be one of info, debug, trace
#
# NOTE: this can be overridden by the environment variable
# `KANIDM_LOG_LEVEL` at runtime
# Defaults to "info"
log_level = "{{ .Values.kanidm.log_level }}"
#
# The DNS domain name of the server. This is used in a
# number of security-critical contexts
# such as webauthn, so it *must* match your DNS
# hostname. It is used to create
# security principal names such as `william@idm.example.com`
# so that in a (future) trust configuration it is possible
# to have unique Security Principal Names (spns) throughout
# the topology.
#
# ⚠️ WARNING ⚠️
#
# Changing this value WILL break many types of registered
# credentials for accounts including but not limited to
# webauthn, oauth tokens, and more.
# If you change this value you *must* run
# `kanidmd domain rename` immediately after.
domain = "{{ tpl .Values.kanidm.domain $ }}"
#
# The origin for webauthn. This is the url to the server,
# with the port included if it is non-standard (any port
# except 443). This must match or be a descendent of the
# domain name you configure above. If these two items are
# not consistent, the server WILL refuse to start!
# origin = "https://idm.example.com"
origin = "https://{{ tpl .Values.kanidm.domain $ }}:{{ .Values.service.port }}"
#
{{- if .Values.kanidmOnlineBackup.enabled }}
[online_backup]
# The path to the output folder for online backups
path = "{{ .Values.kanidmOnlineBackup.path }}"
# The schedule to run online backups (see https://crontab.guru/)
# every day at 22:00 UTC (default)
schedule = "{{ .Values.kanidmOnlineBackup.schedule }}"
# four times a day at 3 minutes past the hour, every 6th hours
# schedule = "03 */6 * * *"
# We also support non standard cron syntax, with the following format:
# sec min hour day of month month day of week year
# (it's very similar to the standard cron syntax, it just allows to specify the seconds
# at the beginning and the year at the end)
# Number of backups to keep (default 7)
versions = {{ .Values.kanidmOnlineBackup.versions }}
{{- end }}