helm-charts/kanidm/templates/deployment.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ include "kanidm.fullname" . }}
  labels:
    {{- include "kanidm.labels" . | nindent 4 }}
spec:
  {{- if not .Values.autoscaling.enabled }}
  replicas: {{ .Values.replicaCount }}
  {{- end }}
  {{- if .Values.strategy }}
  strategy:
  {{ toYaml .Values.strategy | indent 2 }}
  {{- end }}
  selector:
    matchLabels:
      {{- include "kanidm.selectorLabels" . | nindent 6 }}
  template:
    metadata:
      annotations:
        checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
      {{- with .Values.podAnnotations }}
        {{- toYaml . | nindent 8 }}
      {{- end }}
      labels:
        {{- include "kanidm.labels" . | nindent 8 }}
        {{- with .Values.podLabels }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
    spec:
      {{- with .Values.imagePullSecrets }}
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      serviceAccountName: {{ include "kanidm.serviceAccountName" . }}
      securityContext:
        {{- toYaml .Values.podSecurityContext | nindent 8 }}
      shareProcessNamespace: true
      initContainers:
        - name: {{ .Chart.Name }}-certs
          securityContext:
            {{- toYaml .Values.securityContext | nindent 12 }}
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
          command:
            - bash
            - -c
            - kanidmd cert-generate
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          volumeMounts:
            - name: kanidm-data
              mountPath: "/data"
            - name: kanidm-config
              mountPath: /data/server.toml
              subPath: server.toml
          {{- with .Values.volumeMounts }}
            {{- toYaml . | nindent 12 }}
          {{- end }}
        - name: {{ .Chart.Name }}-db-pass
          securityContext:
            {{- toYaml .Values.securityContext | nindent 12 }}
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
          command:
            - sh
            - -c
            - |
              /sbin/kanidmd server -c /data/server.toml &
              serverPID=$!
              until curl -k --output /dev/null --silent --head --fail https://localhost:{{ .Values.service.port }}; do
                printf '.'
                sleep 5
              done

              echo "##### Start domain upgrade-check"
              /sbin/kanidmd domain upgrade-check
              echo "##### Done domain upgrade-check"

              ADMIN_PASS=$(kanidmd recover-account admin 2>/dev/null  | gawk 'match($0, /new_password:(.*)/, a) { gsub(/ |"/, "", a[1]); print a[1]}')
              IDM_ADMIN_PASS=$(kanidmd recover-account idm_admin 2>/dev/null  | gawk 'match($0, /new_password:(.*)/, a) { gsub(/ |"/, "", a[1]); print a[1]}')
              kill $serverPID
              kubectl delete secret kanidm-passwords --ignore-not-found
              kubectl create secret generic kanidm-passwords --from-literal=admin="$ADMIN_PASS" --from-literal=idm_admin="$IDM_ADMIN_PASS"
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          volumeMounts:
            - name: kanidm-data
              mountPath: "/data"
            - name: kanidm-config
              mountPath: /data/server.toml
              subPath: server.toml
          {{- with .Values.volumeMounts }}
            {{- toYaml . | nindent 12 }}
          {{- end }}
      containers:
        - name: {{ .Chart.Name }}
          securityContext:
            {{- toYaml .Values.securityContext | nindent 12 }}
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          ports:
            - name: http
              containerPort: {{ .Values.service.port }}
              protocol: TCP
          {{- if .Values.kanidmLdap.enabled }}
            - name: ldap
              containerPort: {{ .Values.service.ldap }}
              protocol: TCP
          {{- end }}
          livenessProbe:
            {{- toYaml .Values.livenessProbe | nindent 12 }}
          readinessProbe:
            {{- toYaml .Values.readinessProbe | nindent 12 }}
          resources:
            {{- toYaml .Values.resources | nindent 12 }}
          volumeMounts:
            - name: kanidm-data
              mountPath: "/data"
            - name: kanidm-config
              mountPath: /data/server.toml
              subPath: server.toml
          {{- with .Values.volumeMounts }}
            {{- toYaml . | nindent 12 }}
          {{- end }}
      volumes:
        - name: kanidm-data
          {{- if .Values.persistence.enabled }}
          persistentVolumeClaim:
            claimName: {{ .Values.persistence.existingClaim | default (include "kanidm.fullname" .) }}-data
          {{- else }}
          emptyDir: {}
          {{- end }}
        - name: kanidm-config
          configMap:
            name: {{ include "kanidm.fullname" . }}-config
      {{- with .Values.volumes }}
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.affinity }}
      affinity:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.tolerations }}
      tolerations:
        {{- toYaml . | nindent 8 }}
      {{- end }}