From 04bd29701e73d621e8da95db77253466b865ccea Mon Sep 17 00:00:00 2001
From: Ultradesu
Date: Mon, 4 May 2026 16:52:43 +0100
Subject: [PATCH] Added kanidm
---
k8s/core/kanidm/app.yaml | 21 ++++++++
k8s/core/kanidm/certificate.yaml | 12 +++++
k8s/core/kanidm/configmap.yaml | 20 ++++++++
k8s/core/kanidm/ingress.yaml | 25 +++++++++
k8s/core/kanidm/kustomization.yaml | 10 ++++
k8s/core/kanidm/service.yaml | 15 ++++++
k8s/core/kanidm/statefulset.yaml | 82 ++++++++++++++++++++++++++++++
7 files changed, 185 insertions(+)
create mode 100644 k8s/core/kanidm/app.yaml
create mode 100644 k8s/core/kanidm/certificate.yaml
create mode 100644 k8s/core/kanidm/configmap.yaml
create mode 100644 k8s/core/kanidm/ingress.yaml
create mode 100644 k8s/core/kanidm/kustomization.yaml
create mode 100644 k8s/core/kanidm/service.yaml
create mode 100644 k8s/core/kanidm/statefulset.yaml
diff --git a/k8s/core/kanidm/app.yaml b/k8s/core/kanidm/app.yaml
new file mode 100644
index 0000000..3563df2
--- /dev/null
+++ b/k8s/core/kanidm/app.yaml
@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: kanidm
+ namespace: argocd
+spec:
+ project: core
+ destination:
+ namespace: kanidm
+ server: https://kubernetes.default.svc
+ source:
+ repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git
+ targetRevision: HEAD
+ path: k8s/core/kanidm
+ syncPolicy:
+ automated:
+ selfHeal: true
+ prune: true
+ syncOptions:
+ - CreateNamespace=true
+ - ServerSideApply=true
diff --git a/k8s/core/kanidm/certificate.yaml b/k8s/core/kanidm/certificate.yaml
new file mode 100644
index 0000000..0e01b2d
--- /dev/null
+++ b/k8s/core/kanidm/certificate.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: kanidm-tls
+spec:
+ secretName: kanidm-tls
+ issuerRef:
+ name: letsencrypt
+ kind: ClusterIssuer
+ dnsNames:
+ - auth.hexor.cy
diff --git a/k8s/core/kanidm/configmap.yaml b/k8s/core/kanidm/configmap.yaml
new file mode 100644
index 0000000..bd7a96c
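Review bot: `targetRevision: HEAD` together with `automated.prune: true` and `selfHeal: true` means whatever the remote default branch happens to point at is applied to the identity provider immediately, and a mistaken push (or a changed default branch on the forge) removes resources without review. For a core auth component I would pin an explicit branch, `targetRevision: main` (or whatever the repo's protected branch is), so the deployed revision is the one that branch protection guards. This is a judgement call for a homelab, but the Application also lists itself via kustomization.yaml, so a bad revision can alter its own sync policy.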
--- /dev/null
+++ b/k8s/core/kanidm/configmap.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: kanidm-config
+data:
+ server.toml: |
+ version = "2"
+ bindaddress = "[::]:443"
+ db_path = "/data/kanidm.db"
+ tls_chain = "/certs/tls.crt"
+ tls_key = "/certs/tls.key"
+ domain = "auth.hexor.cy"
+ origin = "https://auth.hexor.cy"
+ log_level = "info"
+
+ [online_backup]
+ path = "/data/backups/"
+ schedule = "00 22 * * *"
+ versions = 7
diff --git a/k8s/core/kanidm/ingress.yaml b/k8s/core/kanidm/ingress.yaml
new file mode 100644
index 0000000..16edc4e
--- /dev/null
+++ b/k8s/core/kanidm/ingress.yaml
@@ -0,0 +1,25 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: kanidm
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt
+ traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
+ traefik.ingress.kubernetes.io/service.serversscheme: https
+spec:
+ tls:
+ - hosts:
+ - auth.hexor.cy
+ secretName: kanidm-ingress-tls
+ rules:
+ - host: auth.hexor.cy
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: kanidm
+ port:
+ number: 443
diff --git a/k8s/core/kanidm/kustomization.yaml b/k8s/core/kanidm/kustomization.yaml
new file mode 100644
index 0000000..207b203
--- /dev/null
+++ b/k8s/core/kanidm/kustomization.yaml
@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - app.yaml
+ - configmap.yaml
+ - certificate.yaml
+ - statefulset.yaml
+ - service.yaml
+ - ingress.yaml
diff --git a/k8s/core/kanidm/service.yaml b/k8s/core/kanidm/service.yaml
new file mode 100644
index 0000000..5465aad
--- /dev/null
+++ b/k8s/core/kanidm/service.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: kanidm
+ labels:
+ app: kanidm
+spec:
+ ports:
+ - name: https
+ port: 443
+ targetPort: 443
+ protocol: TCP
+ selector:
+ app: kanidm
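Review bot: server.toml is written for a server that sits behind Traefik (the ingress re-encrypts to it), but it does not set `trust_x_forward_for = true`, so every client address Kanidm records in its audit/auth logs will presumably be the ingress pod's IP rather than the real source — enable it only because the only path to port 443 is the ingress, and keep it off if the Service is ever exposed directly, since the header is then attacker-controlled. A second, smaller concern: `[online_backup]` writes to `/data/backups/`, the same Longhorn volume that holds `kanidm.db`, so the nightly backup guards against logical corruption but not against losing the volume, and those files contain the full credential store and should be copied off-volume and access-restricted. I would add a comment above the `[online_backup]` table saying `# backups land on the live data PVC; copy off-volume, they contain the whole identity DB`.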
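Review bot: The ingress requests a second Let's Encrypt certificate for `auth.hexor.cy` into `kanidm-ingress-tls` via the `cert-manager.io/cluster-issuer` annotation, while certificate.yaml in this same commit already issues one for the identical name into `kanidm-tls`; two live certificates for one host doubles the issuance against LE rate limits and gives you two keys to track for the same identity. Since both objects live in the kanidm namespace, reuse the explicit Certificate: change the tls block to `secretName: kanidm-tls` and drop the `cert-manager.io/cluster-issuer: letsencrypt` annotation. Separately, `service.serversscheme: https` makes Traefik re-encrypt to the backend, but whether it verifies the backend certificate depends on the cluster's default ServersTransport, which this hunk does not show — worth confirming, otherwise the backend TLS is encryption without authentication.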
diff --git a/k8s/core/kanidm/statefulset.yaml b/k8s/core/kanidm/statefulset.yaml
new file mode 100644
index 0000000..7bdbdcb
--- /dev/null
+++ b/k8s/core/kanidm/statefulset.yaml
@@ -0,0 +1,82 @@
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: kanidm
+ labels:
+ app: kanidm
+spec:
+ serviceName: kanidm
+ replicas: 1
+ selector:
+ matchLabels:
+ app: kanidm
+ template:
+ metadata:
+ labels:
+ app: kanidm
+ spec:
+ containers:
+ - name: kanidm
+ image: kanidm/server:1.5.0
+ ports:
+ - containerPort: 443
+ name: https
+ protocol: TCP
+ volumeMounts:
+ - name: kanidm-data
+ mountPath: /data
+ - name: kanidm-config
+ mountPath: /data/server.toml
+ subPath: server.toml
+ readOnly: true
+ - name: kanidm-tls
+ mountPath: /certs
+ readOnly: true
+ resources:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "512Mi"
+ cpu: "500m"
+ readinessProbe:
+ httpGet:
+ path: /status
+ port: 443
+ scheme: HTTPS
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ livenessProbe:
+ httpGet:
+ path: /status
+ port: 443
+ scheme: HTTPS
+ initialDelaySeconds: 15
+ periodSeconds: 30
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: false
+ runAsUser: 1000
+ runAsGroup: 1000
+ volumes:
+ - name: kanidm-config
+ configMap:
+ name: kanidm-config
+ - name: kanidm-tls
+ secret:
+ secretName: kanidm-tls
+ nodeSelector:
+ kubernetes.io/hostname: master.tail2fe2d.ts.net
+ tolerations:
+ - key: node-role.kubernetes.io/master
+ effect: NoSchedule
+ volumeClaimTemplates:
+ - metadata:
+ name: kanidm-data
+ spec:
+ accessModes: ["ReadWriteOnce"]
+ storageClassName: longhorn
+ resources:
+ requests:
+ storage: 1Gi
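Review bot: `runAsUser: 1000` combined with the ConfigMap's `bindaddress = "[::]:443"` (and `containerPort: 443`) will most likely fail at startup, because an unprivileged uid cannot bind a port below 1024 unless the kanidm binary carries file capabilities or the node lowers `net.ipv4.ip_unprivileged_port_start`, neither of which this commit shows. The least surprising fix is to serve on a high port such as 8443 and change `containerPort`, both probe ports, the Service `targetPort` and the ConfigMap `bindaddress` together; while editing securityContext, also add `runAsNonRoot: true`, `capabilities.drop: ["ALL"]` and `seccompProfile.type: RuntimeDefault` so the identity provider satisfies the restricted Pod Security Standard rather than keeping the runtime's default capability set. Two smaller points: the ConfigMap is mounted with `subPath`, so edits to server.toml are not propagated to the running pod until it is restarted (Argo will not restart it for you without a hash-suffixed ConfigMap), and `image: kanidm/server:1.5.0` is pinned by mutable tag rather than digest, which matters more for an IdP than for most workloads.
```yaml
      containers:
      - name: kanidm
        image: kanidm/server:1.5.0
        ports:
        - containerPort: 8443  # uid 1000 cannot bind 443 without CAP_NET_BIND_SERVICE
          name: https
          protocol: TCP
        # … unchanged: volumeMounts, resources …
        readinessProbe:
          httpGet:
            path: /status
            port: 8443
            scheme: HTTPS
        # … unchanged: probe timings; livenessProbe gets port 8443 likewise …
        securityContext:
          runAsNonRoot: true
          runAsUser: 1000
          runAsGroup: 1000
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: false
          capabilities:
            drop: ["ALL"]
          seccompProfile:
            type: RuntimeDefault
        # … unchanged: volumes, nodeSelector, tolerations, volumeClaimTemplates …
```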