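---
# Kanidm identity server as a single-replica StatefulSet.
# State lives on the `kanidm-data` PersistentVolumeClaim, the server
# configuration is injected from the `kanidm-config` ConfigMap and the TLS
# material from the `kanidm-tls` Secret; the process runs as UID/GID 1000.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: kanidm
  labels:
    app: kanidm
spec:
  serviceName: kanidm
  # Single instance. Each StatefulSet replica would get its own RWO volume,
  # so scaling this out also needs kanidm-side replication — TODO confirm
  # before raising it.
  replicas: 1
  selector:
    matchLabels:
      app: kanidm
  template:
    metadata:
      labels:
        app: kanidm
    spec:
      # Least privilege: nothing in this pod talks to the Kubernetes API, so
      # do not mount a service-account token that could be stolen from /data
      # or a compromised process.
      automountServiceAccountToken: false
      securityContext:
        runAsUser: 1000
        runAsGroup: 1000
        # Defence in depth: the kubelet refuses to start the container if a
        # future image tag switches back to UID 0.
        runAsNonRoot: true
        # Makes the PVC group-writable for the non-root server process.
        fsGroup: 1000
        # Default runtime seccomp profile (required by the "restricted"
        # Pod Security Standard).
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: kanidm
          # Pinned to an exact release; consider pinning by digest as well.
          image: kanidm/server:1.9.3
          ports:
            - containerPort: 443
              name: https
              protocol: TCP
          volumeMounts:
            - name: kanidm-data
              mountPath: /data
            # subPath mounts are a one-time copy: edits to the ConfigMap are
            # not propagated into a running pod, so config changes need a
            # pod restart to take effect.
            - name: kanidm-config
              mountPath: /data/server.toml
              subPath: server.toml
              readOnly: true
            - name: kanidm-tls
              mountPath: /certs
              readOnly: true
          resources:
            requests:
              memory: "128Mi"
              cpu: "100m"
            limits:
              memory: "512Mi"
              cpu: "500m"
          # Both probes hit the TLS listener directly; the kubelet does not
          # verify the serving certificate for scheme HTTPS, so a self-signed
          # or internal CA certificate works here.
          readinessProbe:
            httpGet:
              path: /status
              port: 443
              scheme: HTTPS
            initialDelaySeconds: 5
            periodSeconds: 10
          livenessProbe:
            httpGet:
              path: /status
              port: 443
              scheme: HTTPS
            initialDelaySeconds: 15
            periodSeconds: 30
          securityContext:
            allowPrivilegeEscalation: false
            # Deliberately left writable by the author. NOTE(review): if
            # kanidm only writes under /data and /tmp, this can become true
            # with an emptyDir for /tmp — confirm against the image first.
            readOnlyRootFilesystem: false
            runAsUser: 1000
            runAsGroup: 1000
            # NOTE(review): `capabilities: {drop: ["ALL"]}` would complete
            # the restricted profile; verify first that binding port 443 as
            # UID 1000 does not rely on CAP_NET_BIND_SERVICE in this runtime.
      volumes:
        - name: kanidm-config
          configMap:
            name: kanidm-config
        - name: kanidm-tls
          secret:
            secretName: kanidm-tls
      # Pinned to a single node: the pod cannot be rescheduled if that node
      # goes down (the RWO volume would stay attached there anyway) — TODO
      # confirm this is intended rather than an artefact of a one-node setup.
      nodeSelector:
        kubernetes.io/hostname: master.tail2fe2d.ts.net
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
  volumeClaimTemplates:
    - metadata:
        name: kanidm-data
      spec:
        accessModes: ["ReadWriteOnce"]
        storageClassName: longhorn
        resources:
          requests:
            storage: 1Gi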