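---
# StatefulSet for the rauthy identity provider.
# The container runs as the non-root UID/GID 10001 that is baked into the
# image; the pod-level fsGroup matches it so the data volume is writable.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: rauthy
  namespace: rauthy
  labels:
    app: rauthy
spec:
  serviceName: rauthy
  # Do not just scale up replicas without a proper HA setup
  replicas: 1
  selector:
    matchLabels:
      app: rauthy
  template:
    metadata:
      labels:
        app: rauthy
    spec:
      securityContext:
        # Must match the container's runAsGroup so /app/data stays writable
        fsGroup: 10001
      containers:
        - name: rauthy
          # Tag is pinned to an exact release; for stronger supply-chain
          # assurance consider pinning by image digest as well.
          image: ghcr.io/sebadob/rauthy:0.19.1-lite
          imagePullPolicy: IfNotPresent
          securityContext:
            # User ID 10001 is built into the container image at build time
            # for better security
            runAsUser: 10001
            runAsGroup: 10001
            # Fail the pod at admission if the image ever starts as UID 0
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            # All listening ports are unprivileged, so no capability is needed
            capabilities:
              drop:
                - ALL
            # Apply the container runtime's default syscall filter
            # (otherwise the pod runs unconfined)
            seccompProfile:
              type: RuntimeDefault
            # readOnlyRootFilesystem is not set here; verify the application
            # writes nothing outside /app/data before enabling it
          ports:
            - containerPort: 8000
            # You may need to adjust this, if you decide to start in https only mode
            # or use another port
            - containerPort: 8080
            - containerPort: 8443
          env:
            # All sensitive values come from the rauthy-secrets Secret, never
            # from the ConfigMap
            - name: DATABASE_URL
              valueFrom:
                secretKeyRef:
                  name: rauthy-secrets
                  key: DATABASE_URL
            - name: ENC_KEYS
              valueFrom:
                secretKeyRef:
                  name: rauthy-secrets
                  key: ENC_KEYS
            - name: SMTP_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: rauthy-secrets
                  key: SMTP_PASSWORD
          volumeMounts:
            - mountPath: /app/data
              name: rauthy-data
              readOnly: false
            # Config is mounted read-only; secrets must not be placed in it
            - mountPath: /app/rauthy.cfg
              subPath: rauthy.cfg
              name: rauthy-config
              readOnly: true
          readinessProbe:
            httpGet:
              # You may need to adjust this, if you decide to start in https only
              # mode or use another port
              scheme: HTTP
              port: 8080
              #scheme: HTTPS
              #port: 8443
              path: /auth/v1/ping
            initialDelaySeconds: 1
            periodSeconds: 10
          livenessProbe:
            httpGet:
              # You may need to adjust this, if you decide to start in https only
              # mode or use another port
              scheme: HTTP
              port: 8080
              #scheme: HTTPS
              #port: 8443
              path: /auth/v1/health
            initialDelaySeconds: 1
            periodSeconds: 30
          resources:
            requests:
              # Tune the memory requests value carefully. Make sure that the
              # pods request at least:
              # `ARGON2_M_COST` / 1024 * `MAX_HASH_THREADS` Mi
              # With SQLite: for small deployments, add an additional ~20-30Mi for
              # "the rest", for larger ones ~50-70Mi should be enough.
              memory: 64Mi
              # The CPU needs to be adjusted during runtime. This heavily
              # depends on your use case.
              cpu: 100m
            limits:
              # Be careful with the memory limit. You must make sure that the
              # (very costly) password hashing has enough memory available. If not,
              # the application will crash. You do not really need a memory limit,
              # since Rust is not a garbage-collected language. Better take a close
              # look at what the container actually needs during
              # prime time and set the requested resources above properly.
              #memory:
              # A CPU limit may make sense in case of DDoS attacks or something
              # like this, if you do not have external rate limiting or other
              # mechanisms. Otherwise, `MAX_HASH_THREADS` is the main mechanism
              # to limit resources.
              cpu: 1000m
      volumes:
        - name: rauthy-config
          configMap:
            name: rauthy-config
  volumeClaimTemplates:
    - metadata:
        name: rauthy-data
      spec:
        accessModes:
          - "ReadWriteOnce"
        resources:
          requests:
            storage: 128Mi
        #storageClassName: provideIfYouHaveMultipleOnes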