app-template:
  controllers:
    main:
      type: statefulset
      containers:
        main:
          image:
            repository: docker.io/kanidm/server
            tag: 1.1.0-rc.15
      statefulset:
        volumeClaimTemplates:
          - name: data
            size: 1Gi
            globalMounts:
              - path: /data
            accessMode: "ReadWriteOnce"
  configMaps:
    config:
      enabled: true
      data:
        server.toml: |
          bindaddress = "[::]:443"
          ldapbindaddress = "[::]:636"
          # trust_x_forward_for = false
          db_path = "/data/kanidm.db"
          tls_chain = "/data/ca.crt"
          tls_key = "/data/tls.key"
          domain = "auth.khuedoan.com"
          origin = "https://auth.khuedoan.com"
  service:
    main:
      ports:
        http:
          enabled: false
        https:
          port: 443
          protocol: HTTPS
        ldap:
          port: 636
          protocol: TCP
  ingress:
    main:
      enabled: true
      className: nginx
      annotations:
        cert-manager.io/cluster-issuer: letsencrypt-prod
        nginx.ingress.kubernetes.io/backend-protocol: HTTPS
      hosts:
        - host: &host auth.khuedoan.com
          paths:
            - path: /
              pathType: Prefix
              service:
                name: main
                port: https
      tls:
        - hosts:
            - *host
          secretName: kanidm-tls-certificate
  persistence:
    config:
      enabled: true
      type: configMap
      name: kanidm-config
      globalMounts:
        - path: /data/server.toml
          subPath: server.toml
    tls:
      enabled: true
      type: secret
      name: kanidm-selfsigned-certificate
      globalMounts:
        - path: /data/ca.crt
          subPath: ca.crt
        - path: /data/tls.key
          subPath: tls.key