titan-iac/services/openldap/statefulset.yaml

# services/openldap/statefulset.yaml
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: openldap
  namespace: sso
  labels:
    app: openldap
spec:
  serviceName: openldap
  replicas: 1
  selector:
    matchLabels:
      app: openldap
  template:
    metadata:
      labels:
        app: openldap
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/role: "sso"
        vault.hashicorp.com/agent-inject-secret-openldap-env: "kv/data/atlas/sso/openldap-admin"
        vault.hashicorp.com/agent-inject-template-openldap-env: |
          {{- with secret "kv/data/atlas/sso/openldap-admin" -}}
          export LDAP_ADMIN_PASSWORD="{{ .Data.data.LDAP_ADMIN_PASSWORD }}"
          export LDAP_CONFIG_PASSWORD="{{ .Data.data.LDAP_CONFIG_PASSWORD }}"
          {{- end -}}
    spec:
      nodeSelector:
        kubernetes.io/arch: arm64
        node-role.kubernetes.io/worker: "true"
      serviceAccountName: sso-vault
      containers:
        - name: openldap
          image: docker.io/osixia/openldap:1.5.0
          imagePullPolicy: IfNotPresent
          command: ["/bin/sh", "-c"]
          args:
            - |
              set -eu
              . /vault/secrets/openldap-env
              exec /usr/bin/python3 -u /container/tool/run
          ports:
            - name: ldap
              containerPort: 389
            - name: ldaps
              containerPort: 636
          env:
            - name: LDAP_ORGANISATION
              value: Atlas
            - name: LDAP_DOMAIN
              value: bstein.dev
          readinessProbe:
            tcpSocket:
              port: ldap
            initialDelaySeconds: 10
            periodSeconds: 10
          livenessProbe:
            tcpSocket:
              port: ldap
            initialDelaySeconds: 30
            periodSeconds: 20
          volumeMounts:
            - name: ldap-data
              mountPath: /var/lib/ldap
            - name: slapd-config
              mountPath: /etc/ldap/slapd.d
  volumeClaimTemplates:
    - metadata:
        name: ldap-data
      spec:
        accessModes:
          - ReadWriteOnce
        storageClassName: astreae
        resources:
          requests:
            storage: 1Gi
    - metadata:
        name: slapd-config
      spec:
        accessModes:
          - ReadWriteOnce
        storageClassName: astreae
        resources:
          requests:
            storage: 1Gi
sso(openldap): restore in-cluster LDAP 2026-01-01 11:37:52 -03:00			`# services/openldap/statefulset.yaml`
			`apiVersion: apps/v1`
			`kind: StatefulSet`
			`metadata:`
			`name: openldap`
			`namespace: sso`
			`labels:`
			`app: openldap`
			`spec:`
			`serviceName: openldap`
			`replicas: 1`
			`selector:`
			`matchLabels:`
			`app: openldap`
			`template:`
			`metadata:`
			`labels:`
			`app: openldap`
vault: inject remaining services with wrappers 2026-01-14 17:29:09 -03:00			`annotations:`
			`vault.hashicorp.com/agent-inject: "true"`
			`vault.hashicorp.com/role: "sso"`
			`vault.hashicorp.com/agent-inject-secret-openldap-env: "kv/data/atlas/sso/openldap-admin"`
			`vault.hashicorp.com/agent-inject-template-openldap-env: \|`
			`{{- with secret "kv/data/atlas/sso/openldap-admin" -}}`
			`export LDAP_ADMIN_PASSWORD="{{ .Data.data.LDAP_ADMIN_PASSWORD }}"`
			`export LDAP_CONFIG_PASSWORD="{{ .Data.data.LDAP_CONFIG_PASSWORD }}"`
			`{{- end -}}`
sso(openldap): restore in-cluster LDAP 2026-01-01 11:37:52 -03:00			`spec:`
			`nodeSelector:`
			`kubernetes.io/arch: arm64`
			`node-role.kubernetes.io/worker: "true"`
vault: inject remaining services with wrappers 2026-01-14 17:29:09 -03:00			`serviceAccountName: sso-vault`
sso(openldap): restore in-cluster LDAP 2026-01-01 11:37:52 -03:00			`containers:`
			`- name: openldap`
			`image: docker.io/osixia/openldap:1.5.0`
			`imagePullPolicy: IfNotPresent`
vault: inject remaining services with wrappers 2026-01-14 17:29:09 -03:00			`command: ["/bin/sh", "-c"]`
			`args:`
			`- \|`
			`set -eu`
			`. /vault/secrets/openldap-env`
			`exec /usr/bin/python3 -u /container/tool/run`
sso(openldap): restore in-cluster LDAP 2026-01-01 11:37:52 -03:00			`ports:`
			`- name: ldap`
			`containerPort: 389`
			`- name: ldaps`
			`containerPort: 636`
			`env:`
			`- name: LDAP_ORGANISATION`
			`value: Atlas`
			`- name: LDAP_DOMAIN`
			`value: bstein.dev`
			`readinessProbe:`
			`tcpSocket:`
			`port: ldap`
			`initialDelaySeconds: 10`
			`periodSeconds: 10`
			`livenessProbe:`
			`tcpSocket:`
			`port: ldap`
			`initialDelaySeconds: 30`
			`periodSeconds: 20`
			`volumeMounts:`
			`- name: ldap-data`
			`mountPath: /var/lib/ldap`
			`- name: slapd-config`
			`mountPath: /etc/ldap/slapd.d`
			`volumeClaimTemplates:`
			`- metadata:`
			`name: ldap-data`
			`spec:`
			`accessModes:`
			`- ReadWriteOnce`
			`storageClassName: astreae`
			`resources:`
			`requests:`
			`storage: 1Gi`
			`- metadata:`
			`name: slapd-config`
			`spec:`
			`accessModes:`
			`- ReadWriteOnce`
			`storageClassName: astreae`
			`resources:`
			`requests:`
			`storage: 1Gi`