foundation/apps/lldap/base/deployment.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: lldap
  namespace: lldap
  labels:
    app.kubernetes.io/name: lldap
    app.kubernetes.io/instance: lldap
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: lldap
      app.kubernetes.io/instance: lldap
  template:
    metadata:
      labels:
        app.kubernetes.io/name: lldap
        app.kubernetes.io/instance: lldap
    spec:
      topologySpreadConstraints:
        - maxSkew: 1
          topologyKey: kubernetes.io/hostname
          whenUnsatisfiable: DoNotSchedule
          labelSelector:
            matchLabels:
              app.kubernetes.io/name: lldap
              app.kubernetes.io/instance: lldap
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 1000
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: lldap
          image: lldap/lldap:2025-12-12-alpine-rootless
          env:
            - name: LLDAP_LDAP_BASE_DN
              value: dc=huizinga,dc=dev
            - name: LLDAP_LDAP_USER_PASS
              valueFrom:
                secretKeyRef:
                  name: credentials
                  key: admin-pass
            - name: LLDAP_KEY_SEED
              valueFrom:
                secretKeyRef:
                  name: credentials
                  key: key-seed
            - name: LLDAP_JWT_SECRET
              valueFrom:
                secretKeyRef:
                  name: credentials
                  key: jwt-secret
            - name: LLDAP_DATABASE_URL
              valueFrom:
                secretKeyRef:
                  name: lldap-db-app
                  key: uri
            - name: TZ
              value: CET
          livenessProbe:
            exec:
              command:
                - /app/lldap
                - healthcheck
            initialDelaySeconds: 5
            periodSeconds: 30
          ports:
            - name: ldap
              containerPort: 3890
            - name: web
              containerPort: 17170
          securityContext:
            allowPrivilegeEscalation: false
            runAsNonRoot: true
            capabilities:
              drop:
                - ALL