feat(kanidm): automate replication cert exchange via native sidecar

Add a native sidecar (bitnami/kubectl, restartPolicy: Always) that runs
kanidmd renew-replication-certificate on each pod and patches the result
into the kanidm-repl-certs ConfigMap (certs are public keys, not secrets).
The config-init init container reads peer certs from the ConfigMap at
startup, building the replication stanza automatically — no manual cert
exchange required after first deploy.

Add RBAC (Role + RoleBinding) granting the kanidm service account
pods/exec and configmap patch permissions scoped to the kanidm namespace.
2026-05-24 00:02:40 +10:00
parent e91fe554eb
commit 11286a1f89
4 changed files with 85 additions and 30 deletions
+4 -23
@@ -29,34 +29,15 @@ data:
origin = "__REPL_ORIGIN__"
bindaddress = "[::]:8444"
---
# kanidm-repl-peers is initially empty.
#
# After first deployment, exchange replication certificates:
# kubectl exec -n kanidm kanidm-0 -- kanidmd show-replication-certificate
# kubectl exec -n kanidm kanidm-1 -- kanidmd show-replication-certificate
# kubectl exec -n kanidm kanidm-2 -- kanidmd show-replication-certificate
#
# Then populate peers.toml with all nodes' certs and restart pods.
# Example peers.toml content:
#
# [replication."repl://kanidm-0.kanidm-headless.kanidm.svc.cluster.local:8444"]
# type = "mutual-pull"
# partner_cert = "<base64-cert-from-kanidm-0>"
#
# [replication."repl://kanidm-1.kanidm-headless.kanidm.svc.cluster.local:8444"]
# type = "mutual-pull"
# partner_cert = "<base64-cert-from-kanidm-1>"
#
# [replication."repl://kanidm-2.kanidm-headless.kanidm.svc.cluster.local:8444"]
# type = "mutual-pull"
# partner_cert = "<base64-cert-from-kanidm-2>"
apiVersion: v1
kind: ConfigMap
metadata:
name: kanidm-repl-peers
name: kanidm-repl-certs
namespace: kanidm
labels:
app.kubernetes.io/name: kanidm
app.kubernetes.io/instance: kanidm
data:
peers.toml: ""
kanidm-0: ""
kanidm-1: ""
kanidm-2: ""
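Review bot: the replacement ConfigMap loses all of the documentation that the deleted comment block carried, and a reader of the new `kanidm-repl-certs` manifest cannot tell that the `kanidm-0`/`kanidm-1`/`kanidm-2` keys are written by the sidecar, that an empty string means "not yet renewed", or that each value ends up as a `partner_cert` trust anchor for `mutual-pull` replication. Please keep a short header comment above `apiVersion: v1` stating who writes these keys and what config-init does with them, for example:
`# Values are written by the renew-replication-certificate sidecar; an empty value means the pod has not yet published its cert.`
`# config-init skips empty entries and must not emit a stanza with an empty partner_cert.`
The three keys are also hard-coded to the current replica count, so the init container should tolerate missing or empty keys rather than assume exactly these three exist; and because any principal with patch rights on this ConfigMap can substitute a replication cert, the Role described in the commit message should limit `patch` with `resourceNames: ["kanidm-repl-certs"]` rather than all ConfigMaps in the namespace.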