feat(kanidm): automate replication cert exchange via native sidecar
Add a native sidecar (bitnami/kubectl, restartPolicy: Always) that runs kanidmd renew-replication-certificate on each pod and patches the result into the kanidm-repl-certs ConfigMap (certs are public keys, not secrets). The config-init init container reads peer certs from the ConfigMap at startup, building the replication stanza automatically — no manual cert exchange required after first deploy. Add RBAC (Role + RoleBinding) granting the kanidm service account pods/exec and configmap patch permissions scoped to the kanidm namespace.
@@ -5,6 +5,7 @@ kind: Kustomization
resources:
- namespace.yaml
- serviceaccount.yaml
- rbac.yaml
- certificate.yaml
- configmap.yaml
- service.yaml
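Review bot: the Role that rbac.yaml pulls into this Kustomization is the security-relevant part of the change, but only the `- rbac.yaml` resource entry is visible in this hunk; since the commit message says that Role grants the kanidm service account pods/exec and configmap patch, please make sure rbac.yaml narrows the configmaps rule with `resourceNames` to kanidm-repl-certs and keeps the exec grant to the minimum the sidecar needs. pods/exec within a namespace amounts to code execution in every pod of that namespace, and although the replication certs are public, the ConfigMap is an integrity anchor: anyone who can patch it can place a rogue peer certificate into the replication stanza that config-init builds at startup, so patch rights on it deserve the same care as a secret. A short comment in rbac.yaml stating why the sidecar needs exec would also help future reviewers.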