feat(kanidm): automate replication cert exchange via native sidecar

Add a native sidecar (bitnami/kubectl, restartPolicy: Always) that runs
kanidmd renew-replication-certificate on each pod and patches the result
into the kanidm-repl-certs ConfigMap (certs are public keys, not secrets).
The config-init init container reads peer certs from the ConfigMap at
startup, building the replication stanza automatically — no manual cert
exchange required after first deploy.

Add RBAC (Role + RoleBinding) granting the kanidm service account
pods/exec and configmap patch permissions scoped to the kanidm namespace.
2026-05-24 00:02:40 +10:00
parent e91fe554eb
commit 11286a1f89
4 changed files with 85 additions and 30 deletions
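The commit message describes a Role granting pods/exec and ConfigMap patch to the kanidm service account. As an added illustration (not the commit's own rbac.yaml, whose contents are not shown here), this is how that Role can be written with the ConfigMap rule pinned to the single object the sidecar actually patches; the namespace, service account, Role names and the `get` verb are assumptions.

```yaml
# Added example, not the project's rbac.yaml. Assumed names: namespace "kanidm",
# service account "kanidm", ConfigMap "kanidm-repl-certs" (from the commit message).
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: kanidm-repl-cert-exchange
  namespace: kanidm
rules:
  # The sidecar only needs to read and patch the one ConfigMap that carries the
  # public replication certs, so resourceNames keeps every other ConfigMap in
  # the namespace out of reach of this identity.
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["kanidm-repl-certs"]
    verbs: ["get", "patch"]
  # exec is what lets the kubectl sidecar run
  # "kanidmd renew-replication-certificate" in the server container. This is the
  # broad grant in the design: create on pods/exec is equivalent to a shell in
  # any pod of the namespace, so nothing else should share this service account.
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kanidm-repl-cert-exchange
  namespace: kanidm
subjects:
  - kind: ServiceAccount
    name: kanidm
    namespace: kanidm
roleRef:
  kind: Role
  name: kanidm-repl-cert-exchange
  apiGroup: rbac.authorization.k8s.io
```

After applying, `kubectl auth can-i patch configmap/kanidm-repl-certs -n kanidm --as=system:serviceaccount:kanidm:kanidm` should answer yes while the same query against any other ConfigMap name answers no.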
@@ -5,6 +5,7 @@ kind: Kustomization
resources:
- namespace.yaml
- serviceaccount.yaml
- rbac.yaml
- certificate.yaml
- configmap.yaml
- service.yaml
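Review bot: the new `- rbac.yaml` entry in this resource list wires in the Role that grants the kanidm service account pods/exec and ConfigMap patch, but the hunk does not show rbac.yaml itself, so please confirm in that file that the ConfigMap rule is pinned with `resourceNames: ["kanidm-repl-certs"]` rather than allowing patch on every ConfigMap in the namespace, and that `create` on `pods/exec` is the only pod verb granted; since exec is effectively a shell in any pod of the namespace, the kanidm service account should not be reused by other workloads. The line lacks its `+` marker in this rendering even though the `@@ -5,6 +5,7 @@` header accounts for one added line.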