From 3dc880107057d747519fac00fda4d57313330d50 Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Sun, 31 May 2026 00:25:21 +1000
Subject: [PATCH] fix(kanidm): fix automatic_refresh TOML generation in init container (#182)

## Summary
- The `\n` escape in a shell variable wasn't interpreted as a newline when passed as a `printf %s` argument
- This caused `automatic_refresh = true` to be appended to the `partner_cert` string value on the same line, breaking TOML parsing on kanidm-2
- Fixed by using separate `printf` calls per peer type, with `\n` in the format string (not a variable) where it is correctly interpreted
## Test plan
- [ ] kanidm-2 init container generates valid TOML with `automatic_refresh = true` on its own line under the kanidm-0 peer section
- [ ] kanidm-1 and kanidm-2 start successfully and auto-refresh domain UUID from kanidm-0
Reviewed-on: https://git.unkin.net/unkin/argocd-apps/pulls/182
---
 apps/base/kanidm/statefulset.yaml | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/apps/base/kanidm/statefulset.yaml b/apps/base/kanidm/statefulset.yaml
index 2c89414..3fe8f2c 100644
--- a/apps/base/kanidm/statefulset.yaml
+++ b/apps/base/kanidm/statefulset.yaml
@@ -53,10 +53,13 @@ spec:
 cert_file="/repl-certs/${peer}"
 [ -s "${cert_file}" ] || continue
 fqdn="${peer}.kanidm-headless.kanidm.svc.cluster.local"
- refresh=""
- [ "${peer}" = "kanidm-0" ] && refresh="\nautomatic_refresh = true"
- printf '\n[replication."repl://%s:8444"]\ntype = "mutual-pull"\npartner_cert = "%s"%s\n' \
- "${fqdn}" "$(cat ${cert_file})" "${refresh}" >> /config/server.toml
+ if [ "${peer}" = "kanidm-0" ]; then
+ printf '\n[replication."repl://%s:8444"]\ntype = "mutual-pull"\npartner_cert = "%s"\nautomatic_refresh = true\n' \
+ "${fqdn}" "$(cat ${cert_file})" >> /config/server.toml
+ else
+ printf '\n[replication."repl://%s:8444"]\ntype = "mutual-pull"\npartner_cert = "%s"\n' \
+ "${fqdn}" "$(cat ${cert_file})" >> /config/server.toml
+ fi
 done
 env:
 - name: POD_NAME
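Review bot: The contents of `${cert_file}` are pasted into the quoted TOML value `partner_cert = "%s"` in both new `printf` calls without any check, so a `"` or an embedded newline in a file under /repl-certs would end the string early and add or corrupt keys in /config/server.toml, the same class of breakage this commit fixes for `automatic_refresh`. Because this section decides which peer the node trusts for replication, I would read the value once and fail the init container on unexpected characters: `cert="$(cat "${cert_file}")"` followed by `case "${cert}" in *[!A-Za-z0-9_=-]*) echo "invalid cert for ${peer}" >&2; exit 1;; esac` (this assumes the certificates are single-line base64url strings; confirm before adopting the pattern). That also quotes `${cert_file}` inside the command substitution, and it lets one `printf` emit the shared section with a second, conditional `printf 'automatic_refresh = true\n'` for kanidm-0 instead of two near-identical format strings. The enclosing loop starts above the hunk, so where `peer` comes from is not visible here.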