feat(kanidm): vault-managed replication certs with auto-restart (#176)
- Store per-pod replication certs in Vault (kv/kubernetes/namespace/kanidm/default/repl-certs) - VaultAuth + VaultStaticSecret sync certs to kanidm-repl-certs Secret - busybox config-init init container injects peer certs from Secret into server.toml at startup - Remove hardcoded partner_cert entries from per-pod server.toml templates - Add automatic_refresh = true to all replication configs - Add reloader.stakater.com/auto annotation to trigger rolling restart on ConfigMap/Secret changes - Document domain UUID mismatch resolution and cert rotation in README Reviewed-on: #176
This commit was merged in pull request #176.
This commit is contained in:
@@ -4,6 +4,8 @@ kind: StatefulSet
|
||||
metadata:
|
||||
name: kanidm
|
||||
namespace: kanidm
|
||||
annotations:
|
||||
reloader.stakater.com/auto: "true"
|
||||
labels:
|
||||
app.kubernetes.io/name: kanidm
|
||||
app.kubernetes.io/instance: kanidm
|
||||
@@ -39,7 +41,17 @@ spec:
|
||||
image: busybox:1.36
|
||||
command: ["/bin/sh", "-c"]
|
||||
args:
|
||||
- cp "/config-template/server-${POD_NAME##*-}.toml" /config/server.toml
|
||||
- |
|
||||
set -e
|
||||
cp "/config-template/server-${POD_NAME##*-}.toml" /config/server.toml
|
||||
for peer in kanidm-0 kanidm-1 kanidm-2; do
|
||||
[ "${peer}" = "${POD_NAME}" ] && continue
|
||||
cert_file="/repl-certs/${peer}"
|
||||
[ -s "${cert_file}" ] || continue
|
||||
fqdn="${peer}.kanidm-headless.kanidm.svc.cluster.local"
|
||||
printf '\n[replication."repl://%s:8444"]\ntype = "mutual-pull"\npartner_cert = "%s"\n' \
|
||||
"${fqdn}" "$(cat ${cert_file})" >> /config/server.toml
|
||||
done
|
||||
env:
|
||||
- name: POD_NAME
|
||||
valueFrom:
|
||||
@@ -51,6 +63,9 @@ spec:
|
||||
readOnly: true
|
||||
- name: config
|
||||
mountPath: /config
|
||||
- name: repl-certs
|
||||
mountPath: /repl-certs
|
||||
readOnly: true
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
readOnlyRootFilesystem: true
|
||||
@@ -101,6 +116,9 @@ spec:
|
||||
name: kanidm-config
|
||||
- name: config
|
||||
emptyDir: {}
|
||||
- name: repl-certs
|
||||
secret:
|
||||
secretName: kanidm-repl-certs
|
||||
- name: tls
|
||||
secret:
|
||||
secretName: kanidm-tls
|
||||
|
||||
Reference in New Issue
Block a user