feat(kanidm): vault-managed replication certs with auto-restart (#176)

- Store per-pod replication certs in Vault (kv/kubernetes/namespace/kanidm/default/repl-certs)
- VaultAuth + VaultStaticSecret sync certs to kanidm-repl-certs Secret
- busybox config-init init container injects peer certs from Secret into server.toml at startup
- Remove hardcoded partner_cert entries from per-pod server.toml templates
- Add automatic_refresh = true to all replication configs
- Add reloader.stakater.com/auto annotation to trigger rolling restart on ConfigMap/Secret changes
- Document domain UUID mismatch resolution and cert rotation in README
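The peer-cert injection step described above, as an added example that is not the commit's own config-init script: it renders a server.toml from a template whose `@PARTNER_CERT:<peer>@` placeholders are filled from one base64 cert file per peer (the layout a mounted kanidm-repl-certs Secret would give). The placeholder syntax, file names and the replication stanza shape are assumptions for this example.

```sh
#!/bin/sh
# Added example, not the commit's init-container script. Assumes a template
# using "@PARTNER_CERT:<peer>@" placeholders and a directory (the mounted
# kanidm-repl-certs Secret) holding one base64 cert per peer.
inject_partner_certs() {
    # $1 = template path, $2 = cert dir, $3 = output server.toml
    awk -v dir="$2" '
    {
        line = $0
        while (match(line, /@PARTNER_CERT:[A-Za-z0-9_.-]+@/)) {
            peer = substr(line, RSTART + 14, RLENGTH - 15)
            path = dir "/" peer
            cert = ""
            if ((getline c < path) > 0) cert = c
            close(path)
            if (cert == "") {
                # Refuse to start with a blank partner_cert rather than
                # silently writing a config that can never replicate.
                print "missing replication cert for peer " peer > "/dev/stderr"
                exit 1
            }
            line = substr(line, 1, RSTART - 1) cert substr(line, RSTART + RLENGTH)
        }
        print line
    }' "$1" > "$3"
}

# Constructed sample input: a two-node template and a Secret-style cert dir.
make_sample() {
    d=$(mktemp -d)
    mkdir "$d/certs"
    printf 'MIIBconstructedCertForKanidm1\n' > "$d/certs/kanidm-1"
    cat > "$d/server.toml.tmpl" <<'EOF'
[replication]
origin = "repl://kanidm-0.kanidm.svc:8444"
bindaddress = "0.0.0.0:8444"

[replication."repl://kanidm-1.kanidm.svc:8444"]
type = "mutual-pull"
partner_cert = "@PARTNER_CERT:kanidm-1@"
automatic_refresh = true
EOF
    echo "$d"
}

render_sample() {
    d=$(make_sample)
    inject_partner_certs "$d/server.toml.tmpl" "$d/certs" "$d/server.toml" || return 1
    cat "$d/server.toml"
}

render_sample
```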

Reviewed-on: #176
This commit was merged in pull request #176.
2026-05-30 23:00:46 +10:00
parent 1b781e0885
commit 4d594fbde7
8 changed files with 102 additions and 43 deletions
@@ -0,0 +1,21 @@
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
name: default
namespace: kanidm
labels:
app.kubernetes.io/name: kanidm
app.kubernetes.io/instance: kanidm
spec:
method: kubernetes
mount: k8s/au/syd1
vaultConnectionRef: vso-system/default
allowedNamespaces:
- kanidm
kubernetes:
role: default
serviceAccount: kanidm
audiences:
- vault
tokenExpirationSeconds: 600
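Review bot: the Vault-side binding for `role: default` on mount `k8s/au/syd1` is not in this diff, and it is what bounds access to the replication certs, so please confirm (or link the Vault config) that the role is bound to service account `kanidm` in namespace `kanidm` only and that its policy grants read on `kv/kubernetes/namespace/kanidm/default/repl-certs` and nothing broader. A role literally named `default` is easy to reuse for other workloads, and any pod bound to it would be able to read the certs this VaultAuth exposes through the VaultStaticSecret. The `audiences: [vault]` restriction and `allowedNamespaces: [kanidm]` are the right shape; a short comment above `role:` noting the expected SA/namespace binding would make the intent reviewable in-repo.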