feat(kanidm): vault-managed replication certs with auto-restart (#176)
- Store per-pod replication certs in Vault (kv/kubernetes/namespace/kanidm/default/repl-certs) - VaultAuth + VaultStaticSecret sync certs to kanidm-repl-certs Secret - busybox config-init init container injects peer certs from Secret into server.toml at startup - Remove hardcoded partner_cert entries from per-pod server.toml templates - Add automatic_refresh = true to all replication configs - Add reloader.stakater.com/auto annotation to trigger rolling restart on ConfigMap/Secret changes - Document domain UUID mismatch resolution and cert rotation in README Reviewed-on: #176
This commit was merged in pull request #176.
This commit is contained in:
@@ -0,0 +1,21 @@
|
||||
---
|
||||
apiVersion: secrets.hashicorp.com/v1beta1
|
||||
kind: VaultAuth
|
||||
metadata:
|
||||
name: default
|
||||
namespace: kanidm
|
||||
labels:
|
||||
app.kubernetes.io/name: kanidm
|
||||
app.kubernetes.io/instance: kanidm
|
||||
spec:
|
||||
method: kubernetes
|
||||
mount: k8s/au/syd1
|
||||
vaultConnectionRef: vso-system/default
|
||||
allowedNamespaces:
|
||||
- kanidm
|
||||
kubernetes:
|
||||
role: default
|
||||
serviceAccount: kanidm
|
||||
audiences:
|
||||
- vault
|
||||
tokenExpirationSeconds: 600
|
||||
Reference in New Issue
Block a user