From 60f1f3130bc18bfddeaed7a1875ef7d8520a7faf Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Sun, 31 May 2026 00:20:30 +1000
Subject: [PATCH] fix(kanidm): replicate 1/2 from 0 only with automatic_refresh (#181)

kanidm-0 is the authoritative supplier; kanidm-1 and kanidm-2 pull from kanidm-0 only. automatic_refresh = true on the kanidm-0 peer entry for kanidm-1/2 so fresh nodes auto-sync domain UUID on restart.

Reviewed-on: https://git.unkin.net/unkin/argocd-apps/pulls/181
---
 apps/base/kanidm/statefulset.yaml | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/apps/base/kanidm/statefulset.yaml b/apps/base/kanidm/statefulset.yaml
index 2eaa778..2c89414 100644
--- a/apps/base/kanidm/statefulset.yaml
+++ b/apps/base/kanidm/statefulset.yaml
@@ -44,13 +44,19 @@ spec:
 - |
 set -e
 cp "/config-template/server-${POD_NAME##*-}.toml" /config/server.toml
- for peer in kanidm-0 kanidm-1 kanidm-2; do
- [ "${peer}" = "${POD_NAME}" ] && continue
+ if [ "${POD_NAME}" = "kanidm-0" ]; then
+ peers="kanidm-1 kanidm-2"
+ else
+ peers="kanidm-0"
+ fi
+ for peer in ${peers}; do
 cert_file="/repl-certs/${peer}"
 [ -s "${cert_file}" ] || continue
 fqdn="${peer}.kanidm-headless.kanidm.svc.cluster.local"
- printf '\n[replication."repl://%s:8444"]\ntype = "mutual-pull"\npartner_cert = "%s"\n' \
- "${fqdn}" "$(cat ${cert_file})" >> /config/server.toml
+ refresh=""
+ [ "${peer}" = "kanidm-0" ] && refresh="\nautomatic_refresh = true"
+ printf '\n[replication."repl://%s:8444"]\ntype = "mutual-pull"\npartner_cert = "%s"%s\n' \
+ "${fqdn}" "$(cat ${cert_file})" "${refresh}" >> /config/server.toml
 done
 env:
 - name: POD_NAME
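Review bot: The `\n` in the added `refresh="\nautomatic_refresh = true"` never turns into a newline, because double quotes in sh and bash keep a backslash-n literal and printf's `%s` prints its argument verbatim (only the format string and `%b` process escapes), so on kanidm-1/2 the generated server.toml ends up with `partner_cert = "…"\nautomatic_refresh = true` on a single line, which is not valid TOML and would most likely make those pods fail to parse their config. The smallest fix is to render that argument with `%b` — `printf '\n[replication."repl://%s:8444"]\ntype = "mutual-pull"\npartner_cert = "%s"%b\n' \` with the rest of the call unchanged — or to build the value with a real newline, `refresh="$(printf '\nautomatic_refresh = true')"`. While on that line, quoting the path in the substitution, `"$(cat "${cert_file}")"`, removes the script's dependence on the fixed filename shape. A comment above the new `if` would also help whoever inspects the pod next: `# kanidm-0 is the authoritative supplier; kanidm-1/2 pull only from it and accept an automatic refresh from it (see #181)`.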