feat: update kanidm replicaiton
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/kubeconform Pipeline was successful

- split to per-server configs
- remove init containers that attempted to automate the replication config
- add README.md
This commit is contained in:
2026-05-25 23:22:06 +10:00
parent 6497dab25e
commit 934e332309
7 changed files with 105 additions and 91 deletions
+32
View File
@@ -0,0 +1,32 @@
# kanidm
Single-replica kanidm identity server deployment.
## Initial setup
After the pod starts for the first time, generate the admin and idm_admin credentials:
```bash
kubectl exec -n kanidm kanidm-0 -- /sbin/kanidmd recover-account admin
kubectl exec -n kanidm kanidm-0 -- /sbin/kanidmd recover-account idm_admin
```
## Adding replication
If replication is needed in the future:
1. Scale the StatefulSet to 3 replicas and add `podAntiAffinity` to spread across nodes.
2. Add a `[replication]` section to `configmap.yaml` per pod (origin is pod-specific:
`repl://kanidm-N.kanidm-headless.kanidm.svc.cluster.local:8444`).
3. Add the replication port (8444) back to the StatefulSet container ports and headless service.
4. Restore `rbac.yaml` for the cert-publisher sidecar, or exchange certificates manually:
```bash
# On each pod, get its replication certificate
kubectl exec -n kanidm kanidm-0 -- /sbin/kanidmd renew-replication-certificate
# Add each peer's certificate to the other pods' configs under:
# [replication."repl://<peer-fqdn>:8444"]
# type = "mutual-pull"
# partner_cert = "<cert>"
```