diff --git a/apps/base/kanidm/certificate.yaml b/apps/base/kanidm/certificate.yaml
index 686e300..01a3000 100644
--- a/apps/base/kanidm/certificate.yaml
+++ b/apps/base/kanidm/certificate.yaml
@@ -20,6 +20,7 @@ spec:
 - kanidm.kanidm.svc.cluster.local
 - kanidm-0.kanidm-headless.kanidm.svc.cluster.local
 - kanidm-1.kanidm-headless.kanidm.svc.cluster.local
+ - kanidm-2.kanidm-headless.kanidm.svc.cluster.local
 privateKey:
 algorithm: RSA
 size: 4096
diff --git a/apps/base/kanidm/configmap.yaml b/apps/base/kanidm/configmap.yaml
index b00aea9..0cf9194 100644
--- a/apps/base/kanidm/configmap.yaml
+++ b/apps/base/kanidm/configmap.yaml
@@ -34,8 +34,9 @@ data:
 # After first deployment, exchange replication certificates:
 # kubectl exec -n kanidm kanidm-0 -- kanidmd show-replication-certificate
 # kubectl exec -n kanidm kanidm-1 -- kanidmd show-replication-certificate
+# kubectl exec -n kanidm kanidm-2 -- kanidmd show-replication-certificate
 #
-# Then populate peers.toml with both nodes' certs and restart pods.
+# Then populate peers.toml with all nodes' certs and restart pods.
 # Example peers.toml content:
 #
 # [replication."repl://kanidm-0.kanidm-headless.kanidm.svc.cluster.local:8444"]
@@ -45,6 +46,10 @@ data:
 # [replication."repl://kanidm-1.kanidm-headless.kanidm.svc.cluster.local:8444"]
 # type = "mutual-pull"
 # partner_cert = ""
+#
+# [replication."repl://kanidm-2.kanidm-headless.kanidm.svc.cluster.local:8444"]
+# type = "mutual-pull"
+# partner_cert = ""
 apiVersion: v1
 kind: ConfigMap
 metadata:
diff --git a/apps/base/kanidm/kustomization.yaml b/apps/base/kanidm/kustomization.yaml
index 52499e1..750eb3c 100644
--- a/apps/base/kanidm/kustomization.yaml
+++ b/apps/base/kanidm/kustomization.yaml
@@ -9,6 +9,7 @@ resources:
 - configmap.yaml
 - service.yaml
 - statefulset.yaml
+ - poddisruptionbudget.yaml
 - gateway.yaml
 - httproute.yaml
 - tlsroute.yaml
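Review bot: The SAN list hard-codes one name per StatefulSet ordinal, so the added `kanidm-2` entry only stays correct while `replicas` in statefulset.yaml is exactly 3; a later scale-up would yield a pod whose headless hostname is absent from the certificate, and any peer or probe that verifies that name would reject the TLS handshake. This looks like a cert-manager Certificate; either document the coupling with a comment above the list, `# one entry per StatefulSet ordinal — keep in sync with spec.replicas in statefulset.yaml`, or replace the per-ordinal entries with `- '*.kanidm-headless.kanidm.svc.cluster.local'` (single-quoted, since a bare `*` is a YAML alias), which covers every pod of the headless service without widening beyond that subdomain — confirm the issuer accepts wildcard SANs. The rest of the Certificate spec (issuerRef, secretName, usages) is outside the hunk.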
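Review bot: The example peers.toml now lists three partners, but a freshly added replica starts with an empty database and the comment says nothing about how kanidm-2 receives its initial copy; kanidm's replication setup has an explicit refresh step for bootstrapping a new node (an `automatic_refresh` flag on a single partner entry, if the kanidmd version in use supports it, or a manual refresh), and without it the new node will not converge. Add a line to the comment such as `# First start of a new node: enable automatic_refresh on ONE partner entry (on that node only), then remove it after sync.` If one shared peers.toml is mounted into every pod, each node also sees its own `repl://` origin listed as a partner — confirm kanidmd tolerates a self-entry, or note that it must be dropped per pod. Since `partner_cert` is what authenticates the peer, the comment should also say the value must be the output of `show-replication-certificate` from that specific pod, not copied from another node.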
diff --git a/apps/base/kanidm/poddisruptionbudget.yaml b/apps/base/kanidm/poddisruptionbudget.yaml
new file mode 100644
index 0000000..9db7ad1
--- /dev/null
+++ b/apps/base/kanidm/poddisruptionbudget.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ name: kanidm
+ namespace: kanidm
+ labels:
+ app.kubernetes.io/name: kanidm
+ app.kubernetes.io/instance: kanidm
+spec:
+ maxUnavailable: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: kanidm
+ app.kubernetes.io/instance: kanidm
diff --git a/apps/base/kanidm/statefulset.yaml b/apps/base/kanidm/statefulset.yaml
index cc9bbc3..39d8ada 100644
--- a/apps/base/kanidm/statefulset.yaml
+++ b/apps/base/kanidm/statefulset.yaml
@@ -9,7 +9,7 @@ metadata:
 app.kubernetes.io/instance: kanidm
 spec:
 serviceName: kanidm-headless
- replicas: 2
+ replicas: 3
 selector:
 matchLabels:
 app.kubernetes.io/name: kanidm
@@ -21,6 +21,14 @@ spec:
 app.kubernetes.io/instance: kanidm
 spec:
 serviceAccountName: kanidm
+ affinity:
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: kanidm
+ app.kubernetes.io/instance: kanidm
+ topologyKey: kubernetes.io/hostname
 securityContext:
 runAsUser: 1000
 runAsGroup: 1000
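Review bot: `maxUnavailable: 1` is the right shape for three replicas, but nothing records why, and a PDB is exactly where an operator looks when a node drain hangs; add `# 3 replicas: permit one voluntary disruption at a time so two members keep serving and replicating` above `maxUnavailable`. Note that a pod that is already unhealthy for any other reason (for example Pending because the hard anti-affinity in statefulset.yaml cannot place it) consumes the entire budget, after which every eviction is refused until it recovers. On clusters where the policy/v1 field `unhealthyPodEvictionPolicy` is available, `unhealthyPodEvictionPolicy: AlwaysAllow` lets drains remove pods that are not Running/Ready without counting against the budget — confirm the cluster version before adding it.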
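Review bot: `replicas: 3` is now an unstated invariant shared with the per-ordinal SAN list in certificate.yaml and the peers.toml example in configmap.yaml, both of which enumerate node names by hand, so a future scale-up here would silently produce a pod with no certificate SAN and no replication partner entry. Record the coupling at the one place people change it: `replicas: 3  # ordinal count is mirrored in certificate.yaml dnsNames and the peers.toml example in configmap.yaml — change all three together`.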
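Review bot: `requiredDuringSchedulingIgnoredDuringExecution` with `topologyKey: kubernetes.io/hostname` is a hard constraint, so on any cluster with fewer than three schedulable nodes, or while one node is down, the third pod stays Pending indefinitely; together with the new PDB (`maxUnavailable: 1`) that Pending pod already exhausts the budget and blocks draining the nodes hosting the other two. If the environment is guaranteed to have at least three nodes, state that assumption in a comment above `affinity:`, e.g. `# hard spread: requires >= 3 schedulable nodes or the third replica never schedules`; otherwise use `preferredDuringSchedulingIgnoredDuringExecution` (wrapping the selector in a `podAffinityTerm:` with a `weight:`) so spreading is best-effort. The pod template `spec:` continues past the hunk, so the remaining securityContext fields cannot be reviewed here.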