feat(kanidm): 3 replicas, PDB maxUnavailable=1, host anti-affinity
- Increase replicas from 2 to 3 - Add kanidm-2 headless DNS SAN to TLS certificate - Add PodDisruptionBudget (maxUnavailable: 1) to maintain quorum during node drains - Add requiredDuringSchedulingIgnoredDuringExecution pod anti-affinity on kubernetes.io/hostname to spread replicas across distinct hosts - Update replication peers comment to include kanidm-2 cert exchange step
@@ -20,6 +20,7 @@ spec:
|
||||
- kanidm.kanidm.svc.cluster.local
|
||||
- kanidm-0.kanidm-headless.kanidm.svc.cluster.local
|
||||
- kanidm-1.kanidm-headless.kanidm.svc.cluster.local
|
||||
- kanidm-2.kanidm-headless.kanidm.svc.cluster.local
|
||||
privateKey:
|
||||
algorithm: RSA
|
||||
size: 4096
|
||||
|
||||
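Review bot: The SAN list now encodes the replica count a second time (one `kanidm-N.kanidm-headless.kanidm.svc.cluster.local` entry per StatefulSet ordinal), and the `replicas: 3` hunk in statefulset.yaml and the peers.toml example in configmap.yaml carry the same number, with nothing tying the three places together. A fourth replica added later would come up with a serving certificate that does not cover its headless name, and TLS to it from its peers would fail. Add a comment above the first headless entry: `# one entry per StatefulSet ordinal -- keep in sync with replicas in statefulset.yaml`. The Certificate's `spec:` block starts before this hunk.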
@@ -34,8 +34,9 @@ data:
|
||||
# After first deployment, exchange replication certificates:
|
||||
# kubectl exec -n kanidm kanidm-0 -- kanidmd show-replication-certificate
|
||||
# kubectl exec -n kanidm kanidm-1 -- kanidmd show-replication-certificate
|
||||
# kubectl exec -n kanidm kanidm-2 -- kanidmd show-replication-certificate
|
||||
#
|
||||
# Then populate peers.toml with both nodes' certs and restart pods.
|
||||
# Then populate peers.toml with all nodes' certs and restart pods.
|
||||
# Example peers.toml content:
|
||||
#
|
||||
# [replication."repl://kanidm-0.kanidm-headless.kanidm.svc.cluster.local:8444"]
|
||||
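Review bot: The replaced line `# Then populate peers.toml with all nodes' certs and restart pods.` reads as if one file lists all three nodes, and the example that follows here and in the next hunk lists kanidm-0, kanidm-1 and kanidm-2 with no indication that a node should omit its own entry; if the three pods consume this same ConfigMap, every node would be handed a file that names itself as a partner. I cannot confirm from here whether kanidmd ignores a self-referential `[replication."repl://..."]` entry, so the comment should state the intent explicitly, e.g. `# Then populate each pod's peers.toml with its two partners' certs (never its own) and restart pods.`, and say how the per-pod file is produced if it is not this ConfigMap. The block this comment sits in (the hunk header names `data:`) starts before the hunk.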
@@ -45,6 +46,10 @@ data:
|
||||
# [replication."repl://kanidm-1.kanidm-headless.kanidm.svc.cluster.local:8444"]
|
||||
# type = "mutual-pull"
|
||||
# partner_cert = "<base64-cert-from-kanidm-1>"
|
||||
#
|
||||
# [replication."repl://kanidm-2.kanidm-headless.kanidm.svc.cluster.local:8444"]
|
||||
# type = "mutual-pull"
|
||||
# partner_cert = "<base64-cert-from-kanidm-2>"
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
|
||||
@@ -9,6 +9,7 @@ resources:
|
||||
- configmap.yaml
|
||||
- service.yaml
|
||||
- statefulset.yaml
|
||||
- poddisruptionbudget.yaml
|
||||
- gateway.yaml
|
||||
- httproute.yaml
|
||||
- tlsroute.yaml
|
||||
|
||||
@@ -0,0 +1,15 @@
|
||||
---
|
||||
apiVersion: policy/v1
|
||||
kind: PodDisruptionBudget
|
||||
metadata:
|
||||
name: kanidm
|
||||
namespace: kanidm
|
||||
labels:
|
||||
app.kubernetes.io/name: kanidm
|
||||
app.kubernetes.io/instance: kanidm
|
||||
spec:
|
||||
maxUnavailable: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: kanidm
|
||||
app.kubernetes.io/instance: kanidm
|
||||
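Review bot: With the default eviction policy, a replica that is already not Ready (crash-looping, or Pending because the hard anti-affinity added in statefulset.yaml found no free node) counts against `maxUnavailable: 1`, which blocks `kubectl drain` on every other node until someone intervenes. If the cluster's policy/v1 version supports it, `unhealthyPodEvictionPolicy: AlwaysAllow` under `spec:` lets a drain evict pods that are not Ready anyway while still protecting the healthy replicas; otherwise record the failure mode next to `maxUnavailable: 1` with `# an unhealthy or Pending replica blocks all node drains until it is Ready`.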
@@ -9,7 +9,7 @@ metadata:
|
||||
app.kubernetes.io/instance: kanidm
|
||||
spec:
|
||||
serviceName: kanidm-headless
|
||||
replicas: 2
|
||||
replicas: 3
|
||||
selector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: kanidm
|
||||
@@ -21,6 +21,14 @@ spec:
|
||||
app.kubernetes.io/instance: kanidm
|
||||
spec:
|
||||
serviceAccountName: kanidm
|
||||
affinity:
|
||||
podAntiAffinity:
|
||||
requiredDuringSchedulingIgnoredDuringExecution:
|
||||
- labelSelector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: kanidm
|
||||
app.kubernetes.io/instance: kanidm
|
||||
topologyKey: kubernetes.io/hostname
|
||||
securityContext:
|
||||
runAsUser: 1000
|
||||
runAsGroup: 1000
|
||||
|
||||
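Review bot: `requiredDuringSchedulingIgnoredDuringExecution` on `kubernetes.io/hostname` leaves the third replica Pending on any cluster with fewer than three nodes able to take it, and because the new PodDisruptionBudget counts a Pending replica as unavailable, a small or partially cordoned cluster then also cannot drain any node. If that trade-off is intended, record it above `affinity:` with `# hard spread: needs >= 3 schedulable nodes; a Pending replica also blocks drains via the PDB`; if best-effort spreading is acceptable, `preferredDuringSchedulingIgnoredDuringExecution` with the same term avoids the scheduling dead end. The pod template `spec:` continues past the end of the hunk.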