feat(kanidm): 3 replicas, PDB maxUnavailable=1, host anti-affinity

- Increase replicas from 2 to 3
- Add kanidm-2 headless DNS SAN to TLS certificate
- Add PodDisruptionBudget (maxUnavailable: 1) to maintain quorum during
  node drains
- Add requiredDuringSchedulingIgnoredDuringExecution pod anti-affinity
  on kubernetes.io/hostname to spread replicas across distinct hosts
- Update replication peers comment to include kanidm-2 cert exchange step
This commit is contained in:
2026-05-23 23:49:30 +10:00
parent ee76ec199b
commit e91fe554eb
5 changed files with 32 additions and 2 deletions
+6 -1
View File
@@ -34,8 +34,9 @@ data:
# After first deployment, exchange replication certificates:
# kubectl exec -n kanidm kanidm-0 -- kanidmd show-replication-certificate
# kubectl exec -n kanidm kanidm-1 -- kanidmd show-replication-certificate
# kubectl exec -n kanidm kanidm-2 -- kanidmd show-replication-certificate
#
# Then populate peers.toml with both nodes' certs and restart pods.
# Then populate peers.toml with all nodes' certs and restart pods.
# Example peers.toml content:
#
# [replication."repl://kanidm-0.kanidm-headless.kanidm.svc.cluster.local:8444"]
@@ -45,6 +46,10 @@ data:
# [replication."repl://kanidm-1.kanidm-headless.kanidm.svc.cluster.local:8444"]
# type = "mutual-pull"
# partner_cert = "<base64-cert-from-kanidm-1>"
#
# [replication."repl://kanidm-2.kanidm-headless.kanidm.svc.cluster.local:8444"]
# type = "mutual-pull"
# partner_cert = "<base64-cert-from-kanidm-2>"
apiVersion: v1
kind: ConfigMap
metadata: