feat(kanidm): 3 replicas, PDB maxUnavailable=1, host anti-affinity
- Increase replicas from 2 to 3
- Add kanidm-2 headless DNS SAN to TLS certificate
- Add PodDisruptionBudget (maxUnavailable: 1) to maintain quorum during node drains
- Add requiredDuringSchedulingIgnoredDuringExecution pod anti-affinity on kubernetes.io/hostname to spread replicas across distinct hosts
- Update replication peers comment to include kanidm-2 cert exchange step
@@ -34,8 +34,9 @@ data:
# After first deployment, exchange replication certificates:
# kubectl exec -n kanidm kanidm-0 -- kanidmd show-replication-certificate
# kubectl exec -n kanidm kanidm-1 -- kanidmd show-replication-certificate
# kubectl exec -n kanidm kanidm-2 -- kanidmd show-replication-certificate
#
# Then populate peers.toml with both nodes' certs and restart pods.
# Then populate peers.toml with all nodes' certs and restart pods.
# Example peers.toml content:
#
# [replication."repl://kanidm-0.kanidm-headless.kanidm.svc.cluster.local:8444"]
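Review bot: the updated instruction "populate peers.toml with all nodes' certs and restart pods" leaves it ambiguous whether one identical peers.toml is mounted into all three pods or whether each pod gets its own file. The example that follows lists kanidm-0, kanidm-1 and kanidm-2 as `mutual-pull` partners in a single file, so as written kanidm-0 would also carry an entry for `repl://kanidm-0.kanidm-headless...:8444` pointing at itself. Please state in the comment which of the two it is, e.g. "each pod's peers.toml lists only its two partners (omit the pod's own entry)", and note that the three `kubectl exec ... show-replication-certificate` outputs are what go into the corresponding `partner_cert` values, so the mapping from command to field is explicit for whoever runs this after first deployment.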
@@ -45,6 +46,10 @@ data:
# [replication."repl://kanidm-1.kanidm-headless.kanidm.svc.cluster.local:8444"]
# type = "mutual-pull"
# partner_cert = "<base64-cert-from-kanidm-1>"
#
# [replication."repl://kanidm-2.kanidm-headless.kanidm.svc.cluster.local:8444"]
# type = "mutual-pull"
# partner_cert = "<base64-cert-from-kanidm-2>"
apiVersion: v1
kind: ConfigMap
metadata:
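Review bot: the trailing context shows `apiVersion: v1` / `kind: ConfigMap` / `metadata:` directly after the new `# partner_cert = "<base64-cert-from-kanidm-2>"` line, with no `---` document separator in the visible lines. If this comment block sits at top level between two YAML documents, confirm the separator is present just outside the hunk; if it is inside a block scalar under `data:`, the indentation of the four added lines is not visible here and should match the surrounding entries. Either way it is worth checking that the manifest still parses as a multi-document file (e.g. `kubectl apply --dry-run=client -f`) before merging, since a stray top-level comment or a mis-indented line would silently change what ends up in the ConfigMap.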