feat(kanidm): 3 replicas, PDB maxUnavailable=1, host anti-affinity

- Increase replicas from 2 to 3
- Add kanidm-2 headless DNS SAN to TLS certificate
- Add PodDisruptionBudget (maxUnavailable: 1) to maintain quorum during
  node drains
- Add requiredDuringSchedulingIgnoredDuringExecution pod anti-affinity
  on kubernetes.io/hostname to spread replicas across distinct hosts
- Update replication peers comment to include kanidm-2 cert exchange step
2026-05-23 23:49:30 +10:00
parent ee76ec199b
commit e91fe554eb
5 changed files with 32 additions and 2 deletions
+9 -1
@@ -9,7 +9,7 @@ metadata:
app.kubernetes.io/instance: kanidm
spec:
serviceName: kanidm-headless
replicas: 2
replicas: 3
selector:
matchLabels:
app.kubernetes.io/name: kanidm
@@ -21,6 +21,14 @@ spec:
app.kubernetes.io/instance: kanidm
spec:
serviceAccountName: kanidm
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchLabels:
app.kubernetes.io/name: kanidm
app.kubernetes.io/instance: kanidm
topologyKey: kubernetes.io/hostname
securityContext:
runAsUser: 1000
runAsGroup: 1000
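Review bot: The hard host anti-affinity introduced at `affinity:` (requiredDuringSchedulingIgnoredDuringExecution on `kubernetes.io/hostname`) combined with `replicas: 3` in the first hunk means the StatefulSet can only become fully Ready on a cluster with at least three schedulable nodes, and that assumption is not recorded anywhere in the hunk. During a drain the evicted replica presumably stays Pending until its node (or another free one) returns, since it may not share a host with a peer; the PDB described in the commit message should then block a second concurrent drain, which is the intended quorum protection but is worth making explicit. Suggest a comment above `affinity:` such as `# Hard host anti-affinity: needs >= 3 schedulable nodes; a drained replica stays Pending until a host without a kanidm pod is available.` If the cluster cannot always guarantee three nodes, `preferredDuringSchedulingIgnoredDuringExecution` with a weight would keep the spread as a soft goal without stalling rollouts. The pod template spec continues beyond the end of this hunk.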