feat(kanidm): 3 replicas, PDB maxUnavailable=1, host anti-affinity
- Increase replicas from 2 to 3. - Add the kanidm-2 headless DNS SAN to the TLS certificate. - Add a PodDisruptionBudget (maxUnavailable: 1) to maintain quorum during node drains. - Add requiredDuringSchedulingIgnoredDuringExecution pod anti-affinity on kubernetes.io/hostname to spread replicas across distinct hosts. - Update the replication-peers comment to include the kanidm-2 cert exchange step.
@@ -20,6 +20,7 @@ spec:
|
|||||||
- kanidm.kanidm.svc.cluster.local
|
- kanidm.kanidm.svc.cluster.local
|
||||||
- kanidm-0.kanidm-headless.kanidm.svc.cluster.local
|
- kanidm-0.kanidm-headless.kanidm.svc.cluster.local
|
||||||
- kanidm-1.kanidm-headless.kanidm.svc.cluster.local
|
- kanidm-1.kanidm-headless.kanidm.svc.cluster.local
|
||||||
|
- kanidm-2.kanidm-headless.kanidm.svc.cluster.local
|
||||||
privateKey:
|
privateKey:
|
||||||
algorithm: RSA
|
algorithm: RSA
|
||||||
size: 4096
|
size: 4096
|
||||||
|
|||||||
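Review bot: The new `kanidm-2.kanidm-headless...` SAN has to be kept in lockstep with `replicas` in statefulset.yaml, and nothing in this file says so; a fourth replica would serve a certificate that does not cover its own headless name. Add above the first headless entry: `# One SAN per StatefulSet ordinal — when raising replicas in statefulset.yaml, add kanidm-<N>.kanidm-headless.kanidm.svc.cluster.local here as well.` This also looks like a single Certificate object whose key every replica shares (all three ordinals are SANs of one `dnsNames` list); if that is the case, a compromised pod holds the TLS private key of all three, which deserves a one-line note next to `privateKey:`. The Certificate's spec starts before this hunk.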
@@ -34,8 +34,9 @@ data:
|
|||||||
# After first deployment, exchange replication certificates:
|
# After first deployment, exchange replication certificates:
|
||||||
# kubectl exec -n kanidm kanidm-0 -- kanidmd show-replication-certificate
|
# kubectl exec -n kanidm kanidm-0 -- kanidmd show-replication-certificate
|
||||||
# kubectl exec -n kanidm kanidm-1 -- kanidmd show-replication-certificate
|
# kubectl exec -n kanidm kanidm-1 -- kanidmd show-replication-certificate
|
||||||
|
# kubectl exec -n kanidm kanidm-2 -- kanidmd show-replication-certificate
|
||||||
#
|
#
|
||||||
# Then populate peers.toml with both nodes' certs and restart pods.
|
# Then populate peers.toml with all nodes' certs and restart pods.
|
||||||
# Example peers.toml content:
|
# Example peers.toml content:
|
||||||
#
|
#
|
||||||
# [replication."repl://kanidm-0.kanidm-headless.kanidm.svc.cluster.local:8444"]
|
# [replication."repl://kanidm-0.kanidm-headless.kanidm.svc.cluster.local:8444"]
|
||||||
@@ -45,6 +46,10 @@ data:
|
|||||||
# [replication."repl://kanidm-1.kanidm-headless.kanidm.svc.cluster.local:8444"]
|
# [replication."repl://kanidm-1.kanidm-headless.kanidm.svc.cluster.local:8444"]
|
||||||
# type = "mutual-pull"
|
# type = "mutual-pull"
|
||||||
# partner_cert = "<base64-cert-from-kanidm-1>"
|
# partner_cert = "<base64-cert-from-kanidm-1>"
|
||||||
|
#
|
||||||
|
# [replication."repl://kanidm-2.kanidm-headless.kanidm.svc.cluster.local:8444"]
|
||||||
|
# type = "mutual-pull"
|
||||||
|
# partner_cert = "<base64-cert-from-kanidm-2>"
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
kind: ConfigMap
|
kind: ConfigMap
|
||||||
metadata:
|
metadata:
|
||||||
|
|||||||
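Review bot: The peers.toml example now lists all three ordinals in one block, yet `show-replication-certificate` and `partner_cert` are inherently per-node: each node should only list the other two, so if this ConfigMap is mounted unchanged into every pod, kanidm-0 receives a `[replication."repl://kanidm-0..."]` stanza pointing at itself — confirm kanidmd tolerates that, or state that the file is built per node. I would change the `Then populate peers.toml with all nodes' certs and restart pods.` line to `# Each node's peers.toml lists the OTHER nodes only; a replica whose data volume is recreated presumably gets a fresh replication cert and must be re-exchanged with its peers.` `partner_cert` also pins one specific certificate with no rotation procedure mentioned, so the exchange step should reference how a rotated or regenerated cert is redistributed.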
@@ -9,6 +9,7 @@ resources:
|
|||||||
- configmap.yaml
|
- configmap.yaml
|
||||||
- service.yaml
|
- service.yaml
|
||||||
- statefulset.yaml
|
- statefulset.yaml
|
||||||
|
- poddisruptionbudget.yaml
|
||||||
- gateway.yaml
|
- gateway.yaml
|
||||||
- httproute.yaml
|
- httproute.yaml
|
||||||
- tlsroute.yaml
|
- tlsroute.yaml
|
||||||
|
|||||||
@@ -0,0 +1,15 @@
|
|||||||
|
---
|
||||||
|
apiVersion: policy/v1
|
||||||
|
kind: PodDisruptionBudget
|
||||||
|
metadata:
|
||||||
|
name: kanidm
|
||||||
|
namespace: kanidm
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/name: kanidm
|
||||||
|
app.kubernetes.io/instance: kanidm
|
||||||
|
spec:
|
||||||
|
maxUnavailable: 1
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
app.kubernetes.io/name: kanidm
|
||||||
|
app.kubernetes.io/instance: kanidm
|
||||||
@@ -9,7 +9,7 @@ metadata:
|
|||||||
app.kubernetes.io/instance: kanidm
|
app.kubernetes.io/instance: kanidm
|
||||||
spec:
|
spec:
|
||||||
serviceName: kanidm-headless
|
serviceName: kanidm-headless
|
||||||
replicas: 2
|
replicas: 3
|
||||||
selector:
|
selector:
|
||||||
matchLabels:
|
matchLabels:
|
||||||
app.kubernetes.io/name: kanidm
|
app.kubernetes.io/name: kanidm
|
||||||
@@ -21,6 +21,14 @@ spec:
|
|||||||
app.kubernetes.io/instance: kanidm
|
app.kubernetes.io/instance: kanidm
|
||||||
spec:
|
spec:
|
||||||
serviceAccountName: kanidm
|
serviceAccountName: kanidm
|
||||||
|
affinity:
|
||||||
|
podAntiAffinity:
|
||||||
|
requiredDuringSchedulingIgnoredDuringExecution:
|
||||||
|
- labelSelector:
|
||||||
|
matchLabels:
|
||||||
|
app.kubernetes.io/name: kanidm
|
||||||
|
app.kubernetes.io/instance: kanidm
|
||||||
|
topologyKey: kubernetes.io/hostname
|
||||||
securityContext:
|
securityContext:
|
||||||
runAsUser: 1000
|
runAsUser: 1000
|
||||||
runAsGroup: 1000
|
runAsGroup: 1000
|
||||||
|
|||||||
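Review bot: `requiredDuringSchedulingIgnoredDuringExecution` on `kubernetes.io/hostname` together with `replicas: 3` is a hard requirement for at least three schedulable nodes; on a smaller cluster or during a node outage `kanidm-2` stays Pending with nothing in this manifest pointing at the cause, and its headless DNS name will not resolve while the pod has no IP, leaving the kanidm-2 peers.toml stanza dangling. Document that above `affinity:`: `# Hard spread across hosts: needs >= replicas schedulable nodes, otherwise the last ordinal stays Pending and never joins replication.` If the cluster spans zones, a second preferred term on `topology.kubernetes.io/zone` would also keep two replicas out of one zone; omit it on a single-zone cluster. The pod spec continues below the hunk (securityContext and the container list are cut off).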