- Increase replicas from 2 to 3
- Add kanidm-2 headless DNS SAN to TLS certificate
- Add PodDisruptionBudget (maxUnavailable: 1) to maintain quorum during
node drains
- Add requiredDuringSchedulingIgnoredDuringExecution pod anti-affinity
on kubernetes.io/hostname to spread replicas across distinct hosts
- Update replication peers comment to include kanidm-2 cert exchange step