Remove the data keys from kanidm-repl-certs in git so ArgoCD never takes
SSA ownership of them. Add ignoreDifferences for /data on that ConfigMap
in the ApplicationSet template so ArgoCD doesn't flag sidecar-patched
cert values as out-of-sync.
Add a native sidecar (bitnami/kubectl, restartPolicy: Always) that runs
kanidmd renew-replication-certificate on each pod and patches the result
into the kanidm-repl-certs ConfigMap (certs are public keys, not secrets).
The config-init init container reads peer certs from the ConfigMap at
startup, building the replication stanza automatically — no manual cert
exchange required after first deploy.
Add RBAC (Role + RoleBinding) granting the kanidm service account
pods/exec and configmap patch permissions scoped to the kanidm namespace.
- Increase replicas from 2 to 3
- Add kanidm-2 headless DNS SAN to TLS certificate
- Add PodDisruptionBudget (maxUnavailable: 1) to maintain quorum during
node drains
- Add requiredDuringSchedulingIgnoredDuringExecution pod anti-affinity
on kubernetes.io/hostname to spread replicas across distinct hosts
- Update replication peers comment to include kanidm-2 cert exchange step
## Summary
- Deploys Kanidm 1.10.3 (ghcr.io/kanidm/server:1.10.3) as a 2-replica
StatefulSet with built-in replication enabled
- Domain: auth.unkin.net (primary WebAuthn origin); au.auth.unkin.net
is an additional hostname for this au-syd1 instance
- TLS: cert-manager Certificate (vault-issuer) covering auth.unkin.net,
au.auth.unkin.net, kanidm.k8s.syd1.au.unkin.net, and internal
headless pod DNS names — Kanidm terminates TLS itself (passthrough)
- Gateway: TLS passthrough on port 443 via TLSRoute; HTTP on port 80
redirects to HTTPS; external-dns creates kanidm.k8s.syd1.au.unkin.net
(not used in server.toml; canonical origin is auth.unkin.net only)
- Replication: init container generates per-pod server.toml with the
correct repl:// origin (kanidm-{N}.kanidm-headless.kanidm.svc);
populate kanidm-repl-peers ConfigMap post-deployment after running
`kanidmd show-replication-certificate` on each pod
- Storage: 10Gi cephrbd-fast-delete PVC per pod via volumeClaimTemplates
- Security: runAsUser/runAsGroup 1000, runAsNonRoot, no privilege
escalation, allowPrivilegeEscalation=false
- ArgoCD: platform ApplicationSet and Project updated for kanidm namespace
## Requires
- PR benvin/kanidm-artifactapi (add ^kanidm/ to ghcr immutable patterns)
to be merged first so artifactapi can cache ghcr.io/kanidm/server
## Post-deployment steps
1. Wait for both pods to reach Running state
2. Exchange replication certificates between pods:
kubectl exec -n kanidm kanidm-0 -- kanidmd show-replication-certificate
kubectl exec -n kanidm kanidm-1 -- kanidmd show-replication-certificate
3. Edit kanidm-repl-peers ConfigMap with both nodes' certs
(see template in configmap.yaml comments)
4. kubectl rollout restart statefulset/kanidm -n kanidm
## Test plan
- [x] Sandbox tested in sandbox-kanidm: all 11 resources server dry-run OK
- [ ] After merge: ArgoCD syncs kanidm namespace
- [ ] Verify auth.unkin.net and au.auth.unkin.net reachable via Gateway
- [ ] Verify kanidm.k8s.syd1.au.unkin.net DNS record created by external-dns
- [ ] Complete replication cert exchange and verify replication active
## Summary
- Adds \`stalwartlabs/webadmin/releases/latest/download/webadmin.zip\` to \`mutable_patterns\` in the \`github\` generic remote so the stalwart webadmin UI can be fetched through artifactapi rather than directly from GitHub.
## Notes
- Uses \`mutable_patterns\` (not \`immutable\`) because \`releases/latest\` resolves to whichever release is current and changes over time.
- Access URL: \`https://artifactapi.k8s.syd1.au.unkin.net/generic/github/stalwartlabs/webadmin/releases/latest/download/webadmin.zip\`
Reviewed-on: #157
The Gateway API admission server defaults certificateRefs[].group to ""
when it is omitted. ArgoCD diffed the desired state (no group field) against
the live state (group: "") and flagged every gateway as out of sync.
Fix: explicitly set group: "" in all certificateRefs entries so the
rendered manifest matches the API server's canonical form exactly.
Affected: artifactapi, cattle-system, consul, litellm, paperclip,
puppet (puppetboard + puppetdb), vault.
Reviewed-on: #153
Vault and consul namespaces were missing from the platform AppProject
allowed destinations, causing ArgoCD sync failures with:
destination server 'https://kubernetes.default.svc' and namespace
'vault' do not match any of the allowed destinations in project 'platform'
Reviewed-on: #152
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.