benvin/kanidm #159

Merged
unkinben merged 4 commits from benvin/kanidm into main 2026-05-24 19:55:23 +10:00
Owner
No description provided.
unkinben added 4 commits 2026-05-24 19:49:14 +10:00
## Summary

- Deploys Kanidm 1.10.3 (ghcr.io/kanidm/server:1.10.3) as a 2-replica
  StatefulSet with built-in replication enabled
- Domain: auth.unkin.net (primary WebAuthn origin); au.auth.unkin.net
  is an additional hostname for this au-syd1 instance
- TLS: cert-manager Certificate (vault-issuer) covering auth.unkin.net,
  au.auth.unkin.net, kanidm.k8s.syd1.au.unkin.net, and internal
  headless pod DNS names — Kanidm terminates TLS itself (passthrough)
- Gateway: TLS passthrough on port 443 via TLSRoute; HTTP on port 80
  redirects to HTTPS; external-dns creates kanidm.k8s.syd1.au.unkin.net
  (not used in server.toml; canonical origin is auth.unkin.net only)
- Replication: init container generates per-pod server.toml with the
  correct repl:// origin (kanidm-{N}.kanidm-headless.kanidm.svc);
  populate kanidm-repl-peers ConfigMap post-deployment after running
  `kanidmd show-replication-certificate` on each pod
- Storage: 10Gi cephrbd-fast-delete PVC per pod via volumeClaimTemplates
- Security: runAsUser/runAsGroup 1000, runAsNonRoot, no privilege
  escalation, allowPrivilegeEscalation=false
- ArgoCD: platform ApplicationSet and Project updated for kanidm namespace

## Requires

- PR benvin/kanidm-artifactapi (add ^kanidm/ to ghcr immutable patterns)
  to be merged first so artifactapi can cache ghcr.io/kanidm/server

## Post-deployment steps

1. Wait for both pods to reach Running state
2. Exchange replication certificates between pods:
   kubectl exec -n kanidm kanidm-0 -- kanidmd show-replication-certificate
   kubectl exec -n kanidm kanidm-1 -- kanidmd show-replication-certificate
3. Edit kanidm-repl-peers ConfigMap with both nodes' certs
   (see template in configmap.yaml comments)
4. kubectl rollout restart statefulset/kanidm -n kanidm

## Test plan

- [x] Sandbox tested in sandbox-kanidm: all 11 resources server dry-run OK
- [ ] After merge: ArgoCD syncs kanidm namespace
- [ ] Verify auth.unkin.net and au.auth.unkin.net reachable via Gateway
- [ ] Verify kanidm.k8s.syd1.au.unkin.net DNS record created by external-dns
- [ ] Complete replication cert exchange and verify replication active
- Increase replicas from 2 to 3
- Add kanidm-2 headless DNS SAN to TLS certificate
- Add PodDisruptionBudget (maxUnavailable: 1) to maintain quorum during
  node drains
- Add requiredDuringSchedulingIgnoredDuringExecution pod anti-affinity
  on kubernetes.io/hostname to spread replicas across distinct hosts
- Update replication peers comment to include kanidm-2 cert exchange step
Add a native sidecar (bitnami/kubectl, restartPolicy: Always) that runs
kanidmd renew-replication-certificate on each pod and patches the result
into the kanidm-repl-certs ConfigMap (certs are public keys, not secrets).
The config-init init container reads peer certs from the ConfigMap at
startup, building the replication stanza automatically — no manual cert
exchange required after first deploy.

Add RBAC (Role + RoleBinding) granting the kanidm service account
pods/exec and configmap patch permissions scoped to the kanidm namespace.
fix(kanidm): prevent ArgoCD from overwriting repl-cert ConfigMap data
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/kubeconform Pipeline was successful
7d2e0dfa0f
Remove the data keys from kanidm-repl-certs in git so ArgoCD never takes
SSA ownership of them. Add ignoreDifferences for /data on that ConfigMap
in the ApplicationSet template so ArgoCD doesn't flag sidecar-patched
cert values as out-of-sync.
unkinben merged commit 3756208ccd into main 2026-05-24 19:55:23 +10:00
unkinben deleted branch benvin/kanidm 2026-05-24 19:55:23 +10:00
unkinben referenced this issue from a commit 2026-05-24 19:55:25 +10:00
Sign in to join this conversation.
No Reviewers
No Label
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: unkin/argocd-apps#159