# kanidm

Single-replica kanidm identity server deployment.

## Initial setup

After the pod starts for the first time, generate the admin and idm_admin credentials:

```bash
kubectl exec -n kanidm kanidm-0 -- /sbin/kanidmd recover-account admin
kubectl exec -n kanidm kanidm-0 -- /sbin/kanidmd recover-account idm_admin
```

## Adding replication

If replication is needed in the future:

1. Scale the StatefulSet to 3 replicas and add `podAntiAffinity` to spread across nodes.
2. Add a `[replication]` section to `configmap.yaml` per pod (origin is pod-specific: `repl://kanidm-N.kanidm-headless.kanidm.svc.cluster.local:8444`).
3. Add the replication port (8444) back to the StatefulSet container ports and headless service.
4. Restore `rbac.yaml` for the cert-publisher sidecar, or exchange certificates manually:

```bash
# On each pod, get its replication certificate
kubectl exec -n kanidm kanidm-0 -- /sbin/kanidmd renew-replication-certificate

# Add each peer's certificate to the other pods' configs under:
# [replication."repl://:8444"]
# type = "mutual-pull"
# partner_cert = ""
```
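As an added illustration of steps 2 and 4 (not part of this deployment's own files), this is what the pod-specific `[replication]` section would look like for `kanidm-0` in a 3-replica mesh, using the origin naming pattern above; `bindaddress` is assumed from the kanidm server configuration reference, and the certificate values are placeholders to be replaced with the output of `renew-replication-certificate` on each peer.

```toml
# Replication section for pod kanidm-0 (each pod gets its own copy with its own origin).
[replication]
# Must be the address the peers reach THIS pod on; it is what the headless service resolves.
origin = "repl://kanidm-0.kanidm-headless.kanidm.svc.cluster.local:8444"
# Listener for inbound replication on port 8444 (assumed key name; matches the container port).
bindaddress = "[::]:8444"

# One partner entry per peer; the table key is the PEER's origin, not this pod's.
# mutual-pull means both sides pull from each other, so kanidm-1 and kanidm-2
# must carry a matching entry whose key is kanidm-0's origin and whose
# partner_cert is the certificate printed by kanidm-0.
[replication."repl://kanidm-1.kanidm-headless.kanidm.svc.cluster.local:8444"]
type = "mutual-pull"
# Placeholder: paste the certificate printed by `kanidmd renew-replication-certificate` on kanidm-1.
partner_cert = "<KANIDM-1-REPLICATION-CERT>"

[replication."repl://kanidm-2.kanidm-headless.kanidm.svc.cluster.local:8444"]
type = "mutual-pull"
# Placeholder: certificate printed on kanidm-2.
partner_cert = "<KANIDM-2-REPLICATION-CERT>"
```

Because the certificates pin each peer, a pod whose certificate was renewed will fail to replicate until every other pod's `partner_cert` for it is updated and those pods are restarted.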