unkinben d358098fff chore: update replication certs (#170)
- add replication certs for kanidm-0, kanidm-1 and kanidm-2

Reviewed-on: #170
2026-05-25 23:52:06 +10:00

kanidm

Single-replica kanidm identity server deployment.

Initial setup

After the pod starts for the first time, generate the admin and idm_admin credentials:

kubectl exec -n kanidm kanidm-0 -- /sbin/kanidmd recover-account admin
kubectl exec -n kanidm kanidm-0 -- /sbin/kanidmd recover-account idm_admin

Adding replication

If replication is needed in the future:

  1. Scale the StatefulSet to 3 replicas and add podAntiAffinity to spread across nodes.
  2. Add a [replication] section to configmap.yaml per pod (origin is pod-specific: repl://kanidm-N.kanidm-headless.kanidm.svc.cluster.local:8444).
  3. Add the replication port (8444) back to the StatefulSet container ports and headless service.
  4. Restore rbac.yaml for the cert-publisher sidecar, or exchange certificates manually:

# On each pod, generate and print a new replication certificate.
# This rotates the pod's certificate: any peer that pins the old one must be
# updated or replication to this pod stops. To print the current certificate
# without rotating it, use `kanidmd show-replication-certificate` instead.
kubectl exec -n kanidm kanidm-0 -- /sbin/kanidmd renew-replication-certificate

# Add each peer's certificate to the other pods' configs under:
# [replication."repl://<peer-fqdn>:8444"]
# type = "mutual-pull"
# partner_cert = "<cert>"
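The following script is an added example for steps 2 and 4 above; it is not part of this repo. It renders the per-pod [replication] section from each peer's certificate, so the three configmap entries stay consistent and no pod ends up pinning its own certificate. The service name, namespace and port come from the origin URL given in step 2; the bindaddress of 0.0.0.0:8444, the choice of kanidm-0 as the seed pod whose data the others pull on first sync (automatic_refresh), and the use of show-replication-certificate rather than renew are assumptions made here.

```shell
#!/bin/sh
# Added example, not code from this repository.
# Assumptions (not taken from the repo): headless service kanidm-headless in
# namespace kanidm, replication port 8444, bindaddress 0.0.0.0:8444, and
# kanidm-0 as the seed pod that already holds data.
set -eu

NAMESPACE="kanidm"
HEADLESS_SVC="kanidm-headless"
REPL_PORT="8444"
SEED_POD="kanidm-0"

# Pod-specific replication origin behind the headless service.
repl_origin() {
  printf 'repl://%s.%s.%s.svc.cluster.local:%s\n' "$1" "$HEADLESS_SVC" "$NAMESPACE" "$REPL_PORT"
}

# Read the pod's *current* replication certificate. show-replication-certificate
# prints it without rotating; renew-replication-certificate would issue a new one
# and break peers that still pin the old certificate until they are updated.
fetch_cert() {
  kubectl exec -n "$NAMESPACE" "$1" -- /sbin/kanidmd show-replication-certificate
}

# Render the [replication] TOML for pod $1. Remaining args are "pod=cert" pairs
# for every pod; the pod's own pair is skipped since a node never replicates
# with itself. Certificates are embedded verbatim as the opaque string kanidm prints.
render_replication_section() {
  self="$1"; shift
  printf '[replication]\n'
  printf 'origin = "%s"\n' "$(repl_origin "$self")"
  printf 'bindaddress = "0.0.0.0:%s"\n' "$REPL_PORT"
  for pair in "$@"; do
    peer="${pair%%=*}"
    cert="${pair#*=}"
    if [ "$peer" = "$self" ]; then
      continue
    fi
    printf '\n[replication."%s"]\n' "$(repl_origin "$peer")"
    printf 'type = "mutual-pull"\n'
    printf 'partner_cert = "%s"\n' "$cert"
    # Only a fresh node pulls a full refresh, and only from the seed. Setting this
    # to true on the seed would let an empty peer overwrite the seed's data.
    if [ "$self" != "$SEED_POD" ] && [ "$peer" = "$SEED_POD" ]; then
      printf 'automatic_refresh = true\n'
    else
      printf 'automatic_refresh = false\n'
    fi
  done
}

# Live usage (needs cluster access): collect every pod's certificate once, then
# print each pod's section for pasting into its configmap entry.
render_all_from_cluster() {
  pairs=""
  for p in kanidm-0 kanidm-1 kanidm-2; do
    pairs="$pairs $p=$(fetch_cert "$p")"
  done
  for p in kanidm-0 kanidm-1 kanidm-2; do
    echo "### $p"
    # word splitting is intentional: certificates contain no whitespace
    render_replication_section "$p" $pairs
    echo
  done
}
```

Run `render_all_from_cluster` once all three pods are up and their replication port is exposed (step 3); after a certificate is renewed on any pod, rerun it and roll out the updated configmap to every pod, since each peer pins the partner's exact certificate.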