201e601737
- split to per-server configs
- remove init containers that attempted to automate the replication config
- add README.md

Reviewed-on: #169
1.1 KiB
kanidm
Single-replica kanidm identity server deployment.
Initial setup
After the pod starts for the first time, generate the admin and idm_admin credentials:
```bash
kubectl exec -n kanidm kanidm-0 -- /sbin/kanidmd recover-account admin
kubectl exec -n kanidm kanidm-0 -- /sbin/kanidmd recover-account idm_admin
```
Adding replication
If replication is needed in the future:
- Scale the StatefulSet to 3 replicas and add `podAntiAffinity` to spread across nodes.
- Add a `[replication]` section to `configmap.yaml` per pod (origin is pod-specific: `repl://kanidm-N.kanidm-headless.kanidm.svc.cluster.local:8444`).
- Add the replication port (8444) back to the StatefulSet container ports and headless service.
- Restore `rbac.yaml` for the cert-publisher sidecar, or exchange certificates manually:

```bash
# On each pod, get its replication certificate
kubectl exec -n kanidm kanidm-0 -- /sbin/kanidmd renew-replication-certificate

# Add each peer's certificate to the other pods' configs under:
# [replication."repl://<peer-fqdn>:8444"]
# type = "mutual-pull"
# partner_cert = "<cert>"
```
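Writing the per-pod `[replication]` section by hand for every replica is easy to get wrong (a pod must never list itself as a partner, and every peer needs a certificate). The script below is an added example, not part of this repository: it renders that section for one pod from the other replicas' certificate files. It assumes namespace `kanidm`, headless service `kanidm-headless`, pods named `kanidm-0` .. `kanidm-(N-1)`, a directory holding one file `<pod>.pem` per peer containing the value printed by `renew-replication-certificate`, and the `bindaddress` key from kanidm's replication configuration, which this README does not mention.

```bash
#!/bin/sh
# Added example (not from this repository): render the per-pod [replication]
# section for a kanidm StatefulSet. Assumed values: namespace "kanidm",
# headless service "kanidm-headless", replication port 8444, and one file
# <pod>.pem per peer in CERT_DIR holding that pod's replication certificate.
set -eu

NAMESPACE="kanidm"
HEADLESS_SVC="kanidm-headless"
REPL_PORT="8444"

# peer_origin <pod-name>
# Prints repl://<pod>.<headless-svc>.<namespace>.svc.cluster.local:<port>,
# the pod-specific origin used both for our own entry and for peer sections.
peer_origin() {
    printf 'repl://%s.%s.%s.svc.cluster.local:%s' \
        "$1" "$HEADLESS_SVC" "$NAMESPACE" "$REPL_PORT"
}

# render_replication_config <self-pod> <replica-count> <cert-dir>
# Prints the TOML fragment for <self-pod>: its own origin and listen address,
# then one mutual-pull entry for every *other* replica with that peer's
# certificate inlined. Fails (exit 1) if any peer certificate is missing,
# so an incomplete config never reaches the ConfigMap.
render_replication_config() {
    self="$1"; replicas="$2"; cert_dir="$3"
    printf '[replication]\n'
    printf 'origin = "%s"\n' "$(peer_origin "$self")"
    # bindaddress is assumed from kanidm's replication docs; not in this README.
    printf 'bindaddress = "[::]:%s"\n' "$REPL_PORT"
    i=0
    while [ "$i" -lt "$replicas" ]; do
        peer="kanidm-${i}"
        i=$((i + 1))
        [ "$peer" = "$self" ] && continue   # a pod is never its own partner
        cert="${cert_dir}/${peer}.pem"
        if [ ! -s "$cert" ]; then
            echo "missing replication certificate for ${peer}: ${cert}" >&2
            return 1
        fi
        printf '\n[replication."%s"]\n' "$(peer_origin "$peer")"
        printf 'type = "mutual-pull"\n'
        # Strip line breaks so the certificate is a single TOML string.
        printf 'partner_cert = "%s"\n' "$(tr -d '\n\r' < "$cert")"
    done
}

# Usage: render_replication_config kanidm-1 3 ./certs > kanidm-1.toml
```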