4d594fbde7
- Store per-pod replication certs in Vault (kv/kubernetes/namespace/kanidm/default/repl-certs) - VaultAuth + VaultStaticSecret sync certs to kanidm-repl-certs Secret - busybox config-init init container injects peer certs from Secret into server.toml at startup - Remove hardcoded partner_cert entries from per-pod server.toml templates - Add automatic_refresh = true to all replication configs - Add reloader.stakater.com/auto annotation to trigger rolling restart on ConfigMap/Secret changes - Document domain UUID mismatch resolution and cert rotation in README Reviewed-on: #176
---
|
|
apiVersion: kustomize.config.k8s.io/v1beta1
|
|
kind: Kustomization
|
|
|
|
resources:
|
|
- namespace.yaml
|
|
- serviceaccount.yaml
|
|
- vaultauth.yaml
|
|
- vaultstaticsecret.yaml
|
|
- certificate.yaml
|
|
- service.yaml
|
|
- statefulset.yaml
|
|
- poddisruptionbudget.yaml
|
|
- gateway.yaml
|
|
- httproute.yaml
|
|
- tlsroute.yaml
|
|
|
|
configMapGenerator:
|
|
- name: kanidm-config
|
|
namespace: kanidm
|
|
options:
|
|
disableNameSuffixHash: true
|
|
labels:
|
|
app.kubernetes.io/name: kanidm
|
|
app.kubernetes.io/instance: kanidm
|
|
files:
|
|
- server-0.toml=resources/server-0.toml
|
|
- server-1.toml=resources/server-1.toml
|
|
- server-2.toml=resources/server-2.toml
|
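Review bot: The `disableNameSuffixHash: true` line under `configMapGenerator.options` removes the content-hash suffix that is kustomize's own way of forcing a StatefulSet rollout when `server-*.toml` changes, and nothing in this file records why that is acceptable. The commit message says a `reloader.stakater.com/auto` annotation on the workload takes over that job, but that dependency lives in `statefulset.yaml`, so a reader of this kustomization alone will not see it; I would put a comment above the option such as `# no hash suffix: rollouts on server-*.toml changes depend on the reloader.stakater.com/auto annotation in statefulset.yaml`. A short comment on `files:` that these per-pod templates are completed at startup by the config-init init container (the partner certs are no longer in the templates, per the description) would also help; presumably the init container writes the merged file to a writable volume rather than the read-only ConfigMap mount, which is worth confirming in the StatefulSet. Whether the file ends at the `server-2.toml` entry cannot be confirmed from this view.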