4d594fbde7
- Store per-pod replication certs in Vault (kv/kubernetes/namespace/kanidm/default/repl-certs) - VaultAuth + VaultStaticSecret sync certs to kanidm-repl-certs Secret - busybox config-init init container injects peer certs from Secret into server.toml at startup - Remove hardcoded partner_cert entries from per-pod server.toml templates - Add automatic_refresh = true to all replication configs - Add reloader.stakater.com/auto annotation to trigger rolling restart on ConfigMap/Secret changes - Document domain UUID mismatch resolution and cert rotation in README Reviewed-on: #176
22 lines
435 B
YAML
22 lines
435 B
YAML
---
|
|
apiVersion: secrets.hashicorp.com/v1beta1
|
|
kind: VaultAuth
|
|
metadata:
|
|
name: default
|
|
namespace: kanidm
|
|
labels:
|
|
app.kubernetes.io/name: kanidm
|
|
app.kubernetes.io/instance: kanidm
|
|
spec:
|
|
method: kubernetes
|
|
mount: k8s/au/syd1
|
|
vaultConnectionRef: vso-system/default
|
|
allowedNamespaces:
|
|
- kanidm
|
|
kubernetes:
|
|
role: default
|
|
serviceAccount: kanidm
|
|
audiences:
|
|
- vault
|
|
tokenExpirationSeconds: 600
|