11286a1f89
Add a native sidecar (bitnami/kubectl, restartPolicy: Always) that runs kanidmd renew-replication-certificate on each pod and patches the result into the kanidm-repl-certs ConfigMap (certs are public keys, not secrets). The config-init init container reads peer certs from the ConfigMap at startup, building the replication stanza automatically — no manual cert exchange required after first deploy. Add RBAC (Role + RoleBinding) granting the kanidm service account pods/exec and configmap patch permissions scoped to the kanidm namespace.
17 lines
298 B
YAML
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
  - namespace.yaml
  - serviceaccount.yaml
  - rbac.yaml
  - certificate.yaml
  - configmap.yaml
  - service.yaml
  - statefulset.yaml
  - poddisruptionbudget.yaml
  - gateway.yaml
  - httproute.yaml
  - tlsroute.yaml
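One way to scope the Role and RoleBinding that the commit message describes for the cert-renewal sidecar, added here as an illustration; it is not the rbac.yaml from this commit. The namespace, service account and ConfigMap names (kanidm, kanidm, kanidm-repl-certs) come from the message; the Role name, the exact verbs and the resourceNames restriction are assumptions about what least privilege would look like.

```yaml
# Illustrative only: assumed shape of the Role/RoleBinding, not this commit's rbac.yaml.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: kanidm-repl-cert-renewer   # assumed name
  namespace: kanidm
rules:
  # kubectl exec first resolves the pod (get on pods), then opens the
  # exec session (create on the pods/exec subresource).
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get"]
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create"]
  # kubectl patch fetches the object before patching, so get is needed
  # alongside patch. resourceNames limits the grant to the single ConfigMap
  # that holds the (public) replication certs; no list, delete, or Secrets.
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["kanidm-repl-certs"]
    verbs: ["get", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kanidm-repl-cert-renewer   # assumed name
  namespace: kanidm
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kanidm-repl-cert-renewer
subjects:
  - kind: ServiceAccount
    name: kanidm
    namespace: kanidm
```

Because pods/exec cannot be bound to a namespace narrower than the Role's, this grant still lets the service account exec into any pod in the kanidm namespace; keeping kanidm the only workload in that namespace, or adding the StatefulSet pod names under resourceNames, is the remaining check worth making.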