934e332309
- split to per-server configs
- remove init containers that attempted to automate the replication config
- add README.md
33 lines
1.1 KiB
Markdown
# kanidm
Single-replica kanidm identity server deployment.
## Initial setup
After the pod starts for the first time, generate the admin and idm_admin credentials:
```bash
kubectl exec -n kanidm kanidm-0 -- /sbin/kanidmd recover-account admin
kubectl exec -n kanidm kanidm-0 -- /sbin/kanidmd recover-account idm_admin
```
## Adding replication
If replication is needed in the future:
1. Scale the StatefulSet to 3 replicas and add `podAntiAffinity` to spread across nodes.
2. Add a `[replication]` section to `configmap.yaml` per pod (origin is pod-specific: `repl://kanidm-N.kanidm-headless.kanidm.svc.cluster.local:8444`).
3. Add the replication port (8444) back to the StatefulSet container ports and headless service.
4. Restore `rbac.yaml` for the cert-publisher sidecar, or exchange certificates manually:
```bash
# On each pod, get its replication certificate
kubectl exec -n kanidm kanidm-0 -- /sbin/kanidmd renew-replication-certificate

# Add each peer's certificate to the other pods' configs under:
# [replication."repl://<peer-fqdn>:8444"]
# type = "mutual-pull"
# partner_cert = "<cert>"
```
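As an added example (not part of this repository), a small POSIX shell helper that renders the per-pod `[replication]` fragment from step 2 together with the peer blocks from step 4, so that a pod never lists itself as a partner and every pod pins exactly the other replicas' certificates. The `bindaddress` key is assumed from kanidm's `server.toml` replication format; the certificate values are constructed placeholders.

```shell
#!/bin/sh
# Added example: render the [replication] section for one pod of an
# N-replica kanidm StatefulSet. Assumes pods kanidm-0..kanidm-(N-1),
# headless service "kanidm-headless" in namespace "kanidm", port 8444.
set -eu

NAMESPACE="kanidm"
HEADLESS="kanidm-headless"
REPL_PORT=8444

# repl_origin <index>: the pod-specific origin URL used in both the
# [replication] origin field and the peer table names.
repl_origin() {
  printf 'repl://kanidm-%s.%s.%s.svc.cluster.local:%s' \
    "$1" "$HEADLESS" "$NAMESPACE" "$REPL_PORT"
}

# gen_repl_section <self_index> <replica_count> <cert_0> ... <cert_N-1>
# Emits the fragment for pod <self_index>: its own origin/bindaddress plus
# one mutual-pull block per *other* pod. partner_cert is the trust anchor
# that authenticates that peer, so each block must carry that pod's cert
# and never the local pod's own cert.
gen_repl_section() {
  self="$1"; count="$2"; shift 2
  printf '[replication]\norigin = "%s"\nbindaddress = "[::]:%s"\n' \
    "$(repl_origin "$self")" "$REPL_PORT"
  i=0
  while [ "$i" -lt "$count" ]; do
    cert="$1"; shift
    if [ "$i" -ne "$self" ]; then
      printf '\n[replication."%s"]\ntype = "mutual-pull"\npartner_cert = "%s"\n' \
        "$(repl_origin "$i")" "$cert"
    fi
    i=$((i + 1))
  done
}

# Constructed placeholders; in practice substitute the certificate printed by
# `kanidmd renew-replication-certificate` on each pod, in pod order.
gen_repl_section 0 3 "CERT-FOR-POD-0" "CERT-FOR-POD-1" "CERT-FOR-POD-2"
```

Run it once per pod index and place each output in that pod's `configmap.yaml` entry.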