e91fe554eb
- Increase replicas from 2 to 3 - Add kanidm-2 headless DNS SAN to TLS certificate - Add PodDisruptionBudget (maxUnavailable: 1) to maintain quorum during node drains - Add requiredDuringSchedulingIgnoredDuringExecution pod anti-affinity on kubernetes.io/hostname to spread replicas across distinct hosts - Update replication peers comment to include kanidm-2 cert exchange step
63 lines
1.7 KiB
YAML
63 lines
1.7 KiB
YAML
---
|
|
apiVersion: v1
|
|
kind: ConfigMap
|
|
metadata:
|
|
name: kanidm-config
|
|
namespace: kanidm
|
|
labels:
|
|
app.kubernetes.io/name: kanidm
|
|
app.kubernetes.io/instance: kanidm
|
|
data:
|
|
server.toml: |
|
|
version = "2"
|
|
|
|
domain = "auth.unkin.net"
|
|
origin = "https://auth.unkin.net"
|
|
bindaddress = "[::]:8443"
|
|
db_path = "/data/kanidm.db"
|
|
db_arc_size = 2048
|
|
tls_chain = "/data/tls/tls.crt"
|
|
tls_key = "/data/tls/tls.key"
|
|
log_level = "info"
|
|
|
|
[online_backup]
|
|
path = "/data/backups/"
|
|
schedule = "0 22 * * *"
|
|
versions = 7
|
|
|
|
[replication]
|
|
origin = "__REPL_ORIGIN__"
|
|
bindaddress = "[::]:8444"
|
|
---
|
|
# kanidm-repl-peers is initially empty.
|
|
#
|
|
# After first deployment, exchange replication certificates:
|
|
# kubectl exec -n kanidm kanidm-0 -- kanidmd show-replication-certificate
|
|
# kubectl exec -n kanidm kanidm-1 -- kanidmd show-replication-certificate
|
|
# kubectl exec -n kanidm kanidm-2 -- kanidmd show-replication-certificate
|
|
#
|
|
# Then populate peers.toml with all nodes' certs and restart pods.
|
|
# Example peers.toml content:
|
|
#
|
|
# [replication."repl://kanidm-0.kanidm-headless.kanidm.svc.cluster.local:8444"]
|
|
# type = "mutual-pull"
|
|
# partner_cert = "<base64-cert-from-kanidm-0>"
|
|
#
|
|
# [replication."repl://kanidm-1.kanidm-headless.kanidm.svc.cluster.local:8444"]
|
|
# type = "mutual-pull"
|
|
# partner_cert = "<base64-cert-from-kanidm-1>"
|
|
#
|
|
# [replication."repl://kanidm-2.kanidm-headless.kanidm.svc.cluster.local:8444"]
|
|
# type = "mutual-pull"
|
|
# partner_cert = "<base64-cert-from-kanidm-2>"
|
|
apiVersion: v1
|
|
kind: ConfigMap
|
|
metadata:
|
|
name: kanidm-repl-peers
|
|
namespace: kanidm
|
|
labels:
|
|
app.kubernetes.io/name: kanidm
|
|
app.kubernetes.io/instance: kanidm
|
|
data:
|
|
peers.toml: ""
|