4d594fbde7
- Store per-pod replication certs in Vault (kv/kubernetes/namespace/kanidm/default/repl-certs) - VaultAuth + VaultStaticSecret sync certs to kanidm-repl-certs Secret - busybox config-init init container injects peer certs from Secret into server.toml at startup - Remove hardcoded partner_cert entries from per-pod server.toml templates - Add automatic_refresh = true to all replication configs - Add reloader.stakater.com/auto annotation to trigger rolling restart on ConfigMap/Secret changes - Document domain UUID mismatch resolution and cert rotation in README Reviewed-on: #176
version = "2"
domain = "auth.unkin.net"
origin = "https://auth.unkin.net"
bindaddress = "[::]:8443"
db_path = "/data/kanidm.db"
db_arc_size = 2048
tls_chain = "/data/tls/tls.crt"
tls_key = "/data/tls/tls.key"
log_level = "info"
[online_backup]
path = "/data/backups/"
schedule = "0 22 * * *"
versions = 7
[replication]
origin = "repl://kanidm-1.kanidm-headless.kanidm.svc.cluster.local:8444"
bindaddress = "[::]:8444"
automatic_refresh = true
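Review bot: `automatic_refresh = true` is placed directly under `[replication]` (the last key of this server.toml), but as far as I know kanidm treats it as a per-partner option that lives in the `[replication."repl://…"]` table next to `partner_cert`, so at this level it is either rejected by the config parser or silently ignored; please confirm against a started pod, or have the config-init container write it inside the partner table it injects from the kanidm-repl-certs Secret. Enabling it on every pod, as the commit message states, also deserves a second look: a node with automatic refresh accepts a full database refresh from its partner when it detects divergence, and if both sides of a pair have it set there is no authoritative side, so a diverged or compromised peer can overwrite this node's data rather than the other way round. The safer pattern is to keep it on one node per pair only and leave the other as the source of truth, e.g. `automatic_refresh = false` on the kanidm-1 template shown here. Whatever is decided, a comment above the key such as `# Accepts a full refresh from the partner on divergence; keep enabled on only one side of each pair` would record why the value differs between pods.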