forked from TrueCloudLab/certificates
Add documentation for running HA
This commit is contained in:
parent
083abf5150
commit
ca0861bf17
1 changed files with 28 additions and 0 deletions
|
@ -658,3 +658,31 @@ are features that we plan to implement, but are not yet available. In the mean
|
|||
time short lived certificates are a decent alternative.
|
||||
* Keep your hosts secure by enforcing AuthN and AuthZ for every connection. SSH
|
||||
access is a big one.
|
||||
|
||||
<a name="step-ca-ha"></a>
|
||||
## Notes on Running Step CA as a Highly Available Service
|
||||
|
||||
**CAUTION**: `step-ca` is built to scale horizontally. However, the creators
|
||||
and maintainers do not regularly test in an HA environment using mulitple
|
||||
instances. You may run into issues we did not plan for. If this happens, please
|
||||
[open an issue][3].
|
||||
|
||||
### Considerations
|
||||
|
||||
A few things to consider / implement when running multiple instances of `step-ca`:
|
||||
|
||||
* Use `MySQL` DB: The default `Badger` DB cannot be read / written by more than one
|
||||
process simultaneously. The only supported DB that can support multiple instances
|
||||
is `MySQL`. See the [database documentation][4] for guidance on configuring `MySQL`.
|
||||
|
||||
* Synchronize `ca.json` across instances: `step-ca` reads all of it's
|
||||
configuration (and all of the provisioner configuration) from the `ca.json` file
|
||||
specified on the command line. If the `ca.json` of one instance is modified
|
||||
(either manually or using a command like `step ca provisioner (add | remove)`)
|
||||
the other instances will not pick up on this change until the `ca.json` is
|
||||
copied over to the correct location for each instance and the instance itself
|
||||
is `SIGHUP`'ed (or restarted). It's recommended to use a configuration management
|
||||
(ansible, chef, salt, puppet, etc.) tool to synchronize `ca.json` across instances.
|
||||
|
||||
[3]: https://github.com/smallstep/certificates/issues
|
||||
[4]: ./database.md
|
||||
|
|
Loading…
Reference in a new issue