Add support for CA clone with shared DS #4527
Conversation
This is not clear to me. If multiple CAs share the same DS instance, the load balancer is to distribute the work among multiple CAs, the DS instance is only one. Isn't it? |
|
@ckelleyRH @fmarco76 Thanks! Sorry, let me clarify. Suppose we have a cluster environment with multiple CA and DS replicas, previously each CA replica needed to have its own DS replica. If a DS replica was down, the CA replica attached to that DS replica could not automatically switch to a different DS replica, so that CA replica would be down as well. With this PR we remove that restriction, so it's now possible to install a load balancer sitting in between all CA replicas and all DS replicas. In this configuration all CA replicas will connect to the same load balancer (i.e. with the same address), then the load balancer will distribute the traffic to all DS replicas. This way if a DS replica is down, the CA replicas can automatically use the remaining DS replicas. The test is just to demonstrate that the CA replicas are no longer prevented from using a shared DS instance, which could be a DS load balancer in a real environment. It's also possible to have a load balancer between the CA clients and the CA replicas, but I think that configuration is already supported (i.e. there's no restriction like above). |
A new test has been added to install multiple CA instances sharing the same DS instance. This configuration can be used to create CA replicas connected to a single load balancer which will to distribute the load to multiple DS replicas. A new GH workflow has been added for CA clone tests since a workflow can only call up to 20 reusable workflows: https://docs.github.com/en/actions/using-workflows/reusing-workflows
|
Kudos, SonarCloud Quality Gate passed!
|
|
Actually after further inspection it's not necessary to remove the validation code since this installation scenario uses I also added a new top-level workflow since the current one has already reached the 20 reusable workflow limit: |
The
PKIDeployment.import_master_config()has been modified to no longer require the CA master and CA replica to use separate DS instances. This will allow the CA instances to use a load balancer to distribute the load to multiple DS instances.A new test has been added to install CA instances sharing the same DS instance.