In order to have a highly available deployment of the gitguardian application, several components need to be configured.
First of all, you will need a highly available cluster.
If you brought your own cluster, you just need to ensure it is managed to be highly available, then you can skip to the next step.
HA on an embedded cluster is not recommended nor supported by GitGuardian. We recommend using a managed existing cluster for HA.
If you are using the embedded cluster, you can follow these steps.
These requirements are the bare minimum we recommend to create a highly available cluster.
- A TCP load-balancer.
- 3 master instances. You can add more instances for an increased resilience, but 3 should be enough for most cases. If you go higher, we recommend to use an odd number of master instances. Also, keep in mind that you can add worker nodes to handle the workload.
First, TCP port 6443 have to redirected to all master instances. There can be issues with hairpinning and loopback for this one (for example, AWS Internal NLB can't be used).
TCP ports 80, 443, 8800 can be redirected to any node in the cluster, worker or master. But we recommend to target only master nodes, it makes it easier to scale worker nodes.
Run this command on the first instance:
curl -sSL https://k8s.kurl.sh/gitguardian-seal-prod | sudo bash -s ha
You will be asked the load balancer address; fill it.
At the end of the installation, you will have a command to add new master nodes. Use it on the other instances.
Pods are configured to spread automatically across nodes as much as possible. This ensures a minimum impact in case of a node failure.
No configuration is required.
Redis and Postgres also need to be configured for high availability. The embedded versions do not support high availability, you will have to rely on external ones configured for it.