Run auth service on a separate machine #94
Comments
#86 would be resolved by this.
My assumption when creating this ticket was the goal of a single, unified Keycloak instance across several projects. That assumption was incorrect because PDC infrastructure needs to be cleanly separate from other infrastructure. In light of this, I think we could work on #86 first rather than adding another machine to maintain while the first machine is not maxed out in any way. @jasonaowen How does that sound?
@jasonaowen Sure, I don't think this is immediately needed for #86, but I can see that now is a good time to make a dedicated auth machine if that's desired. So doing.
The plan is this:
I staged most of the changes in the new production machine while the DNS change for test is pending. I didn't yet take a backup of the production machine (or restore it) because we want that step to be as close to the DNS change as practical. But the prerequisites (the database user and (empty) database, Keycloak software and config, nginx config, systemd unit, env vars) are at least there and ready for the dump/restore and DNS change.
Let's Encrypt certificates are now on the auth test machine using certbot.
The authentication and authorization server is getting split off onto its own host. As of this writing, the test auth server is separated. This change removes the attempts to renew certificates for the auth service now that it is going to be on a different machine. See #94 Run auth service on a separate machine
The new production auth machine is running now, pending DNS change.
DNS change is complete, and the prod machine also is using Let's Encrypt certificates now.
All but the unchecked cleanup steps are complete here. I have not tried a Keycloak key rotation so I do not know how long that would take.
The old machines should have very little or nothing to do with the old Keycloak instance running there now. The database, database user, system user, and leftover files from the migration should be gone. The related env vars are commented out.
We would benefit from auth running on a separate machine from the PDC service. Deployment of the PDC backend would be more cleanly separated, e.g. a PDC deployment does not impact auth, sessions, etc.