Commit

deduplicate configs
woutslakhorst committed Nov 19, 2024
1 parent 1126341 commit bb6abcd
Showing 13 changed files with 74 additions and 241 deletions.
9 changes: 7 additions & 2 deletions docs/pages/deployment/clustering.rst
Expand Up @@ -3,7 +3,6 @@
Clustering
##########

With the introduction of a SQL database and separate session storage, clustering with HA is now possible.
Clustering is currently limited to nodes that have the ``did:nuts`` method disabled.
To enable clustering, you must support the following:

Expand All @@ -13,4 +12,10 @@ To enable clustering, you must support the following:
- Read only mounts for configuration, policy, discovery and JSON-LD context files.

It's recommended to use a level 4 load balancer to distribute the load across the nodes.
Each node should have a reverse proxy for TLS termination.
Each node should have a reverse proxy for TLS termination.

Clustering will not work if you use one of the following:

- The did:nuts method
- SQLite
- Disk based private key storage
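Review bot: the new restriction list at the end of the page reintroduces the did:nuts caveat that this hunk's sibling removed from the top, but adds "SQLite" and "Disk based private key storage" without pointing at the alternative that satisfies each (the SQL database and the non-disk key storage that the page's first paragraph and the "you must support the following" list refer to); a link into the storage page for each item would close that gap. Two smaller points in the same hunk: the lines `- Each node should have a reverse proxy for TLS termination.` / `+ Each node should have a reverse proxy for TLS termination.` look identical, so this is probably a whitespace-only change worth dropping, and the unchanged "level 4 load balancer" above should read "layer 4" (TCP) load balancer.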
9 changes: 5 additions & 4 deletions docs/pages/deployment/storage.rst
Expand Up @@ -48,11 +48,11 @@ Session storage
***************

Session storage is used for storing access tokens, nonces and other volatile data.
Data is stored in-memory only. There are 3 supported session storage types:
Session data is volatile by nature. There are 3 supported session storage types:

- local
- memcached
- redis (standalone, cluster, sentinel)
- In-memory
- Memcached
- Redis (standalone, cluster, sentinel)

Local
=====
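Review bot: the renamed list item "In-memory" no longer matches the subsection heading "Local" directly below it (and presumably the config value it documents), so a reader scanning the list cannot map it to the section; either rename the heading or write the item as "Local (in-memory)". The replacement of "Data is stored in-memory only." with "Session data is volatile by nature." is correct, since the old sentence was only true for the local type, not for Memcached or Redis.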
Expand All @@ -73,6 +73,7 @@ Memcached can be enabled with the following config:
You can add multiple memcached servers to the list.
memcached is not capable of clustering. Each piece of data is stored on a single instance.
If you want true HA, you'll need to use Redis.
For more information on Memcached connection strings, refer to the `Memcached documentation <https://docs.memcached.org/>`_.

Redis
=====
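Review bot: the added sentence capitalises "Memcached" while the unchanged line two above starts with lowercase "memcached is not capable of clustering"; pick one spelling for the paragraph. It would also help to say what the linked documentation is needed for, namely the address format accepted by the session storage setting (the compose files in this commit set it via `NUTS_STORAGE_SESSION_MEMCACHED_ADDRESS: "memcached:11211"`).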
17 changes: 11 additions & 6 deletions e2e-tests/clustering/memcached/docker-compose.yml
Expand Up @@ -11,23 +11,26 @@ services:
- "18081:8081"
environment:
NUTS_CONFIGFILE: /opt/nuts/nuts.yaml
NUTS_URL: "https://nodeA"
NUTS_DISCOVERY_SERVER_IDS: "e2e-test"
NUTS_STORAGE_SESSION_MEMCACHED_ADDRESS: "memcached:11211"
volumes:
- "./node-A/nuts.yaml:/opt/nuts/nuts.yaml:ro"
- "../shared/nuts.yaml:/opt/nuts/nuts.yaml:ro"
- "../../tls-certs/nodeA-backend-certificate.pem:/opt/nuts/certificate-and-key.pem:ro"
- "../../tls-certs/truststore.pem:/opt/nuts/truststore.pem:ro"
# did:web resolver uses the OS CA bundle, but e2e tests use a self-signed CA which can be found in truststore.pem
# So we need to mount that file to the OS CA bundle location, otherwise did:web resolving will fail due to untrusted certs.
- "../../tls-certs/truststore.pem:/etc/ssl/certs/Nuts_RootCA.pem:ro"
- "./node-A/presentationexchangemapping.json:/opt/nuts/policies/presentationexchangemapping.json:ro"
- "./shared/discovery:/nuts/discovery:ro"
- "../shared/presentationexchangemapping.json:/opt/nuts/policies/presentationexchangemapping.json:ro"
- "../shared/discovery:/nuts/discovery:ro"
healthcheck:
interval: 1s # Make test run quicker by checking health status more often
nodeA:
image: nginx:1.25.1
ports:
- "10443:443"
volumes:
- "./node-A/nginx.conf:/etc/nginx/nginx.conf:ro"
- "../shared/node-A/nginx.conf:/etc/nginx/nginx.conf:ro"
- "../../tls-certs/nodeA-certificate.pem:/etc/nginx/ssl/server.pem:ro"
- "../../tls-certs/nodeA-certificate.pem:/etc/nginx/ssl/key.pem:ro"
- "../../tls-certs/truststore.pem:/etc/nginx/ssl/truststore.pem:ro"
Expand All @@ -38,15 +41,17 @@ services:
- "28081:8081"
environment:
NUTS_CONFIGFILE: /opt/nuts/nuts.yaml
NUTS_URL: "https://nodeB"
volumes:
- "./node-B/nuts.yaml:/opt/nuts/nuts.yaml:ro"
- "../shared/nuts.yaml:/opt/nuts/nuts.yaml:ro"
- "../../tls-certs/nodeB-certificate.pem:/opt/nuts/certificate-and-key.pem:ro"
- "../../tls-certs/truststore.pem:/opt/nuts/truststore.pem:ro"
- "../../tls-certs/truststore.pem:/etc/ssl/certs/truststore.pem:ro"
# did:web resolver uses the OS CA bundle, but e2e tests use a self-signed CA which can be found in truststore.pem
# So we need to mount that file to the OS CA bundle location, otherwise did:web resolving will fail due to untrusted certs.
- "../../tls-certs/truststore.pem:/etc/ssl/certs/Nuts_RootCA.pem:ro"
- "./shared/discovery:/nuts/discovery:ro"
- "../shared/presentationexchangemapping.json:/opt/nuts/policies/presentationexchangemapping.json:ro"
- "../shared/discovery:/nuts/discovery:ro"
healthcheck:
interval: 1s # Make test run quicker by checking health status more often
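Review bot: node B now mounts `truststore.pem` into `/etc/ssl/certs` twice: the unchanged line `- "../../tls-certs/truststore.pem:/etc/ssl/certs/truststore.pem:ro"` and the added `- "../../tls-certs/truststore.pem:/etc/ssl/certs/Nuts_RootCA.pem:ro"`. Node A only has the `Nuts_RootCA.pem` mount, so drop the older one here for consistency (the duplicate is harmless but hides which mount the did:web resolver actually depends on).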
nodeB:
18 changes: 12 additions & 6 deletions e2e-tests/clustering/redis/docker-compose.yml
Expand Up @@ -45,23 +45,27 @@ services:
- "18081:8081"
environment:
NUTS_CONFIGFILE: /opt/nuts/nuts.yaml
NUTS_URL: "https://nodeA"
NUTS_DISCOVERY_SERVER_IDS: "e2e-test"
NUTS_STORAGE_SESSION_REDIS_SENTINEL_MASTER: "mymaster"
NUTS_STORAGE_SESSION_REDIS_SENTINEL_NODES: sentinelA:26379,sentinelB:26379,sentinelC:26379
volumes:
- "./node-A/nuts.yaml:/opt/nuts/nuts.yaml:ro"
- "../shared/nuts.yaml:/opt/nuts/nuts.yaml:ro"
- "../../tls-certs/nodeA-backend-certificate.pem:/opt/nuts/certificate-and-key.pem:ro"
- "../../tls-certs/truststore.pem:/opt/nuts/truststore.pem:ro"
# did:web resolver uses the OS CA bundle, but e2e tests use a self-signed CA which can be found in truststore.pem
# So we need to mount that file to the OS CA bundle location, otherwise did:web resolving will fail due to untrusted certs.
- "../../tls-certs/truststore.pem:/etc/ssl/certs/Nuts_RootCA.pem:ro"
- "./node-A/presentationexchangemapping.json:/opt/nuts/policies/presentationexchangemapping.json:ro"
- "./shared/discovery:/nuts/discovery:ro"
- "../shared/presentationexchangemapping.json:/opt/nuts/policies/presentationexchangemapping.json:ro"
- "../shared/discovery:/nuts/discovery:ro"
healthcheck:
interval: 1s # Make test run quicker by checking health status more often
nodeA:
image: nginx:1.25.1
ports:
- "10443:443"
volumes:
- "./node-A/nginx.conf:/etc/nginx/nginx.conf:ro"
- "../shared/node-A/nginx.conf:/etc/nginx/nginx.conf:ro"
- "../../tls-certs/nodeA-certificate.pem:/etc/nginx/ssl/server.pem:ro"
- "../../tls-certs/nodeA-certificate.pem:/etc/nginx/ssl/key.pem:ro"
- "../../tls-certs/truststore.pem:/etc/nginx/ssl/truststore.pem:ro"
Expand All @@ -72,15 +76,17 @@ services:
- "28081:8081"
environment:
NUTS_CONFIGFILE: /opt/nuts/nuts.yaml
NUTS_URL: "https://nodeB"
volumes:
- "./node-B/nuts.yaml:/opt/nuts/nuts.yaml:ro"
- "../shared/nuts.yaml:/opt/nuts/nuts.yaml:ro"
- "../../tls-certs/nodeB-certificate.pem:/opt/nuts/certificate-and-key.pem:ro"
- "../../tls-certs/truststore.pem:/opt/nuts/truststore.pem:ro"
- "../../tls-certs/truststore.pem:/etc/ssl/certs/truststore.pem:ro"
# did:web resolver uses the OS CA bundle, but e2e tests use a self-signed CA which can be found in truststore.pem
# So we need to mount that file to the OS CA bundle location, otherwise did:web resolving will fail due to untrusted certs.
- "../../tls-certs/truststore.pem:/etc/ssl/certs/Nuts_RootCA.pem:ro"
- "./shared/discovery:/nuts/discovery:ro"
- "../shared/presentationexchangemapping.json:/opt/nuts/policies/presentationexchangemapping.json:ro"
- "../shared/discovery:/nuts/discovery:ro"
healthcheck:
interval: 1s # Make test run quicker by checking health status more often
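Review bot: same duplicate as in the Memcached compose file: the unchanged `truststore.pem:/etc/ssl/certs/truststore.pem` mount and the added `truststore.pem:/etc/ssl/certs/Nuts_RootCA.pem` mount put the same CA file into the OS bundle twice on node B only; remove the older line so node A and node B are configured identically apart from their environment variables.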
nodeB:
71 changes: 0 additions & 71 deletions e2e-tests/clustering/redis/node-A/nginx.conf

This file was deleted.

101 changes: 0 additions & 101 deletions e2e-tests/clustering/redis/node-A/presentationexchangemapping.json

This file was deleted.

13 changes: 13 additions & 0 deletions e2e-tests/clustering/redis/sentinel/A/sentinel.conf
Expand Up @@ -12,3 +12,16 @@ sentinel resolve-hostnames yes
sentinel announce-hostnames yes

# Generated by CONFIG REWRITE

latency-tracking-info-percentiles 50 99 99.9
user default on nopass sanitize-payload ~* &* +@all
sentinel myid d2edd2fd2762267af463b772e543253e17b00ec9
sentinel config-epoch mymaster 0
sentinel leader-epoch mymaster 0
sentinel current-epoch 0

sentinel known-replica mymaster 172.16.4.7 6379

sentinel known-sentinel mymaster 172.16.4.9 26379 acdeeaa3cb7c53bf8965ba3046d1f212ef2bd342

sentinel known-sentinel mymaster 172.16.4.10 26379 bd75ae05071650f196c7ecdffb4abea1271c1e27
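Review bot: everything under `# Generated by CONFIG REWRITE` is runtime state that Sentinel writes back into its own config file (`sentinel myid`, the epochs, and the `known-replica` / `known-sentinel` entries with Docker-network addresses `172.16.4.7` to `172.16.4.10`); committing it pins the test to those addresses even though `sentinel resolve-hostnames yes` and `sentinel announce-hostnames yes` directly above indicate that hostnames were intended. Suggest dropping the generated block from all three `sentinel.conf` files, since Sentinel regenerates it on first start, or, if it must stay, making the compose network assign exactly those IPs so the committed state cannot drift from reality.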
13 changes: 13 additions & 0 deletions e2e-tests/clustering/redis/sentinel/B/sentinel.conf
Expand Up @@ -12,3 +12,16 @@ sentinel resolve-hostnames yes
sentinel announce-hostnames yes

# Generated by CONFIG REWRITE

latency-tracking-info-percentiles 50 99 99.9
user default on nopass sanitize-payload ~* &* +@all
sentinel myid acdeeaa3cb7c53bf8965ba3046d1f212ef2bd342
sentinel config-epoch mymaster 0
sentinel leader-epoch mymaster 0
sentinel current-epoch 0

sentinel known-replica mymaster 172.16.4.7 6379

sentinel known-sentinel mymaster 172.16.4.10 26379 bd75ae05071650f196c7ecdffb4abea1271c1e27

sentinel known-sentinel mymaster 172.16.4.8 26379 d2edd2fd2762267af463b772e543253e17b00ec9
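Review bot: `user default on nopass sanitize-payload ~* &* +@all` is the rewritten default ACL, which grants an unauthenticated `default` user every command on this sentinel; that is fine for the isolated e2e network this file lives in, but since sentinel.conf files tend to be copied as deployment templates, a one-line comment marking the block as test-only generated state would prevent that. The ids are at least consistent with the other two files: this node's `myid acdeeaa3…` is what A records for `172.16.4.9`, and the `known-sentinel` lines here name A (`d2edd2fd…` at `172.16.4.8`) and C (`bd75ae05…` at `172.16.4.10`).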
13 changes: 13 additions & 0 deletions e2e-tests/clustering/redis/sentinel/C/sentinel.conf
Expand Up @@ -12,3 +12,16 @@ sentinel resolve-hostnames yes
sentinel announce-hostnames yes

# Generated by CONFIG REWRITE

latency-tracking-info-percentiles 50 99 99.9
user default on nopass sanitize-payload ~* &* +@all
sentinel myid bd75ae05071650f196c7ecdffb4abea1271c1e27
sentinel config-epoch mymaster 0
sentinel leader-epoch mymaster 0
sentinel current-epoch 0

sentinel known-replica mymaster 172.16.4.7 6379

sentinel known-sentinel mymaster 172.16.4.9 26379 acdeeaa3cb7c53bf8965ba3046d1f212ef2bd342

sentinel known-sentinel mymaster 172.16.4.8 26379 d2edd2fd2762267af463b772e543253e17b00ec9
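Review bot: A, B and C now differ only in the generated `myid` and `known-sentinel` lines, so if the generated block is kept, a comment mapping each address to its service name (`sentinelA`, `sentinelB`, `sentinelC`, as listed in `NUTS_STORAGE_SESSION_REDIS_SENTINEL_NODES` in the Redis docker-compose.yml) would make the three files reviewable without cross-referencing hashes; as written, a reader has to match `bd75ae05…` here against the `172.16.4.10` entries in A and B to see that this is sentinel C.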
0 comments on commit bb6abcd