6.1.6. Directory service high availability and scalability

This section describes how to configure the number of replicas for a highly available and scalable directory service in Nubus.

Recommendation: all third-party services should connect to the OpenLDAP service through the proxy instances rather than directly to the primary instances. This protects the performance of the primaries and ensures that clients see consistent data.

A highly available, scalable directory service with OpenLDAP consists of the components described in the following sections.

See also

Identity Store and Directory Service

in Univention Nubus for Kubernetes - Architecture Manual [2] for information about the architecture of the directory service in Nubus for Kubernetes.

6.1.6.1. LDAP Primary

LDAP Primary instances of the OpenLDAP service.

The primary instances of the OpenLDAP service are the providers of the service. They replicate each other in mirror mode. At any given time exactly one of the primary instances handles directory data updates; the other one stands by, ready to take over.

New in version 1.5.0: Added a leader elector for the LDAP server, with support for two LDAP Primary servers to achieve high availability.

Nubus uses Kubernetes Leases to ensure that only one LDAP Primary is active at a time, while the second LDAP Primary stays ready to take over. The active LDAP Primary must renew its lease periodically. If it fails to do so, the lease expires, the standby LDAP Primary acquires it and becomes the active node. Failover therefore takes up to the lease duration after the last successful renewal; during that window no primary accepts writes.
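The following simulation illustrates the lease mechanism described above: two LDAP Primary candidates contend for one Lease object, the active one renews it on a fixed period, and the standby can only take over once the lease has expired. It is an added example, not the Nubus leader elector's code. The field names mirror a coordination.k8s.io/v1 Lease spec (holderIdentity, leaseDurationSeconds, acquireTime, renewTime, leaseTransitions); the pod names ldap-primary-0 and ldap-primary-1, the 15 second lease duration and the 5 second renew period are assumptions made for the example.

```python
"""Constructed simulation of Lease-based leader election between two LDAP
Primary candidates. Added example; not the Nubus leader elector's code.
Field names mirror a coordination.k8s.io/v1 Lease spec; the pod names,
the 15 s lease duration and the 5 s renew period are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Lease:
    lease_duration_seconds: int = 15
    holder_identity: Optional[str] = None
    acquire_time: Optional[float] = None
    renew_time: Optional[float] = None
    lease_transitions: int = 0

    def expired(self, now: float) -> bool:
        # A lease that nobody has renewed yet counts as expired.
        return self.renew_time is None or now > self.renew_time + self.lease_duration_seconds

    def try_acquire_or_renew(self, candidate: str, now: float) -> bool:
        """One election tick for `candidate`. The holder renews; any other
        candidate may only take over once the current lease has expired,
        which is what keeps two primaries from being active at once."""
        if self.holder_identity == candidate:
            self.renew_time = now
            return True
        if not self.expired(now):
            return False
        if self.holder_identity is not None:
            self.lease_transitions += 1  # ownership changed hands
        self.holder_identity = candidate
        self.acquire_time = self.renew_time = now
        return True


def simulate(duration: int = 15, renew_period: int = 5, fail_at: int = 30,
             end: int = 60) -> Tuple[List[Tuple[int, Optional[str]]], Lease]:
    """Run both candidates against one lease. ldap-primary-0 stops renewing
    at `fail_at` (crash or network partition). Returns the per-tick holder
    timeline and the final lease state."""
    lease = Lease(lease_duration_seconds=duration)
    candidates = ["ldap-primary-0", "ldap-primary-1"]  # assumed pod names
    timeline: List[Tuple[int, Optional[str]]] = []
    for t in range(0, end + 1, renew_period):
        for name in candidates:
            if name == "ldap-primary-0" and t >= fail_at:
                continue  # failed node: no renewals from here on
            lease.try_acquire_or_renew(name, float(t))
        timeline.append((t, lease.holder_identity))
    return timeline, lease


def failover_time(timeline: List[Tuple[int, Optional[str]]], original: str) -> Optional[int]:
    """First tick at which someone other than `original` holds the lease."""
    for t, holder in timeline:
        if holder != original:
            return t
    return None


if __name__ == "__main__":
    tl, lease = simulate()
    print("failover observed at t =", failover_time(tl, "ldap-primary-0"), "s")
    print("final holder:", lease.holder_identity, "transitions:", lease.lease_transitions)
```

With the assumed timings, ldap-primary-0 renews for the last time at t = 25 s and stops at t = 30 s; its lease is valid until t = 40 s, so ldap-primary-1 acquires it on the next tick at t = 45 s and leaseTransitions becomes 1. The gap between failure and takeover is the price of the guarantee that the two primaries are never active simultaneously, and it is why a shorter lease duration trades faster failover for more renew traffic and more sensitivity to transient API server latency.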

To set up the LDAP Primary in mirror mode for replication, apply the following preparations:

  1. Set nubusLdapServer.replicaCountPrimary to 2 in your custom_values.yaml file. The default value is 1.

  2. Continue with the instructions in Configuration.

Important

High availability doesn’t replace a backup concept: replication propagates every change to the other LDAP Primary as quickly as possible, including changes made by mistake. If data is accidentally changed, for example due to user error, only a backup can restore a clean state.

Important

The scalability of the LDAP Primary has an impact on the UDM Listener in the Provisioning Service.

For more information, see Notify about changes to directory objects.

6.1.6.2. LDAP Secondary

Secondary instances of the OpenLDAP service.

The secondary instances of the OpenLDAP service are the replicas of the service. They replicate from the primary instances. The data on the secondary instances is read-only: a secondary instance responds to a write operation with a referral to a primary instance, so a client that bypasses the proxy and writes to a secondary must follow that referral itself.

Scaling the LDAP Secondary allows the directory service to handle a large number of read requests. To configure the scalability of the LDAP Secondary, set nubusLdapServer.replicaCountSecondary to an integer value greater than the default.

6.1.6.3. LDAP Proxy

Proxy instances of the OpenLDAP service.

The proxy instances of the OpenLDAP service are the entry point for clients. They distribute read operations across the primary and secondary instances and route write operations to a primary instance.

If you scale up the LDAP Secondary for performance reasons, it’s recommended to scale up the LDAP Proxy in the same way. To configure the scalability of the LDAP Proxy, set nubusLdapServer.replicaCountProxy to an integer value greater than the default.

6.1.6.4. Configuration

To configure high availability and scalability for the OpenLDAP service, you need to provide the replica counts in the Helm Chart configuration in your custom_values.yaml values file as outlined in Listing 6.13.

Update your Nubus deployment through helm by following the steps in Apply configuration.

Listing 6.13 Scalability example for custom_values.yaml values file
nubusLdapServer:
  replicaCountPrimary: 2
  replicaCountSecondary: 2
  replicaCountProxy: 3

To configure the resources for the OpenLDAP service, you can provide them in the Helm Chart configuration by specifying the following values. Listing 6.14 shows an example. To apply the changes, you need to update your Nubus deployment through helm by following the steps in Apply configuration.

nubusLdapServer.resources

The resources for all instances of the OpenLDAP service. Use this to set the resources for all instances of the OpenLDAP service to the same values.

nubusLdapServer.resourcesPrimary

The resources for the primary instances of the OpenLDAP service.

nubusLdapServer.resourcesSecondary

The resources for the secondary instances of the OpenLDAP service.

nubusLdapServer.resourcesProxy

The resources for the proxy instances of the OpenLDAP service.

Listing 6.14 Resource configuration example for custom_values.yaml values file
nubusLdapServer:
  resourcesPrimary:
    limits:
      cpu: 4
      memory: 2048Mi
    requests:
      cpu: 100m
      memory: 512Mi
  resourcesSecondary:
    limits:
      cpu: 4
      memory: 1024Mi
    requests:
      cpu: 100m
      memory: 256Mi
  resourcesProxy:
    limits:
      cpu: 2
      memory: 1024Mi
    requests:
      cpu: 100m
      memory: 256Mi
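Helm does not reject unknown keys, so a misspelled value name under nubusLdapServer (for example replicateCountPrimary instead of replicaCountPrimary) is silently ignored and the default replica count stays in effect. The following linter, an added example and not Univention code, checks a custom_values.yaml fragment against the rules stated in this section for Listing 6.13 and Listing 6.14: only the documented keys appear under nubusLdapServer, replicaCountPrimary is 1 or 2, replicaCountProxy is not lower than replicaCountSecondary, and every resource request stays within its limit. KNOWN_KEYS contains only the keys documented on this page; the real chart accepts more, so extend the set from the chart's values.yaml before running this against a production file. The tiny YAML parser covers only the nested-mapping and scalar subset that the listings use; the sample inputs are constructed for the example.

```python
"""Lint the OpenLDAP replica and resource settings of a Nubus
custom_values.yaml fragment. Added example, not Univention code.
KNOWN_KEYS lists only the nubusLdapServer keys documented on this page;
extend it from the chart's values.yaml before use on a real file.
"""
import re
from typing import Dict, List

KNOWN_KEYS = {
    "replicaCountPrimary", "replicaCountSecondary", "replicaCountProxy",
    "resources", "resourcesPrimary", "resourcesSecondary", "resourcesProxy",
}
RESOURCE_KEYS = ("resources", "resourcesPrimary", "resourcesSecondary", "resourcesProxy")

# Kubernetes quantity suffixes -> multiplier (cpu in cores, memory in bytes).
_SUFFIX = {"m": 1e-3, "": 1, "k": 1e3, "M": 1e6, "G": 1e9, "T": 1e12,
           "Ki": 2 ** 10, "Mi": 2 ** 20, "Gi": 2 ** 30, "Ti": 2 ** 40}
_QUANTITY = re.compile(r"^(\d+(?:\.\d+)?)([A-Za-z]*)$")


def quantity(text: str) -> float:
    """Convert a Kubernetes quantity such as '100m' or '2048Mi' to a number."""
    match = _QUANTITY.match(str(text).strip())
    if not match or match.group(2) not in _SUFFIX:
        raise ValueError(f"unparseable quantity: {text!r}")
    return float(match.group(1)) * _SUFFIX[match.group(2)]


def parse_simple_yaml(text: str) -> Dict:
    """Indentation-based parser for nested mappings of scalars only
    (no lists, anchors or multi-document files)."""
    root: Dict = {}
    stack = [(-1, root)]  # (indent, mapping currently being filled)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while indent <= stack[-1][0]:
            stack.pop()  # dedent closes the deeper mappings
        parent = stack[-1][1]
        value = value.strip().strip("'\"")
        if value:
            parent[key] = value
        else:
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root


def lint(values: Dict) -> List[str]:
    """Return findings for the nubusLdapServer section (empty list = clean)."""
    ldap = values.get("nubusLdapServer", {})
    findings = []
    for key in ldap:
        if key not in KNOWN_KEYS:
            # Helm ignores unknown keys, so a typo leaves the default in effect.
            findings.append(f"unknown key nubusLdapServer.{key}; Helm will ignore it")
    primary = int(ldap.get("replicaCountPrimary", 1))  # page: default is 1
    if primary not in (1, 2):
        findings.append(f"replicaCountPrimary must be 1 or 2 (got {primary})")
    if "replicaCountSecondary" in ldap and "replicaCountProxy" in ldap:
        if int(ldap["replicaCountProxy"]) < int(ldap["replicaCountSecondary"]):
            findings.append("replicaCountProxy is below replicaCountSecondary; scale proxies with secondaries")
    for key in RESOURCE_KEYS:
        res = ldap.get(key)
        if not isinstance(res, dict):
            continue
        requests, limits = res.get("requests", {}), res.get("limits", {})
        for r in ("cpu", "memory"):
            if r in requests and r in limits and quantity(requests[r]) > quantity(limits[r]):
                findings.append(f"{key}: {r} request {requests[r]} exceeds limit {limits[r]}")
    return findings


# Constructed inputs: the misspelled keys, a clean fragment, and a broken one.
TYPO_VALUES = "nubusLdapServer:\n  replicateCountPrimary: 2\n  replicateCountSecondary: 2\n  replicateCountProxy: 3\n"
CLEAN_VALUES = ("nubusLdapServer:\n  replicaCountPrimary: 2\n  replicaCountSecondary: 2\n"
                "  replicaCountProxy: 3\n  resourcesPrimary:\n    limits:\n      cpu: 4\n"
                "      memory: 2048Mi\n    requests:\n      cpu: 100m\n      memory: 512Mi\n")
BROKEN_VALUES = ("nubusLdapServer:\n  replicaCountPrimary: 3\n  replicaCountSecondary: 4\n"
                 "  replicaCountProxy: 2\n  resourcesProxy:\n    limits:\n      cpu: 2\n"
                 "      memory: 1024Mi\n    requests:\n      cpu: 2500m\n      memory: 256Mi\n")

if __name__ == "__main__":
    for name, text in (("typo", TYPO_VALUES), ("clean", CLEAN_VALUES), ("broken", BROKEN_VALUES)):
        print(name, lint(parse_simple_yaml(text)) or "OK")
```

Run it before `helm upgrade`: the typo fragment yields three "unknown key" findings and would otherwise deploy with a single primary, the clean fragment yields none, and the broken one reports the unsupported primary count, the proxy count below the secondary count, and a CPU request above its limit (which Kubernetes would reject at admission time anyway, but later and less clearly).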

See also

Identity Store and Directory Service

in Univention Nubus for Kubernetes - Architecture Manual [2] for architectural information about the scalability of the Identity Store and Directory Service.

Leases | Kubernetes

in Kubernetes Documentation [1] for concept information of Kubernetes Leases.