logto
feature request: support high availability
What problem did you meet?
In order to use Logto at production level, supporting HA is necessary.
Describe what you'd like Logto to have
- Support HA
- Support Kubernetes
- Health Check End-Point
- Support Helm
@gao-sun I would like to help with this issue.
It seems like Logto keeps all information in the database, except the RSA keys. Is there any reason that the RSA keys are not saved in the database?
@pemassi it would be great if you can help! thanks.
the initial thought could be to avoid storing any plain text secret in the database. we know connector configs should be considered as secret too, thus we'll likely use the same key to encrypt/decrypt connector configs in the near future.
@simeng-li @wangsijie do we have any other particular reasons for not storing the key in database?
It's OK to store the keys in the database.
@gao-sun @wangsijie
I believe saving keys in the database is safe, since other projects, such as Keycloak, save them in the database.
I think saving keys in the database will make it easier to import and back up configuration (https://github.com/logto-io/logto/issues/1745), and also to support high availability.
What do you guys think about this?
@pemassi sry I forgot to reply. we had an internal discussion and found storing keys in the database is ok once it's encrypted. we're going to refactor this part once our automatic database schema migration is ready.
@gao-sun No worries! That's good news. Then I will work on creating the Helm config without thinking about sharing keys between pods.
@pemassi great! will let you know once it's ready.
don't know if it's too late, but we did some major updates and now most of the configs are stored in the database. for encryption, we decided to let the database service do the at-rest encryption, so you can consider the HA support ready to move on now.
@gao-sun it seems we can close this issue as won't do or superseded now.