Security server cluster setup

This Ansible playbook configures a security server cluster with one master and n replicas. A load balancer is also needed, but setting it up is out of scope.

The playbook has been tested in AWS EC2 using stock RHEL 7, Ubuntu 20.04 and Ubuntu 22.04 AMIs running a default X-Road security server installation. Other environments might require modifications to the playbook.

Prerequisites

All the servers in a cluster should have the same operating system (Ubuntu 20.04, Ubuntu 22.04 or RHEL 7). The setup also assumes that the servers are in the same subnet. If that is not the case, one needs to modify the primary's pg_hba.conf so that it accepts replication connections from the correct network(s).

Set up SSL keys and certificates for PostgreSQL replication connections

Create a CA certificate and store it in PEM format as ca.crt in the "ca" folder. Create a TLS key and certificate (PEM) signed by the CA for each node and store those as ca/"nodename"/server.key and ca/"nodename"/server.crt. The server keys must not have a passphrase, but one can and should use ansible-vault to protect the keys.

Note that the common name (CN) part of the certificate subject's DN must be the nodename defined in the host inventory file.

The ca directory contains two scripts that can be used to generate the keys and certificates.
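The requirements above can be checked before the playbook is run. The following is an added example, not the scripts shipped in the ca directory: the function names, RSA 2048 keys, 365-day validity and the CA subject are assumptions. Run check_node on the plain PEM key, before it is encrypted with ansible-vault.

```shell
# Added example; not the scripts shipped in the ca directory.
# Layout from the text: ca/ca.crt, ca/<nodename>/server.key, ca/<nodename>/server.crt

# Create a CA key and self-signed certificate in directory $1 (subject is a constructed value).
make_ca() {
    mkdir -p "$1" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example cluster CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Create a passphrase-less key and a CA-signed certificate for node $2 under $1/$2.
# The CN is set to the node name, which must match the name in the inventory file.
make_node() {
    mkdir -p "$1/$2" &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/$2/server.key" -out "$1/$2/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$2/server.csr" -days 365 \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -out "$1/$2/server.crt" 2>/dev/null &&
    chmod 600 "$1/$2/server.key"
}

# Check node $2 in directory $1: CA signature, CN = node name,
# key readable without a passphrase, key belongs to the certificate.
check_node() {
    crt="$1/$2/server.crt"; key="$1/$2/server.key"
    openssl verify -CAfile "$1/ca.crt" "$crt" >/dev/null 2>&1 ||
        { echo "$2: not signed by ca.crt"; return 1; }
    cn=$(openssl x509 -in "$crt" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p')
    [ "$cn" = "$2" ] || { echo "$2: CN is '$cn'"; return 1; }
    # The empty -passin makes an encrypted key fail instead of prompting.
    kpub=$(openssl pkey -in "$key" -pubout -passin pass: 2>/dev/null) ||
        { echo "$2: key unreadable or passphrase-protected"; return 1; }
    cpub=$(openssl x509 -in "$crt" -noout -pubkey)
    [ "$kpub" = "$cpub" ] || { echo "$2: key does not match certificate"; return 1; }
    echo "$2: ok"
}
```

For example, `check_node ca ss1` prints `ss1: ok` when ca/ss1 holds a valid pair for an inventory host named ss1 (a constructed node name).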

Running the playbook

Remember to back up the servers before proceeding.

ansible-playbook --ask-vault-pass -i hosts/example.txt xroad_ss_cluster.yml

If testing the setup in an LXD container:

ansible-playbook --ask-vault-pass -c lxd --become-method=su -i hosts/example.txt xroad_ss_cluster.yml

The playbook does the following operations