Currently IPA uses a cascading mechanism to establish the initial connection to CA/KRA service, but it doesn't have a load balancing capability to distribute subsequent requests, or failover capability when the service becomes unavailable, or auto-update capability when a replica is added/removed.
The cascading mechanism works by searching the LDAP database to find the most preferable server providing the CA/KRA service:
Note that this mechanism doesn't check if the server referenced in the LDAP database is actually in service. It will also cache the result so if the service becomes unavailable, subsequent requests may still be redirected to the same server indefinitely (depending on cache policy).
A possible solution is to provide some load balancing options without the cascading mechanism:
This solution will provide load-balancing and fail-over mechanism, but the admin will need to maintain the load balancer configuration manually when a replica is added/removed.
See also ticket #1252.
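The failure mode described above (the most preferable server is cached and never re-checked) next to a probe-and-fail-over selection, as an added simulation that is not FreeIPA code; the LDAP search, the hostnames and the health probe are constructed stand-ins:

```python
# Constructed simulation of the selection behaviour described above; not
# FreeIPA code. The LDAP search and the health probe are stand-ins.
from typing import Callable, Iterable, Optional

# Stand-in for the LDAP result: CA servers ordered most to least preferable.
PREFERRED_CA_SERVERS = ["ipa1.example.test", "ipa2.example.test", "ipa3.example.test"]


class CascadingLocator:
    """Current behaviour: take the most preferable server and cache it,
    without checking that it is actually in service."""

    def __init__(self, ldap_lookup: Callable[[], Iterable[str]]):
        self._ldap_lookup = ldap_lookup
        self._cached: Optional[str] = None

    def select(self) -> str:
        if self._cached is None:
            self._cached = next(iter(self._ldap_lookup()))
        return self._cached


class FailoverLocator:
    """Same preference order, but each request probes the candidate and falls
    through to the next one; nothing is cached, so recovered or newly added
    replicas are seen on the next request."""

    def __init__(self, ldap_lookup: Callable[[], Iterable[str]],
                 is_up: Callable[[str], bool]):
        self._ldap_lookup = ldap_lookup
        self._is_up = is_up

    def select(self) -> Optional[str]:
        for host in self._ldap_lookup():
            if self._is_up(host):
                return host
        return None  # no CA server in service at all


def simulate(goes_down: str):
    """Two requests through each locator; `goes_down` fails in between.
    Returns ([cascading pick 1, pick 2], [failover pick 1, pick 2])."""
    down = set()
    cascading = CascadingLocator(lambda: list(PREFERRED_CA_SERVERS))
    failover = FailoverLocator(lambda: list(PREFERRED_CA_SERVERS),
                               lambda host: host not in down)
    picks = [(cascading.select(), failover.select())]
    down.add(goes_down)
    picks.append((cascading.select(), failover.select()))
    return [p[0] for p in picks], [p[1] for p in picks]
```

After the first server goes down, the cascading locator keeps returning it while the fail-over locator moves to the next server in preference order.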
This ticket has been generalized for all IPA services. Different services might require different load balancing mechanisms. See also:
Unless this is a blocker for KRA, moving to 4.3. If it is, please shout loudly so that we can reprioritize.
Metadata Update from @edewata:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.5 backlog