Deploy the Conjur Follower

This topic describes how to deploy a Conjur Follower.


If you are setting up a Conjur-Kubernetes integration, you can deploy your Follower outside the Kubernetes cluster using the instructions in this topic, or you can deploy your Follower inside the Kubernetes cluster as described in Deploy Follower for OpenShift/Kubernetes integration.

Client requests to the Conjur cluster must occur through Followers. The Followers run independently of the Conjur cluster. They are configured behind a load balancer that coordinates communication to the cluster. Requests from Followers can continue to be serviced through a failover event because the Followers are never directly connected to any one cluster node.

You can configure Conjur to segregate secrets by replicating only a subset of the data to certain Conjur Followers. To do this, you create a replication set that specifies the secrets to replicate before you create a Follower. You then assign the Follower to a replication set during Follower seed creation. For more information, see Segregate secrets per Follower.

Load balancer

Configure a Layer 7 load balancer. This load balancer sits in front of all Followers and coordinates the communication between the Followers and the Conjur cluster.

Add the load balancer to your DNS server. You need the load balancer's DNS name to configure Followers.

Prerequisites

Before you deploy the Follower:

Configure the Conjur Follower

Conjur Followers are containers which run a Conjur Server image that is configured as a Follower.

This procedure for setting up a Follower assumes that certificate files for the Follower load balancer existed on the Leader during Conjur cluster configuration. The seed files that you generate for Followers include the Follower certificates.

  • The Conjur Server image version that runs on Followers must match the version running on the Leader or Standbys.

  • Podman is CLI-compatible with the Docker CLI. You can configure alias docker=podman for the shell that sets up the Conjur Server. This way, all the docker commands can be used when working with Podman.

    Alternatively, you can manually replace docker in each command with podman.

  1. Create and unpack a seed file:

    A seed file is an archive file, generated from the Leader, which contains all the files necessary for configuring a Follower. These seed files contain secrets, such as certificate private keys and data keys.


    The following step copies the seed file by streaming it via SSH. If you prefer to transport the file manually, see Seeding a node.

    For each Follower, run the following from your local terminal (or a terminal with access to both nodes):

    ssh -i "<path to Leader.pem file>" <user@leader-dns> "sudo docker exec <leader-container-name> evoke seed follower --replication-set <replication-set-name> <follower-dns> <load-balancer-dns>" | ssh -i "<path to Follower .pem file>" <user@follower-dns> "sudo docker exec -i <follower-container-name> evoke unpack seed -"

    For example:

    $ ssh -i "dap.pem" core@node1.production.example.com "sudo docker exec mycontainer evoke seed follower node4.production.example.com lb.production.example.com" | ssh -i "follower.pem" core@node4.production.example.com "sudo docker exec -i mycontainer evoke unpack seed -"
    If you do not specify a replication set in the evoke seed follower command, the Follower is added to the default full replication set and all secrets will be replicated to it.
  2. On each Follower, configure the Follower:

    $ docker exec <container_name> evoke configure follower
  3. Verify that the Follower reports as healthy for all metrics:

    $ curl http://<follower_dns>:444/health

    A healthy Follower returns a response in which every "ok" field, at the top level and within each nested service entry, is set to true:

    {
      ...
      "ok": true
    }
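As an added example (not part of the Conjur documentation), the following POSIX shell check applies the criterion from step 3 to /health output: it inspects every "ok" field in the document, not only the top-level one, and fails if any is false or if none is present. The two JSON documents are constructed samples that stand in for a real response; only their shape matters.

```shell
#!/bin/sh
# Added example, not Conjur's own tooling: verify that every "ok" field in a
# Follower's /health response is true.

# Constructed sample outputs standing in for `curl http://<follower_dns>:444/health`.
HEALTHY_SAMPLE='{
  "services": [
    {"name": "database", "ok": true},
    {"name": "replication", "ok": true}
  ],
  "database": {"ok": true},
  "ok": true
}'

UNHEALTHY_SAMPLE='{
  "services": [
    {"name": "database", "ok": true},
    {"name": "replication", "ok": false}
  ],
  "database": {"ok": true},
  "ok": false
}'

# all_ok JSON: prints "<total> ok fields, <failed> false" and returns 0 only
# when at least one "ok" field exists and none of them is false.
all_ok() {
    json="$1"
    # Extract every "ok": <literal> pair, tolerating whitespace around the colon.
    pairs=$(printf '%s' "$json" | grep -o '"ok"[[:space:]]*:[[:space:]]*[a-z]*' || true)
    total=$(printf '%s\n' "$pairs" | grep -c '"ok"' || true)
    bad=$(printf '%s\n' "$pairs" | grep -c 'false' || true)
    echo "$total ok fields, $bad false"
    [ "$total" -gt 0 ] && [ "$bad" -eq 0 ]
}

# check_follower FOLLOWER_DNS: fetch the live endpoint from step 3 and check it.
# With -f, a non-2xx status yields empty output, which all_ok rejects as well.
check_follower() {
    all_ok "$(curl -sf "http://$1:444/health")"
}
```

Run `check_follower node4.production.example.com` (substituting your Follower's DNS name) after `evoke configure follower` completes; a non-zero exit status means at least one service is not healthy.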

Set up your integration. For details, see Integrations.

Troubleshoot the setup

To troubleshoot the Follower setup, add the --debug flag to the evoke configure command. For more information, see Troubleshoot Conjur Enterprise configuration.