jp-gouin/helm-openldap

Read-only replicas

davidfrickert opened this issue · 5 comments

Is your feature request related to a problem? Please describe.
I would like to have an LDAP cluster that is writable on-cluster by other connected apps but not writable from operations from outside the cluster.

Describe the solution you'd like
Allow adding read-only replicas. They should be a separate StatefulSet and receive updates from the master cluster.
Then, I can create a LoadBalancer service that exposes only the read-only pods to outside network.

Describe alternatives you've considered
N/A

Additional context
In order for the replica to be read only, olcReadonly: TRUE needs to be set - https://openldap.org/doc/admin24/slapdconf2.html (5.2.5.3. olcReadonly)

I'm ok with contributing to this feature, if the proposed solution sounds reasonable. Otherwise also open to other solutions that achieve the same goal with less complexity.
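As an added example (it is not from the issue or from the chart), here are the two pieces the proposal needs, written as Kubernetes manifests: a LoadBalancer Service whose selector matches only the replica pods, and the cn=config LDIF each replica needs, namely an olcSyncrepl consumer stanza that pulls from the writable StatefulSet plus olcReadonly: TRUE on the data database. The namespace ldap, the label openldap-role: readonly-replica, the Service names, the olcDatabase={1}mdb DN, the suffix dc=example,dc=org and the bind DN are all assumptions; how the chart mounts and applies cn=config LDIF is not covered here, the ConfigMap only keeps the LDIF next to the Service for reading.

```yaml
# Added example, not part of jp-gouin/helm-openldap. Namespace, names,
# labels, database DN, suffix and bind DN are assumptions; the credentials
# value is a placeholder that belongs in a Secret, not a ConfigMap.
---
# External entry point: the selector matches ONLY pods carrying the replica
# label, so the writable pods of the primary StatefulSet are never reachable
# through this address.
apiVersion: v1
kind: Service
metadata:
  name: openldap-readonly
  namespace: ldap
spec:
  type: LoadBalancer
  selector:
    app.kubernetes.io/name: openldap
    openldap-role: readonly-replica   # set only in the replica StatefulSet's pod template
  ports:
    - name: ldap
      port: 389
      targetPort: 389
    - name: ldaps
      port: 636
      targetPort: 636
---
# cn=config changes for each replica pod: replicate from the writable
# StatefulSet via syncrepl and refuse client writes on the data database.
# starttls=critical makes the consumer abort rather than send the
# replication bind credential in clear text if the provider has no TLS.
apiVersion: v1
kind: ConfigMap
metadata:
  name: openldap-readonly-config
  namespace: ldap
data:
  readonly-replica.ldif: |
    dn: olcDatabase={1}mdb,cn=config
    changetype: modify
    add: olcSyncrepl
    olcSyncrepl: rid=001
      provider=ldap://openldap-0.openldap-headless.ldap.svc.cluster.local:389
      starttls=critical
      bindmethod=simple
      binddn="cn=admin,dc=example,dc=org"
      credentials=REPLACE_WITH_SECRET_VALUE
      searchbase="dc=example,dc=org"
      scope=sub
      type=refreshAndPersist
      retry="60 +"
    -
    replace: olcReadonly
    olcReadonly: TRUE
```

Two checks worth running once this is deployed: an ldapmodify against the LoadBalancer address should fail with "ldap_modify: Server is unwilling to perform (53)", which is what olcReadonly: TRUE produces for client modifications, while the same modify against the in-cluster writable Service should succeed and then appear on the replica within the refreshAndPersist session. Note that olcReadonly applies to that one database only, so cn=config on the replica stays writable to its rootdn, and that the read-only flag is not a substitute for the olcSyncrepl stanza: without it the replica simply never receives data. The `{1}mdb` index should be confirmed with an ldapsearch over cn=config on the image actually used before applying the LDIF.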

Hi @davidfrickert
That's an amazing idea!

I think you have the proper solution; at least I can't think of a safer/easier one.

Let me know if I can help you on this

I will be submitting a PR soon. I might need some help in reducing duplication, as I basically had to copy-paste the StatefulSet, ConfigMap, Service and headless Service.

Are read replicas a StatefulSet? I don't know that they have the same semantics a StatefulSet does, where each pod has an ID. Should we also not include the syncprov overlay on the LDAP consumers?

I haven't investigated how read replicas may have been implemented in other database systems. Maybe the mongo charts have a read-replica concept to copy.