Linux (HA)
Infisical High Availability Deployment architecture for Linux
This guide describes how to achieve a highly available deployment of Infisical on Linux machines without containerization. The architecture provided serves as a foundation for minimum high availability, which you can scale based on your specific requirements.
Architecture Overview
The deployment consists of the following key components:
Service | Nodes | Recommended Specs | GCP Instance | AWS Instance |
---|---|---|---|---|
External Load Balancer | 1 | 4 vCPU, 4 GB memory | n1-highcpu-4 | c5n.xlarge |
Internal Load Balancer | 1 | 4 vCPU, 4 GB memory | n1-highcpu-4 | c5n.xlarge |
Etcd Cluster | 3 | 4 vCPU, 4 GB memory | n1-highcpu-4 | c5n.xlarge |
PostgreSQL Cluster | 3 | 2 vCPU, 8 GB memory | n1-standard-2 | m5.large |
Redis + Sentinel | 3+3 | 2 vCPU, 8 GB memory | n1-standard-2 | m5.large |
Infisical Core | 3 | 2 vCPU, 4 GB memory | n1-highcpu-2 | c5.large |
Network Architecture
All servers operate within the 52.1.0.0/24 private network range with the following IP assignments:
Service | IP Address |
---|---|
External Load Balancer | 52.1.0.1 |
Internal Load Balancer | 52.1.0.2 |
Etcd Node 1 | 52.1.0.3 |
Etcd Node 2 | 52.1.0.4 |
Etcd Node 3 | 52.1.0.5 |
PostgreSQL Node 1 | 52.1.0.6 |
PostgreSQL Node 2 | 52.1.0.7 |
PostgreSQL Node 3 | 52.1.0.8 |
Redis Node 1 | 52.1.0.9 |
Redis Node 2 | 52.1.0.10 |
Redis Node 3 | 52.1.0.11 |
Sentinel Node 1 | 52.1.0.12 |
Sentinel Node 2 | 52.1.0.13 |
Sentinel Node 3 | 52.1.0.14 |
Infisical Core 1 | 52.1.0.15 |
Infisical Core 2 | 52.1.0.16 |
Infisical Core 3 | 52.1.0.17 |
Component Setup Guide
1. Configure Etcd Cluster
The Etcd cluster is needed for leader election in the PostgreSQL HA setup. Skip this step if using managed PostgreSQL.
- Install Etcd on each node:
- Configure each node with unique identifiers and cluster membership. Example configuration for Node 1 (/etc/etcd/etcd.conf):
2. Configure PostgreSQL
For production deployments, you have two options for highly available PostgreSQL:
Option A: Managed PostgreSQL Service (Recommended for Most Users)
Use cloud provider managed services:
- AWS: Amazon RDS for PostgreSQL with Multi-AZ
- GCP: Cloud SQL for PostgreSQL with HA configuration
- Azure: Azure Database for PostgreSQL with zone redundant HA
These services handle replication, failover, and maintenance automatically.
Option B: Self-Managed PostgreSQL Cluster
A full HA installation guide for PostgreSQL is beyond the scope of this document. However, we provide an overview of resources and code snippets below to guide your deployment.
- Required Components:
  - PostgreSQL 14+ on each node
  - Patroni for cluster management
  - Etcd for distributed consensus
- Documentation we recommend you read:
- Key Steps Overview:
- Important considerations:
  - Proper disk configuration for WAL and data directories
  - Network latency between nodes
  - Backup strategy and point-in-time recovery
  - Monitoring and alerting setup
  - Connection pooling configuration
  - Security and network access controls
- Recommended readings:
3. Configure Redis and Sentinel
Similar to PostgreSQL, a full HA Redis setup guide is beyond the scope of this document. Below are the key resources and considerations for your deployment.
Option A: Managed Redis Service (Recommended for Most Users)
Use cloud provider managed Redis services:
- AWS: ElastiCache for Redis with Multi-AZ
- GCP: Memorystore for Redis with HA
- Azure: Azure Cache for Redis with zone redundancy
Follow your cloud provider’s documentation:
Option B: Self-Managed Redis Cluster
Setting up a production Redis HA cluster requires understanding several components. Refer to these linked resources:
- Required Reading:
- Key Steps Overview:
  - Configure replica nodes (52.1.0.10, 52.1.0.11):
  - Configure Sentinel nodes (52.1.0.12, 52.1.0.13, 52.1.0.14):
- Recommended Additional Reading:
4. Configure HAProxy Load Balancer
Install and configure HAProxy for internal load balancing:
5. Deploy Infisical Core
First, add the Infisical repository:
Then install Infisical:
For production environments, we strongly recommend installing a specific version of the package to maintain consistency across reinstalls. View available versions at Infisical Package Versions.
Next, create the configuration file /etc/infisical/infisical.rb with the following:
To generate ENCRYPTION_KEY and AUTH_SECRET, see the configuration documentation here.
If you are using managed services for either Postgres or Redis, please replace the values of the secrets accordingly.
Lastly, start and verify each node running infisical-core:
Monitoring and Maintenance
- Monitor HAProxy stats: http://52.1.0.2:7000/haproxy?stats
- Monitor Infisical logs: sudo infisical-ctl tail
- Check cluster health:
  - Etcd: etcdctl cluster-health
  - PostgreSQL: patronictl list
  - Redis: redis-cli info replication
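The Redis health check above can be scripted so that it also flags any attached replica that is not one of this guide's two replica nodes. This is an added example, not part of the Infisical documentation; the check_replication name, the lag threshold and the sample output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `redis-cli info replication` output taken on the primary.
# EXPECTED_REPLICAS uses the replica IPs from this guide; MAX_LAG is an assumption.
EXPECTED_REPLICAS="52.1.0.10 52.1.0.11"
MAX_LAG=5   # seconds (assumed threshold)

# Reads INFO text on stdin, prints findings, exits 0 only when everything matches.
# The body is a subshell "( ... )" so its variables do not leak into the caller.
check_replication() (
  rc=0 role="" seen=""
  input=$(tr -d '\r')            # INFO output uses CRLF line endings
  while IFS= read -r line; do
    case "$line" in
      role:*) role=${line#role:} ;;
      slave[0-9]*:*)
        ip=$(printf '%s\n' "$line" | sed -n 's/.*ip=\([^,]*\).*/\1/p')
        state=$(printf '%s\n' "$line" | sed -n 's/.*state=\([^,]*\).*/\1/p')
        lag=$(printf '%s\n' "$line" | sed -n 's/.*lag=\([0-9]*\).*/\1/p')
        case " $EXPECTED_REPLICAS " in
          *" $ip "*) seen="$seen $ip" ;;
          *) echo "ALERT unexpected replica $ip"; rc=1 ;;
        esac
        [ "$state" = "online" ] || { echo "WARN replica $ip state=$state"; rc=1; }
        [ "${lag:-0}" -le "$MAX_LAG" ] || { echo "WARN replica $ip lag=${lag}s"; rc=1; }
        ;;
    esac
  done <<EOF
$input
EOF
  [ "$role" = "master" ] || { echo "WARN node role is '$role', expected master"; rc=1; }
  for want in $EXPECTED_REPLICAS; do
    case " $seen " in
      *" $want "*) ;;
      *) echo "WARN expected replica $want not attached"; rc=1 ;;
    esac
  done
  if [ "$rc" -eq 0 ]; then echo "OK"; fi
  exit "$rc"
)

# Constructed sample (not captured from a real deployment): one unknown replica.
SAMPLE_INFO='role:master
connected_slaves:3
slave0:ip=52.1.0.10,port=6379,state=online,offset=1000,lag=0
slave1:ip=52.1.0.11,port=6379,state=online,offset=1000,lag=1
slave2:ip=52.1.0.99,port=6379,state=online,offset=1000,lag=0'
printf '%s\n' "$SAMPLE_INFO" | check_replication || true
```

Against a live node, pipe the real output into the function, for example `redis-cli -h 52.1.0.9 info replication | check_replication`, assuming Redis Node 1 currently holds the primary role.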