SPIRE High Availability
This page provides details on the high availability (HA) options for deploying SPIRE.
Regardless of the SPIRE server flavour, the way to enable HA is to increase the number of replicas, represented by spire-server.replicaCount in the Helm chart values, beyond 1. For example, to set the number of replicas to 2:

    spire-server:
      replicaCount: 2

Cofide SPIRE Server HA
Cofide SPIRE Server has been designed with HA in mind. Currently, this requires a shared upstream Certificate Authority (CA) among servers for the same trust domain. Support for alternative CA deployment patterns (e.g., self-signed CAs) will be provided in a future release.
OSS SPIRE Server HA
OSS SPIRE Server HA is discussed in the OSS SPIRE docs. It is more demanding than Cofide SPIRE Server HA because it requires a shared, highly-available database server (datastore) to be provisioned upfront.
SPIRE agents HA
SPIRE agents are deemed highly-available (at the cluster level) out of the box. Each node runs its SPIRE agent independently, and the agent's lifecycle is strictly bound to the lifecycle of the node.
If the SPIRE agent on a particular node fails, then SPIFFE workloads cannot have new SVIDs issued and new SPIFFE workloads cannot establish trust. Existing workloads, however, have a high chance of being able to continue to operate normally because of the caching employed in SPIFFE workload implementations (normally until the SVID expires).
More details on SPIRE agent operation can be found in the SPIRE docs.
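To make the agent-failure behaviour above observable, a workload-side check can report how far a cached X.509-SVID is into its lifetime and whether an expected rotation has been missed. This is an added example, not code from Cofide or the SPIRE project; `CheckSVID`, `sampleSVID`, the `example.org` trust domain and the renewal fraction passed as `renewAt` are assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

type SVIDStatus struct {
	ID               string
	Remaining        time.Duration // time left before expiry; negative once expired
	Overdue, Expired bool          // Overdue: past the point where rotation was expected
}

// CheckSVID ages a cached SVID at now; renewAt is the lifetime fraction at which rotation is expected (assumption).
func CheckSVID(cert *x509.Certificate, now time.Time, renewAt float64) (SVIDStatus, error) {
	if len(cert.URIs) != 1 || cert.URIs[0].Scheme != "spiffe" {
		return SVIDStatus{}, fmt.Errorf("not an X.509-SVID: need exactly one spiffe:// URI SAN")
	}
	renewPoint := cert.NotBefore.Add(time.Duration(renewAt * float64(cert.NotAfter.Sub(cert.NotBefore))))
	return SVIDStatus{cert.URIs[0].String(), cert.NotAfter.Sub(now),
		now.After(renewPoint), now.After(cert.NotAfter)}, nil
}

// sampleSVID builds a constructed, self-signed stand-in for an agent-issued SVID (sample data only).
func sampleSVID(notBefore time.Time, ttl time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: notBefore, NotAfter: notBefore.Add(ttl),
		URIs: []*url.URL{{Scheme: "spiffe", Host: "example.org", Path: "/ns/demo/sa/web"}}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	start := time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC)
	if cert, err := sampleSVID(start, time.Hour); err == nil {
		fmt.Println(CheckSVID(cert, start.Add(45*time.Minute), 0.5)) // 45 minutes in, no rotation seen
	}
}
```

An `Overdue` status on a workload whose SVID has not yet expired is the early signal that the node's agent is unavailable, and `Remaining` is the time left to restore it before the workload loses its identity.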
© 2026 Cofide Limited. All rights reserved.