|
1 | 1 | # Production Deployments |
2 | 2 |
|
3 | | -TODO (bacongobbler): rewrite for v2 |
| 3 | +When readying a Workflow deployment for production workloads, there are some additional |
| 4 | +recommendations. |
| 5 | + |
| 6 | + |
| 7 | +## Running Workflow without Minio |
| 8 | + |
| 9 | +Workflow makes use of [Minio][] to provide storage for the [Registry][], [Database][], and |
| 10 | +[Logger][] components. Minio is provided out of the box as a central storage compartment, but it is |
| 11 | +not resilient to cluster outages. If Minio is shut down, all data is lost. |
| 12 | + |
| 13 | +In production, persistent storage can be achieved by running an external S3-compatible blob store. |
| 14 | +For users on AWS, the convenience of Amazon S3 and make the prospect of running a Minio-less |
| 15 | +Workflow cluster quite reasonable. |
| 16 | + |
| 17 | +Running a Workflow cluster without Minio provides several advantages: |
| 18 | + |
| 19 | + - Removal of state from the worker nodes |
| 20 | + - Reduced resource usage |
| 21 | + - Reduced complexity and operational burden of managing Workflow |
| 22 | + |
| 23 | +See [Configuring Object Storage][] for details on removing this operational complexity. |
| 24 | + |
| 25 | + |
| 26 | +## Review Security Considerations |
| 27 | + |
| 28 | +There are some additional security-related considerations when running Workflow in production, and |
| 29 | +users can consider enabling a firewall on the CoreOS hosts as well as the router component. |
| 30 | + |
| 31 | +See [Security Considerations][] for details. |
| 32 | + |
| 33 | + |
| 34 | +## Change Registration Mode |
| 35 | + |
| 36 | +Changing the registration process is highly recommended in production. By default, registrations |
| 37 | +for a new cluster are open to anyone with the proper URL. Once the admin user has registered with a |
| 38 | +new cluster, it is recommended to either turn off registrations or enable the admin-only |
| 39 | +registration feature. |
| 40 | + |
| 41 | +Please see the following documentation: [Customizing Controller][] |
| 42 | + |
| 43 | + |
| 44 | +## Enable TLS |
| 45 | + |
| 46 | +Using TLS to encrypt traffic (including Workflow client traffic, such as login credentials) is |
| 47 | +crucial. See [Platform SSL][] for the platform. |
| 48 | + |
| 49 | + |
| 50 | +[configuring object storage]: ../installing-workflow/configuring-object-storage.md |
| 51 | +[customizing controller]: ../customizing-workflow/tuning-component-settings.md#customizing-the-controller |
| 52 | +[database]: ../understanding-workflow/components.md#database |
| 53 | +[logger]: ../understanding-workflow/components.md#logger |
| 54 | +[minio]: ../understanding-workflow/components.md#minio |
| 55 | +[platform ssl]: platform-ssl.md |
| 56 | +[registry]: ../understanding-workflow/components.md#registry |
| 57 | +[security considerations]: security-considerations.md |
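Review bot: The sentence at new lines 14-15, "For users on AWS, the convenience of Amazon S3 and make the prospect of running a Minio-less Workflow cluster quite reasonable", does not parse; it looks like a leftover from an earlier draft, and something like "the convenience of Amazon S3 makes the prospect of running a Minio-less Workflow cluster quite reasonable" would fix it. Similarly, new line 47 ("See [Platform SSL][] for the platform.") trails off without saying what the linked page covers; say that it describes installing the platform certificate, or whatever the target actually documents. On the security side, "Change Registration Mode" says registrations are open by default "to anyone with the proper URL" but only links out for the fix. Since this is the one item on the page with an exposure window (between install and the admin registering), consider naming the setting and its two recommended values inline so the reader does not have to follow the link to close it. The wording in "Review Security Considerations" ("users can consider enabling a firewall") is also noticeably weaker than "highly recommended" and "crucial" elsewhere on the page; if the firewall is a production recommendation, say so in the same terms.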