- How scalable is that? The architecture page reads that the followers can be scaled horizontally. What are the criteria?
As long as you have seed-fetching configured so that Follower pods can self-initialize, you can use the built-in deployment scaling in OCP. Follower configuration and startup can take anywhere from 30 seconds to several minutes depending on the number of secrets that need to be replicated from the Leader. I’ve never set up autoscaling rules (e.g. monitoring CPU load); I’ve just used it for the ability to add more replicas via the UI (up arrow for more, down arrow for less).
- How often do the Conjur followers in Kubernetes/OpenShift refresh the secrets?
The Conjur Leader replicates any changes made to it to Followers within a few hundred milliseconds.
- a. Can application teams manage their own Conjur namespace?
Yes, we have reference policy models for exactly this.
- b. Would the readonly Postgres DB contain all secrets available in master or are the secrets in the readonly namespace restricted to secrets under a Conjur policy?
All Followers are equal by design and contain a full encrypted copy of the Leader’s contents. The goal of that is so an app can connect to any Follower to get its secrets, but only the secrets the app is allowed to access. This also allows Followers to run behind load balancers without requiring any particular affinity rules, be swapped out without regard to their contents, and other aspects that ease administration of the solution.
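As an added illustration of the two points above (a delegated namespace that an application team owns, and a Follower that holds everything but only hands out what a given app is permitted to read), here is a Conjur policy file in the style of the reference delegation model. It is example policy written for this thread, not CyberArk's reference policy or anything from the original posts; the group, branch, variable and host names are constructed.

```yaml
# Loaded into the root policy by a Conjur admin.
# Creates the "app-team-a" branch and makes the team's admin group its owner,
# so the team can load further policy under app-team-a without root rights.
# All identifiers below are constructed for this example.

- !group app-team-a-admins

- !policy
  id: app-team-a
  owner: !group app-team-a-admins
  body:
    # Secret lives at app-team-a/db/password once loaded.
    - !variable db/password

    # A layer groups the workloads that may fetch this team's secrets.
    - !layer apps

    # One application identity (e.g. a pod's host identity) in the layer.
    - !host prod-backend
    - !grant
      role: !layer apps
      member: !host prod-backend

    # Least privilege: only members of the layer may read metadata ("read")
    # and fetch the value ("execute") of this one variable. Every Follower
    # holds the full encrypted dataset, but enforces exactly this policy,
    # so prod-backend cannot retrieve secrets in other teams' branches.
    - !permit
      role: !layer apps
      privileges: [ read, execute ]
      resource: !variable db/password
```

Because the branch is owned by `app-team-a-admins`, members of that group can add further variables, hosts and permits under `app-team-a` themselves, while a host such as `prod-backend` can authenticate to any Follower behind a load balancer and receive only `app-team-a/db/password`.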