CRL regenerated on every replica in multi-instance setup

[kudiyarov]

Hello!

• Vote on this issue by adding a 👍 reaction
• If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)

Issue details

Hello!
Setting crl.enabled: true in ca.json config file turns on generating CRL data every crl.cacheDuration interval.
Running step-ca in several replicas, e.g. as k8s deployment with >=2 pods, causes CRL generation on each replica at the same time.
For instance, some log messages from pod1:

2023/04/16 15:16:35 Regenerating CRL
2023/04/16 16:36:35 Regenerating CRL
2023/04/16 17:56:35 Regenerating CRL

and from pod2:

2023/04/16 15:16:26 Regenerating CRL
2023/04/16 16:36:26 Regenerating CRL
2023/04/16 17:56:26 Regenerating CRL

Why is this needed?

Looks like step-ca does double work here. Is it possible to implement "Lock Acquire" logic here, e.g. by pasting special data to existing DB?

[dopey]

Hey @kudiyarov 👋. Thanks for opening the issue!

The CRL support in open source is not our (Smallstep's) recommended CRL implementation. Our recommended CRL support is implemented in our hosted platform (smallstep.com).

This means that while we won't be removing or deprecating CRL support in open source, we don't plan to add new features or bug fix - at least not in the short term. Our reasoning here is that we do not want to support two CRL implementations (platform and open source).

[dopey]

A workaround suggested by the team would be to change the ca.json on the non-master step-ca instances to remove the CRL configuration. This way it would only be served and regenerated by one instance.

[kudiyarov]

A workaround suggested by the team would be to change the ca.json on the non-master step-ca instances to remove the CRL configuration. This way it would only be served and regenerated by one instance.

yeah, but this is quite tricky to implement this in installations like k8s, where config is specified for whole deployment (not per pod).
Anyway, I got your point, thank You!