mirror of
https://github.com/zitadel/zitadel.git
synced 2025-01-07 22:37:40 +00:00
docs: typos in production checklist (#5155)
* docs: typos and consistent starts of checklist
* docs: typos and consistent starts of checklist
* Update docs/docs/self-hosting/manage/productionchecklist.md
  Co-authored-by: Florian Forster <florian@zitadel.com>
* Update docs/docs/self-hosting/manage/productionchecklist.md
  Co-authored-by: Florian Forster <florian@zitadel.com>
* Update docs/docs/self-hosting/manage/productionchecklist.md
  Co-authored-by: Florian Forster <florian@zitadel.com>
* Update docs/docs/self-hosting/manage/productionchecklist.md
  Co-authored-by: Florian Forster <florian@zitadel.com>
* Update docs/docs/self-hosting/manage/productionchecklist.md
  Co-authored-by: Florian Forster <florian@zitadel.com>
* Update docs/docs/self-hosting/manage/productionchecklist.md
  Co-authored-by: Florian Forster <florian@zitadel.com>
* Update docs/docs/self-hosting/manage/productionchecklist.md
  Co-authored-by: Florian Forster <florian@zitadel.com>
* Update docs/docs/self-hosting/manage/productionchecklist.md
  Co-authored-by: Florian Forster <florian@zitadel.com>
* Update docs/docs/self-hosting/manage/productionchecklist.md
  Co-authored-by: Florian Forster <florian@zitadel.com>
* Update docs/docs/self-hosting/manage/productionchecklist.md
  Co-authored-by: Florian Forster <florian@zitadel.com>
* Update docs/docs/self-hosting/manage/productionchecklist.md
  Co-authored-by: Florian Forster <florian@zitadel.com>
* Update docs/docs/self-hosting/manage/productionchecklist.md
  Co-authored-by: Florian Forster <florian@zitadel.com>
* Update docs/docs/self-hosting/manage/productionchecklist.md
  Co-authored-by: Florian Forster <florian@zitadel.com>
* Update docs/docs/self-hosting/manage/productionchecklist.md
  Co-authored-by: Florian Forster <florian@zitadel.com>
---------
Co-authored-by: Florian Forster <florian@zitadel.com>
parent 9b2bf3c2de
commit 4486bf8529
@ -7,20 +7,19 @@ To apply best practices to your production setup we created a step by step check

### Infrastructure Configuration

- [ ] make use of configmanagement such as Terraform to provision all of the below
- [ ] use version control to store the provisioning
- [ ] use a secrets manager to save your sensible informations
- [ ] reduce the manual interaction with your platform to an absolute minimum
- [ ] Make use of configuration management tools such as Terraform to provision all of the below
- [ ] Use a secrets manager to store your confidential information
- [ ] Reduce the manual interaction with your platform to an absolute minimum
#### HA Setup
- [ ] High Availability for ZITADEL containers
- [ ] use container orchestrator such as Kubernetes or
- [ ] use serverless architecture such as Knative or a hyperscaler equivalent (e.g. CloudRun from Google)
- [ ] separate `zitadel init` and `zitadel setup` for fast startup times when [scaling](/docs/self-hosting/manage/updating_scaling) ZITADEL
- [ ] Use a container orchestrator such as Kubernetes
- [ ] Use serverless platform such as Knative or a hyperscaler equivalent (e.g. CloudRun from Google)
- [ ] Split `zitadel init` and `zitadel setup` for fast start-up times when [scaling](/docs/self-hosting/manage/updating_scaling) ZITADEL
- [ ] High Availability for database
- [ ] follow the [Production Checklist](https://www.cockroachlabs.com/docs/stable/recommended-production-settings.html) for CockroachDB if you selfhost the database or use [CockroachDB cloud](https://www.cockroachlabs.com/docs/cockroachcloud/create-an-account.html)
- [ ] configure backups on a regular basis for the Database
- [ ] test a restore scenario before going live
- [ ] secure database connections from outside your network and/or use an internal subnet for database connectivity
- [ ] Follow the [Production Checklist](https://www.cockroachlabs.com/docs/stable/recommended-production-settings.html) for CockroachDB if you selfhost the database or use [CockroachDB cloud](https://www.cockroachlabs.com/docs/cockroachcloud/create-an-account.html)
- [ ] Configure backups on a regular basis for the database
- [ ] Test the restore scenarios before going live
- [ ] Secure database connections from outside your network and/or use an internal subnet for database connectivity
- [ ] High Availability for critical infrastructure components (depending on your setup)
- [ ] Loadbalancer
- [ ] [Reverse Proxies](https://zitadel.com/docs/self-hosting/manage/reverseproxy/reverse_proxy)
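Review bot: the removed item `- [ ] use version control to store the provisioning` has no counterpart in the new list under `### Infrastructure Configuration`, so this hunk silently drops a checklist item while the commit message only promises typo fixes and consistent capitalization; either keep it in the new form (`- [ ] Use version control to store the provisioning code`) or mention the removal in the commit message. Two leftovers in the same hunk: `selfhost` in the CockroachDB line should be `self-host`, and `Use serverless platform` is missing its article (`Use a serverless platform`).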
@ -28,33 +27,33 @@ To apply best practices to your production setup we created a step by step check

#### Networking
- [ ] Use a Layer 7 Web Application Firewall to secure ZITADEL that supports **[HTTP/2](/docs/self-hosting/manage/http2)**
- [ ] secure the access by IP if needed
- [ ] secure the access by rate limits for specific endpoints (e.g. API vs frontend) to secure availability on high load. See the [ZITADEL Cloud rate limits](https://zitadel.com/docs/apis/ratelimits) for reference.
- [ ] doublecheck your firewall for IPv6 connectivity and change accordingly
- [ ] Limit the access by IP addresses if needed
- [ ] Secure the access by rate limits for specific endpoints (e.g. API vs frontend) to secure availability on high load. See the [ZITADEL Cloud rate limits](https://zitadel.com/docs/apis/ratelimits) for reference.
- [ ] Check that your firewall also filters IPv6 traffic```

### ZITADEL configuration
- [ ] configure a valid [SMTP Server](/docs/guides/manage/console/instance-settings#smtp) and test emails
- [ ] Configure a valid [SMTP Server](/docs/guides/manage/console/instance-settings#smtp) and test the email delivery
- [ ] Add [Custom Branding](/docs/guides/manage/customize/branding) if required
- [ ] configure a valid [SMS Service](/docs/guides/manage/console/instance-settings#sms) such as Twilio if needed
- [ ] configure your privacy policy, terms of service and a help Link if needed
- [ ] secure your [masterkey](https://zitadel.com/docs/self-hosting/manage/configure)
- [ ] declare and apply zitadel configuration using the zitadel terraform [provider](https://github.com/zitadel/terraform-provider-zitadel)
- [ ] Configure a valid [SMS Service](/docs/guides/manage/console/instance-settings#sms) such as Twilio if needed
- [ ] Configure your privacy policy, terms of service and a help Link if needed
- [ ] Keep your [masterkey](https://zitadel.com/docs/self-hosting/manage/configure) in a secure storage
- [ ] Declare and apply zitadel configuration using the zitadel terraform [provider](https://github.com/zitadel/terraform-provider-zitadel)

### Security
- [ ] use a FQDN and a trusted valid certificate for external [TLS](/docs/self-hosting/manage/tls_modes#http2) connections
- [ ] make use of different service accounts to secure ZITADEL within your hyperscaler or Kubernetes
- [ ] make use of a CDN service if needed to ease maintainability and firewall/DNS/WAF configuration
- [ ] make use of a [security scanner](https://owasp.org/www-community/Vulnerability_Scanning_Tools) to test your application and cluster
- [ ] Use a FQDN and a trusted valid certificate for external [TLS](/docs/self-hosting/manage/tls_modes#http2) connections
- [ ] Create service accounts for applications that interact with ZITADEL's APIs
- [ ] Make use of a CDN service to decrease the load for static assets served by ZITADEL
- [ ] Make use of a [security scanner](https://owasp.org/www-community/Vulnerability_Scanning_Tools) to test your application and deployment environment

### Monitoring
Use an appropriate monitoring solution to have an overview about your ZITADEL instance. In particular you may want to watch out for things like:

- [ ] CPU and memory of ZITADEL and the database
- [ ] open database connections
- [ ] running instances of ZITADEL and the database
- [ ] latency of requests
- [ ] requests per second
- [ ] requests by URL/endpoint
- [ ] lifetime of TLS certificates
- [ ] Open database connections
- [ ] Running instances of ZITADEL and the database
- [ ] Latency of requests
- [ ] Requests per second
- [ ] Requests by URL/endpoint
- [ ] Lifetime of TLS certificates
- [ ] ZITADEL and database logs
- [ ] ZITADEL [metrics](/docs/apis/observability/metrics)

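Review bot: the three backtick characters at the end of the new line `Check that your firewall also filters IPv6 traffic` open a code fence with no closing fence, so everything from `### ZITADEL configuration` onward will render as a code block; drop them. Smaller points in the same hunk: `Use a FQDN` should be `Use an FQDN`; `help Link` should be `help link`; `zitadel terraform [provider]` should use the `ZITADEL` spelling used everywhere else on the page; `in a secure storage` reads better as `in secure storage`; and the service-account item now says `Create service accounts for applications that interact with ZITADEL's APIs` where it previously recommended separate service accounts to isolate ZITADEL within the hyperscaler or Kubernetes, which changes the advice rather than its wording and should be called out in the commit message rather than shipped as a typo fix.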