Fix: Configure registry notifications only on primary sites in Geo

Michael Kozonorequested to merge
duo-edit-20251212-023439 into master

Problem

Secondary sites in a Geo deployment were incorrectly configured to send registry notifications to the primary site, resulting in 401 Unauthorized errors.

Solution

Modified the global.geo.registry.syncNotifier template to only configure the registry notifier on primary sites with registry replication enabled, not on secondary sites.

Changes:

  1. Code fix (templates/_registry.tpl): Updated the condition to check:

    • Geo is enabled AND
    • The site is NOT a secondary site AND
    • Registry replication is enabled

    This ensures:

    • Only primary sites with replication enabled have the geo_event endpoint configured
    • Secondary sites will have empty endpoints (no notifications), preventing unwanted notification attempts
    • The notification secret is only required when actually needed

  2. Documentation update (doc/charts/registry/_index.md): Clarified the Geo registry replication configuration

    • Clarified that the primary site configuration needs the notification secret as well

Related Issues

Closes #5948

Edited by Michael Kozono

Merge request reports