Using Performance Replication to Handle Client Requests and Configure Snapshots in Vault
Vault's Performance Secondary clusters are designed to independently handle client requests while sharing essential configurations with their Performance Primary counterparts. These secondary clusters maintain their own tokens and leases but rely on the shared configuration, policies, and supporting secrets—such as key/value (K/V) data, encryption keys for transit, and more.
Performance Replication Overview
Performance Replication enables the secondary cluster to mirror the back-end configurations of the Performance Primary cluster. This includes authentication methods, secrets engines, and audit devices. However, the secondary cluster retains the flexibility to configure and manage its own auto-snapshot settings independently of the primary.
Since Performance Secondaries manage their own tokens and leases, having a separate auto-snapshot configuration is highly beneficial. This ensures that backups of the secondary cluster are well-maintained. While these snapshots capture local tokens and leases, the underlying shared configurations, policies, and supporting secrets remain consistent with the primary cluster.
Setting Up Raft Auto-Snapshot Configuration for the Secondary Cluster
To enable auto-snapshots for the Performance Secondary cluster, follow these steps:
-
Log in with the Secondary Cluster’s Root Token
Use the root token of the secondary cluster to access and configure the system. -
Unsealing and Root Token Requirements
After activating the secondary cluster, you'll need to use the unseal or recovery keys from the primary cluster for specific operations, such as generating a new root token. If you’re unsure how to generate a root token using unseal keys, refer to the official Vault documentation. -
Configure Raft Auto Snapshots
Once logged in, you can proceed to create the auto-snapshot configuration for the secondary cluster. The configuration captures backups at regular intervals and ensures adequate retention and storage management.
Example: Creating a Raft Auto-Snapshot Configuration
Here’s a sample command to configure auto-snapshots for the secondary cluster:
-
Parameters Explained:
-
storage_type=local
: Specifies that snapshots will be stored locally. -
file_prefix=secondary
: Sets the file naming prefix for snapshots. -
interval=10m
: Captures snapshots every 10 minutes. -
retain=7
: Retains up to seven snapshots. -
local_max_space=1000000
: Allocates a maximum storage limit for snapshots. -
path_prefix=/path/to/snapshot
: Defines the directory where snapshots are stored.
-
Important Notes
- Access Keys from the Primary Cluster: When operating a Performance Secondary, you may occasionally need unseal or recovery keys from the primary to perform critical actions like generating root tokens.
- Backup Procedures: In addition to auto-snapshot configurations, standard Vault backup procedures can be used to ensure a comprehensive disaster recovery plan.
For more detailed steps and additional backup methods, refer to the Vault documentation. Once configured, your secondary cluster will maintain its independent snapshot backups while seamlessly synchronizing core configurations with the primary cluster.
References:
- https://developer.hashicorp.com/vault/docs/commands/operator/generate-root
- https://developer.hashicorp.com/vault/tutorials/standard-procedures/sop-backup