Vault allows a performance secondary cluster to handle client requests. The secondary keeps track of its own tokens and leases but shares the underlying configuration, policies, and supporting secrets (K/V values, encryption keys for transit, etc.).
Performance Replication mirrors the configuration of its Performance Primary cluster's backends (i.e., auth methods, secrets engines, audit devices, etc.). However, a performance secondary is able to keep its own separate auto-snapshot configuration. Since performance secondaries keep track of their own tokens and leases, it can be beneficial for a secondary to have its own snapshots for backing up Vault. The shared configuration, policies, and supporting secrets stored in the snapshot remain the same as on its primary.
- Log in on the secondary with the performance secondary's root token to set up the raft auto snapshot config.
Quick note: After the secondary is activated, it will need to use the unseal or recovery keys from the Primary to generate a new root token or perform other commands that require unseal or recovery keys. Please refer to this tutorial on how to generate a root token using the unseal key.
- Then the operator can go ahead and create a new raft auto snapshot config. Other standard Vault backup procedures can be found here.
❯ vault write sys/storage/raft/snapshot-auto/config/secondarysnap \
storage_type=local \
file_prefix=secondary \
interval=10m \
retain=7 \
local_max_space=1000000 \
path_prefix=/Users/owen/vault_pr/vault_B/snapshot
Success! Data written to: sys/storage/raft/snapshot-auto/config/secondarysnap
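Once the config is written, an operator can confirm that snapshots are actually landing in `path_prefix` and staying within the configured limits. The script below is an added example, not part of the original article or of Vault itself. It assumes snapshot file names start with `file_prefix`; the function name `check_snapshots`, the two-interval freshness slack and the world-readable check are choices made for this example.

```shell
#!/bin/sh
# Added example (not from the original article): health check for a local
# raft auto-snapshot directory. Assumption: snapshot file names start with
# the configured file_prefix.

# check_snapshots DIR PREFIX INTERVAL_MIN RETAIN MAX_BYTES
# Prints findings; returns 0 when every check passes, 1 otherwise.
check_snapshots() {
    dir=$1; prefix=$2; interval_min=$3; retain=$4; max_bytes=$5
    rc=0
    [ -d "$dir" ] || { echo "FAIL: $dir is not a directory"; return 1; }

    # Count matching files and sum their sizes in bytes.
    count=0; total=0
    for f in "$dir"/"$prefix"*; do
        [ -f "$f" ] || continue
        count=$((count + 1))
        total=$((total + $(wc -c < "$f")))
    done
    [ "$count" -gt 0 ] || { echo "FAIL: no ${prefix}* snapshots in $dir"; rc=1; }

    # More files than retain suggests old snapshots are not being pruned.
    [ "$count" -le "$retain" ] || { echo "FAIL: $count files, retain=$retain"; rc=1; }

    # Treat local_max_space as a byte budget for all files with this prefix.
    [ "$total" -lt "$max_bytes" ] || { echo "FAIL: $total bytes used, budget $max_bytes"; rc=1; }

    # Freshness: a file written within two intervals (the slack is a choice made here).
    fresh=$(( $(find "$dir" -type f -name "${prefix}*" -mmin "-$((interval_min * 2))" | wc -l) ))
    [ "$fresh" -gt 0 ] || { echo "FAIL: no snapshot newer than $((interval_min * 2)) minutes"; rc=1; }

    # Snapshots hold a copy of Vault's storage; flag world-readable files.
    open=$(( $(find "$dir" -type f -name "${prefix}*" -perm -004 | wc -l) ))
    [ "$open" -eq 0 ] || { echo "FAIL: $open snapshot file(s) are world-readable"; rc=1; }

    [ "$rc" -eq 0 ] && echo "OK: $count snapshot(s), $total bytes"
    return "$rc"
}

# Values from the config above: file_prefix=secondary, interval=10m, retain=7,
# local_max_space=1000000. Pass the path_prefix directory as the only argument.
if [ "$#" -eq 1 ]; then
    check_snapshots "$1" secondary 10 7 1000000
fi
```

Run it with the `path_prefix` directory as its single argument, for example from cron on the secondary, and alert on a non-zero exit status.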