Performance Secondary Raft Auto-snapshot

Avatar
Owen Zhang
  • Updated

Using Performance Replication to Handle Client Requests and Configure Snapshots in Vault

Vault's Performance Secondary clusters are designed to independently handle client requests while sharing essential configurations with their Performance Primary counterparts. These secondary clusters maintain their own tokens and leases but rely on the shared configuration, policies, and supporting secrets—such as key/value (K/V) data, encryption keys for transit, and more.

 

Performance Replication Overview

Performance Replication enables the secondary cluster to mirror the back-end configurations of the Performance Primary cluster. This includes authentication methods, secrets engines, and audit devices. However, the secondary cluster retains the flexibility to configure and manage its own auto-snapshot settings independently of the primary.

Since Performance Secondaries manage their own tokens and leases, having a separate auto-snapshot configuration is highly beneficial. This ensures that backups of the secondary cluster are well-maintained. While these snapshots capture local tokens and leases, the underlying shared configurations, policies, and supporting secrets remain consistent with the primary cluster.

 

Setting Up Raft Auto-Snapshot Configuration for the Secondary Cluster

To enable auto-snapshots for the Performance Secondary cluster, follow these steps:

  1. Log in with the Secondary Cluster’s Root Token
    Use the root token of the secondary cluster to access and configure the system.

  2. Unsealing and Root Token Requirements
    After activating the secondary cluster, you'll need to use the unseal or recovery keys from the primary cluster for specific operations, such as generating a new root token. If you’re unsure how to generate a root token using unseal keys, refer to the official Vault documentation.

  3. Configure Raft Auto Snapshots
    Once logged in, you can proceed to create the auto-snapshot configuration for the secondary cluster. The configuration captures backups at regular intervals and ensures adequate retention and storage management.

Example: Creating a Raft Auto-Snapshot Configuration

Here’s a sample command to configure auto-snapshots for the secondary cluster:

vault write sys/storage/raft/snapshot-auto/config/secondarysnap \ storage_type=local \ file_prefix=secondary \ interval=10m \ retain=7 \ local_max_space=1000000 \ path_prefix=/Users/owen/vault_pr/vault_B/snapshot
  • Parameters Explained:
    • storage_type=local: Specifies that snapshots will be stored locally.
    • file_prefix=secondary: Sets the file naming prefix for snapshots.
    • interval=10m: Captures snapshots every 10 minutes.
    • retain=7: Retains up to seven snapshots.
    • local_max_space=1000000: Allocates a maximum storage limit for snapshots.
    • path_prefix=/path/to/snapshot: Defines the directory where snapshots are stored.

Important Notes

  • Access Keys from the Primary Cluster: When operating a Performance Secondary, you may occasionally need unseal or recovery keys from the primary to perform critical actions like generating root tokens.
  • Backup Procedures: In addition to auto-snapshot configurations, standard Vault backup procedures can be used to ensure a comprehensive disaster recovery plan.

For more detailed steps and additional backup methods, refer to the Vault documentation. Once configured, your secondary cluster will maintain its independent snapshot backups while seamlessly synchronizing core configurations with the primary cluster.

References:

 

 

Articles in this section

See more

Related articles