Difficulty: beginner
Estimated Time: 10 minutes

This hands-on exercise will walk you through the basic administrative operations for integrated storage. You are going to deploy an HA Vault cluster using integrated storage.


Additional resources on Vault's Integrated Storage

Integrated Storage

Step 1 of 5

Scenario Introduction


Wait until the initial setup completes before starting.

In this tutorial, you are going to create a highly available (HA) Vault cluster using the integrated storage backend as its persistent storage.

For the purpose of demonstration, you are going to run three Vault server instances, each listening on a different port: node1 listens on port 8200, node2 on port 2200 and node3 on port 3200.


Start Vault Server 1 (node1)

First review the server configuration file, config-node1.hcl.

storage "raft" {
  path    = "/home/scrapbook/tutorial/raft-node1/"
  node_id = "node1"
}

listener "tcp" {
  address = "127.0.0.1:8200"
  cluster_address = "127.0.0.1:8201"
  tls_disable = true
}

disable_mlock = true
api_addr = "http://127.0.0.1:8200"
cluster_addr = "http://127.0.0.1:8201"

The storage stanza is set to raft, which is the integrated storage backend. The path specifies the filesystem path where the data is stored, and node_id sets the identifier for this node in the cluster. In this case, the node ID is node1.
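The addresses in this file have to agree with each other: api_addr is what other cluster members use to forward client requests to this node, and cluster_addr is the Raft endpoint, so a typo in either one silently breaks HA. The following script is an added example, not part of the tutorial, that embeds the config-node1.hcl shown above as a string and checks that api_addr and cluster_addr line up with the listener; BAD_HCL is a constructed broken variant (api_addr on port 8300) used to show a failing check, and the simple sed-based hcl_value helper assumes flat key = value lines like the ones in this file:

```shell
#!/bin/sh
# Added example (not part of the tutorial): sanity-check a node's HCL before
# starting it. NODE1_HCL is the tutorial's config-node1.hcl, embedded as a
# string so the script runs without reading the filesystem.
NODE1_HCL='storage "raft" {
  path    = "/home/scrapbook/tutorial/raft-node1/"
  node_id = "node1"
}

listener "tcp" {
  address = "127.0.0.1:8200"
  cluster_address = "127.0.0.1:8201"
  tls_disable = true
}

disable_mlock = true
api_addr = "http://127.0.0.1:8200"
cluster_addr = "http://127.0.0.1:8201"'

# Constructed broken variant: api_addr advertises a port nobody listens on.
BAD_HCL=$(printf '%s\n' "$NODE1_HCL" | sed 's#api_addr = "http://127.0.0.1:8200"#api_addr = "http://127.0.0.1:8300"#')

# hcl_value TEXT KEY: value of the first "KEY = value" line, with surrounding
# double quotes stripped (assumes flat key/value lines, as in this file).
hcl_value() {
  printf '%s\n' "$1" | sed -n 's/^[[:space:]]*'"$2"'[[:space:]]*=[[:space:]]*"\{0,1\}\([^"]*\)"\{0,1\}.*$/\1/p' | head -n 1
}

# check_node_config TEXT: return 0 when the advertised addresses agree with
# the listener, 1 (with a reason on stdout) when they do not.
check_node_config() {
  cfg=$1; problems=0
  listen=$(hcl_value "$cfg" address)
  cluster=$(hcl_value "$cfg" cluster_address)
  api=$(hcl_value "$cfg" api_addr)
  capi=$(hcl_value "$cfg" cluster_addr)
  tls=$(hcl_value "$cfg" tls_disable)
  node=$(hcl_value "$cfg" node_id)

  [ -n "$node" ] || { echo "node_id is missing"; problems=1; }

  # api_addr is used by other nodes to forward client requests here: its
  # scheme must match the listener's TLS setting and its host:port the listener.
  if [ "$tls" = true ]; then scheme=http; else scheme=https; fi
  [ "$api" = "$scheme://$listen" ] || { echo "api_addr '$api' should be '$scheme://$listen'"; problems=1; }

  # cluster_addr is the Raft endpoint; only host:port matters, because Vault
  # always speaks TLS on the cluster port whatever scheme is written here.
  [ "${capi#*://}" = "$cluster" ] || { echo "cluster_addr '$capi' should point at cluster_address '$cluster'"; problems=1; }

  return $problems
}

check_node_config "$NODE1_HCL" && echo "node1 config: OK"
check_node_config "$BAD_HCL" || echo "bad config: rejected"
```

Running the same check over the config-node2.hcl and config-node3.hcl files for ports 2200 and 3200 catches the most common copy-paste mistake when cloning node1's file: changing the listener ports but leaving api_addr or cluster_addr pointing at 8200/8201.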

Enter the following command to start the node1 Vault server.

mkdir raft-node1
vault server -config=config-node1.hcl

Scroll up the Terminal to locate the following output:

==> Vault server configuration:

             Api Address: http://127.0.0.1:8200
                     Cgo: disabled
         Cluster Address: https://127.0.0.1:8201
              Listener 1: tcp (addr: "127.0.0.1:8200", cluster address: "127.0.0.1:8201", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")
               Log Level: info
                   Mlock: supported: true, enabled: false
           Recovery Mode: false
                 Storage: raft (HA available)
                 Version: Vault v1.4.2

==> Vault server started! Log data will stream in below:

Now, you need to initialize and unseal the Vault server (node1).


Initialize and Unseal node1

Click the + next to the opened Terminal, and select Open New Terminal.

In the Terminal 2, set the VAULT_ADDR environment variable:

export VAULT_ADDR='http://127.0.0.1:8200'

Now, execute the vault operator init command to initialize the node1:

vault operator init -key-shares=1 -key-threshold=1 > key.txt

NOTE: For simplicity, this sets both the number of unseal key shares and the key threshold to 1, and stores the generated unseal key and initial root token in a local file named key.txt.

Execute the vault operator unseal command to unseal node1:

vault operator unseal $(grep 'Key 1:' key.txt | awk '{print $NF}')
Key                    Value
---                    -----
Seal Type              shamir
Initialized            true
Sealed                 false
Total Shares           1
Threshold              1
...

Return to the first Terminal and examine the server log.

Notice that right after node1 is unsealed, it first enters standby mode.

...
[INFO]  core: vault is unsealed
[INFO]  storage.raft: entering follower state: follower="Node at 127.0.0.1:8201 [Follower]" leader=
[INFO]  core: entering standby mode
[WARN]  storage.raft: heartbeat timeout reached, starting election: last-leader=
...

Since node1 is currently the only cluster member, it gets elected to be the leader.

...
[INFO]  storage.raft: entering candidate state: node="Node at 127.0.0.1:8201 [Candidate]" term=2
[INFO]  storage.raft: election won: tally=1
[INFO]  storage.raft: entering leader state: leader="Node at 127.0.0.1:8201 [Leader]"
[INFO]  core: acquired lock, enabling active operation
[INFO]  core: post-unseal setup starting
...

Now, node1 is ready!


Log into Vault using the initial root token (key.txt):

vault login $(grep 'Initial Root Token:' key.txt | awk '{print $NF}')

Execute the following command to view the node1's Raft cluster configuration.

vault operator raft list-peers
Node     Address           State     Voter
----     -------           -----     -----
node1    127.0.0.1:8201    leader    true

At this point, node1 is the only cluster member; therefore, it becomes the leader by default.
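The init, unseal and login commands above all rely on the same grep/awk idiom to pull fields out of the text Vault prints, and the list-peers output is what tells you how many voters the cluster has and therefore how many nodes it can lose. The script below is an added example, not part of the tutorial, that wraps that parsing in functions and adds a Raft majority calculation; INIT_OUTPUT uses placeholder key and token values, PEERS_ONE is the single-node peer list shown above, and PEERS_THREE is a constructed three-node list that assumes node2 and node3 use cluster ports 2201 and 3201:

```shell
#!/bin/sh
# Added example (not part of the tutorial): the text parsing behind the
# tutorial's init/unseal/login commands, plus a quorum check on the peer list.
# All inputs below are constructed samples with placeholder values.

INIT_OUTPUT='Unseal Key 1: PLACEHOLDER_UNSEAL_KEY_BASE64=
Initial Root Token: s.PLACEHOLDER_ROOT_TOKEN

Vault initialized with 1 key shares and a key threshold of 1. Please securely
distribute the key shares printed above.'

PEERS_ONE='Node     Address           State     Voter
----     -------           -----     -----
node1    127.0.0.1:8201    leader    true'

# Constructed: assumes node2/node3 cluster ports 2201/3201 (listener port + 1).
PEERS_THREE='Node     Address           State       Voter
----     -------           -----       -----
node1    127.0.0.1:8201    leader      true
node2    127.0.0.1:2201    follower    true
node3    127.0.0.1:3201    follower    true'

# unseal_key INIT_TEXT N: the N-th unseal key (same grep/awk idiom the
# tutorial applies to key.txt).
unseal_key() { printf '%s\n' "$1" | grep "Unseal Key $2:" | awk '{print $NF}'; }

# root_token INIT_TEXT: the initial root token.
root_token() { printf '%s\n' "$1" | grep 'Initial Root Token:' | awk '{print $NF}'; }

# raft_leader PEERS_TEXT: name of the node in the leader state (empty if none).
raft_leader() { printf '%s\n' "$1" | awk 'NR > 2 && $3 == "leader" {print $1}'; }

# voter_count PEERS_TEXT: number of voting members (skips the two header lines).
voter_count() { printf '%s\n' "$1" | awk 'NR > 2 && $4 == "true" {n++} END {print n + 0}'; }

# raft_quorum N: votes needed for a majority of N voters.
raft_quorum() { echo $(( $1 / 2 + 1 )); }

# tolerated_failures N: voters that can be lost while a majority survives.
tolerated_failures() { echo $(( $1 - ($1 / 2 + 1) )); }

# cluster_report PEERS_TEXT: one-line summary of leader, voters and headroom.
cluster_report() {
  n=$(voter_count "$1")
  echo "leader=$(raft_leader "$1") voters=$n quorum=$(raft_quorum "$n") tolerated_failures=$(tolerated_failures "$n")"
}

echo "unseal key: $(unseal_key "$INIT_OUTPUT" 1)"
echo "root token: $(root_token "$INIT_OUTPUT")"
cluster_report "$PEERS_ONE"     # leader=node1 voters=1 quorum=1 tolerated_failures=0
cluster_report "$PEERS_THREE"   # leader=node1 voters=3 quorum=2 tolerated_failures=1
```

The report for PEERS_ONE makes the point of this step explicit: with a single voter the quorum is 1 and node1 wins the election by default, but the cluster tolerates zero failures until node2 and node3 have joined as voters.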
