Difficulty: beginner
Estimated Time: 10 minutes


In most common scenarios, you configure the Vault server to use a storage backend that supports high availability (HA); the storage backend then stores the Vault data while also maintaining the HA coordination. However, not all storage backends support HA (e.g. Amazon S3, Cassandra, MSSQL). In some cases, you may need to use a storage backend that does not have HA support, which means that you can only have a single-node Vault deployment instead of an HA cluster.

When you need to use a storage backend that does not support HA, the ha_storage stanza can be specified alongside the storage stanza in the Vault server configuration to handle the HA coordination. By doing so, you can add additional Vault nodes for fault tolerance.

NOTE: To use Vault integrated storage as the ha_storage, you must run Vault 1.5 or later.

Raft HA Storage

Step 1 of 4

Set up a single-node Vault environment


Wait until the initial setup completes before starting.


You have a Vault server that uses the filesystem as its storage backend. Since the file storage backend does not support HA, this is a single-node deployment.

Scenario

Start Vault Server 1 (node1)


First review the server configuration file, config-node1.hcl.

The storage stanza is set to use file.

Enter the following command to start the node1 Vault server.

mkdir vault-storage-file
vault server -config=config-node1.hcl

Click the + next to the opened Terminal, and select Open New Terminal.

In Terminal 2, set the VAULT_ADDR environment variable to point to http://127.0.0.1:8210.

export VAULT_ADDR="http://127.0.0.1:8210"

The server status shows that HA Enabled is false, since the file storage backend does not support HA.

vault status

Stop the Vault server.

ps aux | grep "vault server" | grep -v grep | awk '{print $2}' | xargs kill


Update the server configuration


NOTE: The ha_storage must be an HA-supporting storage backend.

Open config-node1.hcl and add raft as your ha_storage for node1.

# Keep the existing storage "file" stanza; raft is added only for HA coordination
ha_storage "raft" {
  path    = "/home/scrapbook/tutorial/raft-node1/"
  node_id = "node1"
}
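For reference, this is what a complete config-node1.hcl looks like with both stanzas together. It is an added example, not the tutorial's own file: the file storage path, the listener, api_addr and cluster_addr are assumptions chosen to match the addresses used in this tutorial (VAULT_ADDR on port 8210, the Raft cluster port 8211 shown by list-peers).

```hcl
# config-node1.hcl (added example; file storage path, listener, api_addr
# and cluster_addr are assumptions consistent with this tutorial)

# Primary data store: the file backend cannot coordinate HA on its own
storage "file" {
  path = "/home/scrapbook/tutorial/vault-storage-file/"   # assumed path
}

# HA coordination only (leader election and locking); Vault data stays in "file"
ha_storage "raft" {
  path    = "/home/scrapbook/tutorial/raft-node1/"
  node_id = "node1"
}

# API listener that VAULT_ADDR=http://127.0.0.1:8210 points at
listener "tcp" {
  address     = "127.0.0.1:8210"
  tls_disable = true   # plain HTTP is acceptable only for this local lab
}

# Addresses advertised to peers; 8211 is the cluster port seen in list-peers
api_addr     = "http://127.0.0.1:8210"
cluster_addr = "https://127.0.0.1:8211"
```

After restarting the server with this file, vault status reports HA Enabled as true even though the data itself is still stored by the file backend.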

Now, start node1 with updated server configuration.

mkdir raft-node1
vault server -config=config-node1.hcl

The server status shows that HA Enabled is true.

vault status

Execute the vault operator init command to initialize node1.

vault operator init -key-shares=1 -key-threshold=1 > key.txt

NOTE: For simplicity, the number of unseal keys and the key threshold are both set to 1, and the generated unseal key and initial root token are stored in a local file named key.txt.

Unseal node1 with the unseal key.

vault operator unseal $(grep 'Key 1:' key.txt | awk '{print $NF}')

In Terminal 1, wait until you see the core: post-unseal setup complete message in the server log.

...
[INFO]  core.raft: creating new raft TLS config
[INFO]  core: usage gauge collection is disabled
[INFO]  core: post-unseal setup complete

Now, node1 is ready!

Log into Vault using the initial root token (key.txt):

vault login $(grep 'Initial Root Token:' key.txt | awk '{print $NF}')

Execute the following command to view node1's Raft peer list.

vault operator raft list-peers
Node     Address           State     Voter
----     -------           -----     -----
node1    127.0.0.1:8211    leader    true

You successfully enabled HA storage to store the HA coordination information.