Can I run multiple Vault nodes with non-HA supported storage backend?


Suresh

Aug 7, 2019, 12:20:00 PM
to Vault
Hi,

I am planning to use PostgreSQL as the storage backend with multiple (2-3) Vault instances/nodes.
Since I'm using an older version of Vault and due to some other design reasons I cannot enable HA.

My question is if there's a likelihood to run into issues related to data inconsistency or integrity when running a setup like that.
Any other issues likely due to running multiple vaults in non-HA mode talking to Postgres?

Thanks for the help!

Nick Cabatoff

Aug 7, 2019, 12:31:09 PM
to vault...@googlegroups.com
Hi Suresh,

If you're looking to run multiple independent Vault instances writing to different tables in the same PostgreSQL instance, that should be fine.  If you're looking to somehow share data between those Vaults, you're going to have problems.

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/f7cb1a43-5fa0-4e26-bb4e-699cf2a95e37%40googlegroups.com.

Clint Shryock

Aug 7, 2019, 12:36:54 PM
to vault...@googlegroups.com
Hey Suresh - in addition to what Nick said, while you are very likely to have problems with multiple nodes sharing a non-HA storage backend, you can optionally set up and use an HA storage backend just for coordinating the HA setup. See the "ha_storage" configuration block here:


The list of supported storage backends is here, you'll need to inspect each one to know if it supports HA or not:


So, for example, you could use Postgres for storage, but configure your Vault nodes to use a DynamoDB table to coordinate the HA setup:


Let us know if that answers your question(s)

Cheers,
Clint
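
The split described in the message above, sketched as an added example (not part of the original post and not taken from HashiCorp's documentation): PostgreSQL holds the data while a DynamoDB table is used only to coordinate which node is active. Host names, credentials, table names, the region and the certificate paths are placeholders.

```hcl
# Added example: every value below is a placeholder, adjust per node.

# Data lives in PostgreSQL. Without HA support in this backend,
# it cannot by itself decide which Vault node is active.
storage "postgresql" {
  connection_url = "postgres://vault:CHANGE_ME@db.example.internal:5432/vault"
  table          = "vault_kv_store"
}

# Used for HA coordination only: holds the lock that makes exactly
# one node active while the others stay in standby.
ha_storage "dynamodb" {
  ha_enabled = "true"
  region     = "us-east-1"
  table      = "vault-ha-lock"
}

listener "tcp" {
  address         = "0.0.0.0:8200"
  cluster_address = "0.0.0.0:8201"
  tls_cert_file   = "/etc/vault/tls/vault.crt"
  tls_key_file    = "/etc/vault/tls/vault.key"
}

# Each node advertises its own addresses so standbys can redirect
# or forward client requests to the active node.
api_addr     = "https://vault-1.example.internal:8200"
cluster_addr = "https://vault-1.example.internal:8201"
```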

Suresh

Aug 7, 2019, 12:45:42 PM
to Vault
Thanks for the response Nick and Clint.

Yes, I'm planning to run multiple Vaults that share the data between them using the same Postgres table.

Can someone please list a couple of situations in which I'll run into issues? 
I am running a setup on my end with some traffic to see if I run into obvious issues.

I like the idea of "ha_storage" and I'll explore that too. But I want something on-premise and my options seem pretty limited.
Do you know if I can use a different table in Postgres for HA so I don't have to set up another backend?

Stuart Clark

Aug 7, 2019, 1:10:13 PM
to Suresh, Vault
The HA in Vault consists of a single master and a number of standby nodes which basically do nothing until the master fails. Therefore it's vital you only have a single master (otherwise you'd likely have data consistency and corruption issues).

The HA enabled backends have a mechanism to ensure you only have a single master. If you can't use one (or the mentioned additional HA mechanism) you should ensure that you manually only have a single instance running - you won't have full HA as you'd have to start up another node if there is a failure, so there may be a few minutes of downtime.

Nick Cabatoff

Aug 7, 2019, 2:11:59 PM
to vault...@googlegroups.com
Stuart and Clint are right on all counts.  I have to admit I'm curious: what prevents you from upgrading to Vault 1.2?

On Wed, Aug 7, 2019 at 12:45 PM Suresh <mrsuresh...@gmail.com> wrote:
Thanks for the response Nick and Clint.

Yes, I'm planning to run multiple Vaults that share the data between them using the same Postgres table.

Can someone please list a couple of situations in which I'll run into issues? 
I am running a setup on my end with some traffic to see if I run into obvious issues.

I like the idea of "ha_storage" and I'll explore that too. But I want something on-premise and my options seem pretty limited.
Do you know if I can use a different table in Postgres for HA so I don't have to set up another backend?

That's exactly what the Postgres HA support in 1.2 does.
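
For the Vault 1.2 route mentioned in the reply above, an added sketch (not from the original thread) of a PostgreSQL storage block with the backend's own HA options, `ha_enabled` and `ha_table`, turned on. The connection string, host names and table names are placeholders.

```hcl
# Added example: requires a Vault version with PostgreSQL HA support
# (1.2 per the thread). All values are placeholders.

storage "postgresql" {
  connection_url = "postgres://vault:CHANGE_ME@db.example.internal:5432/vault"

  # Table holding Vault's encrypted data.
  table = "vault_kv_store"

  # Leader election uses a separate lock table in the same database,
  # so no second backend is needed for coordination.
  ha_enabled = "true"
  ha_table   = "vault_ha_locks"
}

# Per-node addresses advertised to the other nodes and to clients.
api_addr     = "https://vault-1.example.internal:8200"
cluster_addr = "https://vault-1.example.internal:8201"
```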
 