How does Vault behave in non-HA mode with several instances?


Michael D.

Feb 14, 2019, 6:33:13 AM
to Vault
Hello,

We are trying to dig into the Vault topic and have started to experiment with the Vault installation on Kubernetes using http://storage.googleapis.com/kubernetes-charts-incubator incubator/vault.

Just for testing purposes we used S3 storage. But according to https://www.vaultproject.io/docs/concepts/ha.html, we will need an HA-supported backend to get Vault in HA mode:

To be highly available, one of the Vault server nodes grabs a lock within the data store. The successful server node then becomes the active node; all other nodes become standby nodes. At this point, if the standby nodes receive a request, they will either forward the request or redirect the client depending on the current configuration and state of the cluster -- see the sections below for details.

We wonder what is currently happening, as the installation created three pods and we unsealed them.

So far we haven't found anything that would explain how Vault behaves if HA is disabled and several pods/instances are running.

So we would like to understand how Vault works in that setup and which flaws it has. For sure, we want to have HA, as this system will be a crucial component, but we would like to understand Vault better.

Regards,
Michael

mic...@hashicorp.com

Feb 15, 2019, 3:48:34 AM
to Vault
Hi Michael,

A storage backend which supports HA can create a lock inside of the backend. This lock is used to determine the active node (e.g. to find the leader).
If multiple Vault instances are using the same storage backend without HA, data corruption or loss can be the result.

Cheers,
Michel 
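
The state this reply warns about can be checked from the status each pod reports. The following is an added example, not part of the original thread: it assumes every instance points at the same storage backend and reads the `sealed`, `ha_enabled` and `is_self` keys of `vault status -format=json`. The sample documents and the function name `assess_shared_backend` are constructed for illustration.

```python
import json

# Constructed sample: status JSON from three pods sharing one S3 bucket
# (a backend without HA support). Not captured from a real cluster.
SAMPLE_NON_HA = [
    '{"initialized": true, "sealed": false, "ha_enabled": false}',
    '{"initialized": true, "sealed": false, "ha_enabled": false}',
    '{"initialized": true, "sealed": false, "ha_enabled": false}',
]

# Constructed sample: the same three pods on an HA-capable backend.
SAMPLE_HA = [
    '{"initialized": true, "sealed": false, "ha_enabled": true, "is_self": true}',
    '{"initialized": true, "sealed": false, "ha_enabled": true, "is_self": false}',
    '{"initialized": true, "sealed": false, "ha_enabled": true, "is_self": false}',
]


def assess_shared_backend(status_docs):
    """Classify Vault instances that are assumed to share one storage backend.

    Returns (verdict, detail); verdict is "ok", "unsafe" or "degraded".
    """
    statuses = [json.loads(doc) for doc in status_docs]
    # A sealed instance cannot read or write secrets, so only unsealed ones count.
    unsealed = [s for s in statuses if not s.get("sealed", True)]
    if not unsealed:
        return "degraded", "no unsealed instance can serve requests"

    non_ha = [s for s in unsealed if not s.get("ha_enabled", False)]
    if non_ha:
        if len(unsealed) > 1:
            # Without a lock in the backend there is no active/standby split:
            # the state the reply above says can corrupt or lose data.
            return "unsafe", f"{len(unsealed)} unsealed instances, {len(non_ha)} without HA"
        return "ok", "single non-HA instance"

    # HA mode: exactly one instance should hold the lock and report is_self.
    active = [s for s in unsealed if s.get("is_self", False)]
    if len(active) == 1:
        return "ok", f"1 active, {len(unsealed) - 1} standby"
    return "degraded", f"{len(active)} instances report themselves active"


if __name__ == "__main__":
    print(assess_shared_backend(SAMPLE_NON_HA))
    print(assess_shared_backend(SAMPLE_HA))
```
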

Michael D.

Feb 19, 2019, 7:44:26 AM
to Vault
Hi Michel,

Thanks! That was exactly the sentence I needed to understand the impact better.

Regards,
Michael