Cant start vault server with ha backend postges

Hey everyone,
I have configured my vault to use postgres backend and it works just fine.
I added ha_enabled = true; and ha_table.
added the ha_storage “postgresql” with the correct connection_url and table and when I try to start the vault with ha I get the error message:
“Specified HA storage has HA support disabled, please consult documentation”.
As much as I know postgres should be compatible with ha.

Is it a single instance (in postgresql “cluster”) or does it has a replica at minimum? I guess Vault did check for a postgresql ha enabled backend but only found a single instance. That’s what the error message looks like.

Specified HA storage has HA support disabled[…]

Note that before Vault 1.2, postgresql storage didn’t support HA. Even after 1.2, you must use a postgresql >= 9.5.

It is a cluster, configuration looks like this:

listener "tcp" {
    address = "0.0.0.0:8200"
    cluster_address = "127.0.0.1:8201"
    tls_cert_file = "/ssl/cert.cer"
    tls_key_file = "/ssl/key.key"
}

storage "postgresql" {
    connection_url="postgres://username:password@vault-pdb-1:5432/vaultdb?search_path=vaultschema&sslmode=disable"
    table="vault_kv_store"
    ha_enabled=true
    ha_table="vault_ha_locks"
}

ha_storage "postgresql" {
    connection_url="postgres://username:password@vault-pdb-2:5432/vaultdb?search_path=vaultschema&sslmode=disable"
    table="vault_kv_store"
}
ui=true
api_addr="https://0.0.0.0:8200"
cluster_addr="https://127.0.0.1:8201"

Note that the postgres is hosted on a different server than where I host the vault ui

The data replicates from the first postgres DB to the second one.
The vault works perfectly when ha is disabled (with postgres storage).

May I ask why you’re using different PG instances for storage and ha_storage? Sometimes there are good reasons for doing so, but usually it’s when the backend in storage doesn’t support HA.

I’m also concerned about your statement “The data replicates from the first postgres DB to the second one.” We’ve never tested using a PG HA backend in conjunction with PG replication. The expectation is that all Vault instances are connected to the same PG instance, and that all updates to the vault_kv_store are done by Vault instances only. It might work fine, just be aware you’re exploring new territory.

Im a bit confused,

both my PG instances are clustered (and configured inside the pg to replicate data between both instances).
In a case where my main pg is destroyed/wiped/burnt, How does the vault know to switch it’s storage to my second PG instance? isn’t that what ha is all about?

isn’t that what ha is all about?

This is a common confusion. For Vault, “HA storage” does not mean that the storage is highly available (although that’s of course desirable). What it means is that the storage provides mechanisms that Vault can use to make Vault highly available. Thus you can run multiple Vault instances and as soon as the active node ceases to be active, a standby node will take over.

Naturally, if the “HA storage” is not itself highly available, the fact that Vault is HA will only be of limited value. I’m not sure of a good way of doing that for PG that is known to work with Vault. That doesn’t mean there isn’t one, just that I don’t know.

Remember that the only storage backends officially supported by HashiCorp are Consul and Raft Integrated Storage. Everything else is community supported and YMMV.