Vault HA is being constructed, and I would like to ask about health checks.
Composition:
3 Consul servers.
2 Vault servers (Consul clients).
Consul is only being used for Vault storage.
By configuring the LB in front of Vault, Vault can be accessed with the LB IP.
When configuring the LB, I set the health check to /v1/sys/init.
When decrypting while encryption/decryption is in progress, API request failures occur.
I belatedly found out about the health check with /sys/health; will the health check URI affect it?
I don’t know the difference between /v1/sys/health and /v1/sys/init…
Also, I want to test perfstandbyok=true among the parameters of /sys/health.
When /sys/health?perfstandbyok=true is set, when curling in the Vault, code 429 appears on the standby node. I think 200 should appear.
If the corresponding parameter is set, is it normal for 200 to appear on the standby node?
Is my parameter setting wrong?
I don’t quite understand the health check related documents.
Guess I’m too stupid!
If you’re building an HA environment, which from the look of it you are, your node count is not the recommended one. If possible, I’d pump the Consul servers to 5 servers, and a minimum of 3 Vault nodes – you don’t want an even number of nodes.
Depending on the size of your environment and number of requests, using Vault with Integrated Storage (3 or 5 nodes) is the other choice that I’d happily recommend along with the Vault+Consul route.
Health checks on Vault should be against sys/health. We use perfstandbyok=true on port 443 on the LB, and on 8200/8201 we only point to master for DR replication. One important note is that the LB should be SSL pass-through so that the connection terminates at the node.
B) The reason you’re not getting a 200 is that bash is dropping the rest of the line after ?parameter. Need to wrap the whole URL in quotes to prevent bash from messing with it.
C) Obviously using 127.0.0.1 is not a good test … use the routable IP address when testing.
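An added example, not from either poster: a small probe in the style of an LB health check against sys/health, passing the URL to curl as one quoted argument as the reply above describes. The function names and the node address in the usage comment are constructed; the status-code meanings are Vault's documented defaults.

```shell
#!/usr/bin/env bash
# Added example: LB-style probe for Vault's sys/health endpoint.

# Build the health URL. Arguments after the base address are query
# parameters, e.g. perfstandbyok=true or standbyok=true.
health_url() {
  local base="$1"; shift
  local url="${base%/}/v1/sys/health"
  local sep="?"
  local p
  for p in "$@"; do
    url="${url}${sep}${p}"
    sep="&"
  done
  printf '%s' "$url"
}

# Map a sys/health status code (Vault defaults) to a node state.
# standbyok=true makes a standby answer with the active code (200);
# perfstandbyok=true does the same for a performance standby.
health_state() {
  case "$1" in
    200) echo "active" ;;
    429) echo "standby" ;;
    472) echo "dr-secondary" ;;
    473) echo "perf-standby" ;;
    501) echo "uninitialized" ;;
    503) echo "sealed" ;;
    *)   echo "unknown" ;;
  esac
}

# An LB that accepts only 200 keeps the node in rotation on 200 alone.
in_rotation() {
  [ "$1" = "200" ]
}

# Probe one node. "$url" is quoted so the shell hands ? and & to curl
# untouched instead of interpreting them.
probe() {
  local url code
  url="$(health_url "$@")"
  code="$(curl -s -o /dev/null -w '%{http_code}' --max-time 5 "$url")" || code="000"
  printf '%s %s %s\n' "$url" "$code" "$(health_state "$code")"
  in_rotation "$code"
}

# Usage (constructed address, use the node's routable IP or name):
#   probe "https://vault-node.example:8200" perfstandbyok=true
```

Run `probe` against each node's routable address rather than through the LB to see which state each node reports for a given parameter set.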