Health check URI in Vault

Vault HA is being constructed; I would like to inquire about the health check.

  • Composition:
    3 Consul servers.
    2 Vault servers (Consul clients).
    Consul is only being used for Vault storage.
    By configuring the LB in front of Vault, Vault can be accessed via the LB IP.

When configuring the LB, I set the health check to /v1/sys/init.
When decrypting while encryption/decryption is in progress, API requests fail.

I belatedly found out about the health check with /sys/health; will the health check URI affect it?

I don’t know the difference between /v1/sys/health and /v1/sys/init…

Also, I want to test perfstandbyok=true among the parameters of /sys/health.
When /sys/health?perfstandbyok=true is set and I curl from within Vault, code 429 appears on the standby node. I think 200 should appear.
If that parameter is set, is it normal for 200 to appear on the standby node?

Is my parameter setting wrong?

I don’t quite understand the health check related documents.
Guess I’m too stupid!

Please add a comment!

If you’re building an HA environment, which from the look of it you are, your node counts are not the recommended ones. If possible, I’d pump the Consul servers up to 5 servers, and a minimum of 3 Vault nodes – you don’t want an even number of nodes.

Depending on the size of your environment and the number of requests, using Vault with Integrated Storage (3 or 5 nodes) is the other choice that I’d happily recommend alongside the Vault+Consul route.

Health checks on Vault should be against sys/health. We use perfstandbyok=true on port 443 on the LB, and on 8200/8201 we only point to the master for DR replication. One important note is that the LB should be SSL pass-through so that the connection terminates at the node.

When /sys/health?perfstandbyok=true is set, code 429 is returned; is this correct?

Isn’t a 200 return correct?

[azureuser@vault02 ~]$ curl -vk http://127.0.0.1:8200/v1/sys/health?perfstandbyok=true
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 8200 (#0)
> GET /v1/sys/health?perfstandbyok=true HTTP/1.1
> Host: 127.0.0.1:8200
> User-Agent: curl/7.61.1
> Accept: */*
>
< HTTP/1.1 429 Too Many Requests
< Cache-Control: no-store
< Content-Type: application/json
< Strict-Transport-Security: max-age=31536000; includeSubDomains
< Date: Sun, 06 Mar 2022 01:47:51 GMT
< Content-Length: 291
<
{"initialized":true,"sealed":false,"standby":true,"performance_standby":false,"replication_performance_mode":"unknown","replication_dr_mode":"unknown","server_time_utc":1646531271,"version":"1.9.4","cluster_name":"vault-cluster-81c7bfca","cluster_id":"c4138c51-13d7-a1ef-bb24-d9097ee533b1"}

Well, two things:

A) You’re getting a valid response: 429 = if unsealed and standby

B) The reason you’re not getting a 200 is that bash is dropping the rest of the line after ?parameter. You need to wrap the whole URL in quotes to prevent bash from messing with it.

C) Obviously, using 127.0.0.1 is not a good test … use the routable IP address when testing.

Thank you for the answer!

That node is a standby node.

I understood that if I set the perfstandbyok=true parameter, the standby node also returns a 200 code.

Even if that parameter is set, is it correct that the standby node returns a 429 code?

Isn’t it a 200 code?

See the “if unsealed and standby” link.
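As an added illustration (not code from this thread or from Vault itself), the following Python probe builds the sys/health URL with its query string intact and maps the HTTP status plus the JSON body to a node role, so an LB-style check can tell a plain standby (429 under perfstandbyok=true, as in the curl output above) from an active node (200). The sample body is trimmed from the response posted above, and the 127.0.0.1 base URL is only a placeholder.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Vault's documented default sys/health status codes (before any *ok overrides).
STATUS_MEANING = {200: "active", 429: "standby", 472: "dr-secondary",
                  473: "performance-standby", 501: "not-initialized", 503: "sealed"}

# Body captured on the standby node earlier in this thread (quotes normalised, trimmed).
SAMPLE_STANDBY_BODY = ('{"initialized":true,"sealed":false,"standby":true,'
                       '"performance_standby":false,"version":"1.9.4"}')


def health_url(base, **params):
    """Build the probe URL; urlencode keeps ?perfstandbyok=true attached to the path."""
    query = urllib.parse.urlencode(params)
    return f"{base.rstrip('/')}/v1/sys/health" + (f"?{query}" if query else "")


def classify(status, body):
    """Return (role, healthy_for_lb) from the HTTP status plus the JSON body.

    perfstandbyok=true only promotes a *performance* standby to 200; a plain
    standby (standby=true, performance_standby=false) still answers 429.
    """
    info = json.loads(body) if body else {}
    role = STATUS_MEANING.get(status, f"unknown({status})")
    if info.get("sealed"):
        role = "sealed"
    elif info.get("performance_standby"):
        role = "performance-standby"
    elif info.get("standby"):
        role = "standby"
    return role, status == 200


def probe(base, timeout=3, **params):
    """GET sys/health; 429/503 still carry a JSON body, so read it instead of raising."""
    req = urllib.request.Request(health_url(base, **params), method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read().decode())
    except urllib.error.HTTPError as exc:
        return classify(exc.code, exc.read().decode())


if __name__ == "__main__":
    print(classify(429, SAMPLE_STANDBY_BODY))  # ('standby', False)
    # print(probe("http://127.0.0.1:8200", perfstandbyok="true"))  # against a live node
```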