I have 3 servers and on each is one consul server, consul client and vault. Vault uses consul storage as a backend. Of course vault data is stored in consul kv. I did replication between three data centers. But I had a problem: replication works only for consul roles, tokens and policies. I tried to set up two backends in vault. One backend was consul, the second was raft, but I got an error that only one backend may be used.
So, how can I replicate KV in consul? Is there a way to do this at this stage of consul's development? Or can it only be done in the enterprise version?
What do you mean by replication? If your nodes are in the same cluster they’ll auto-replicate against each other.
Enterprise gives you HA, which will let you replicate a whole cluster to another cluster (that’s dark) and has to be made primary to be active.
Okay, I will try to describe it differently.
Each server represents a separate datacenter. Each data center has a consul server and a vault storage. Vault uses the consul as storage. These data centers are replicated among themselves, but only the policies, tokens and the consul roles are replicated there. And I want to replicate the kv vault storage. So that each server has a vault and in the event of a server crash, I would have at least 2 more vaults.
It really doesn’t matter, but if your DC is replicated (I’m assuming you mean the storage is replicated), then you’re fine. You don’t need to replicate at the application level as well.
You can’t "just" replicate part of the storage, not using the official replication tools.
This isn’t replication anymore. This is redundancy within the datacenter. Redundancy is very easy and built into Vault and Consul. You can set up Consul clusters by adding more consul nodes with the same cluster name; having a unique name, they’ll join together and replicate each other’s data so that each contains a full copy.
Vault also works this way: as long as they can see each other and use port 8201, they’ll act together and elect a leader and standby nodes; if the leader becomes unresponsive, one of the standby nodes will take over. You can use a Load Balancer across all of your vault nodes on 8200 to make them all available on a single VIP.
What kind of tools do you mean?
You have to write your own, pull and push the secrets as often as you need.
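What "pull and push" amounts to for a KV prefix, as an added example that is not from this thread or from HashiCorp: decode a recurse listing from each datacenter, compute the one-way plan (write keys that differ, delete keys missing from the source), and apply it. The listings, key names and the excluded cluster-local prefix are constructed for illustration; a real run would fetch them with GET /v1/kv/<prefix>?recurse and write with PUT/DELETE /v1/kv/<key> in the destination datacenter.

```python
import base64
from typing import Dict, Iterable, List, Tuple

def b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()

# Constructed stand-ins for the Consul recurse listing of two datacenters
# (the API returns Value as base64 and may return null for empty values).
DC1_LISTING = [
    {"Key": "vault/core/lock", "Value": b64(b"held-by-dc1"), "ModifyIndex": 10},
    {"Key": "vault/logical/app/secret1", "Value": b64(b"ciphertext-1"), "ModifyIndex": 12},
    {"Key": "vault/logical/app/secret2", "Value": b64(b"ciphertext-2"), "ModifyIndex": 15},
]
DC2_LISTING = [
    {"Key": "vault/logical/app/secret1", "Value": b64(b"ciphertext-1"), "ModifyIndex": 4},
    {"Key": "vault/logical/app/stale", "Value": None, "ModifyIndex": 3},
]

def decode_listing(listing: List[dict], prefix: str) -> Dict[str, bytes]:
    """Turn a recurse listing into {key: raw bytes}, keeping keys under prefix."""
    return {e["Key"]: base64.b64decode(e["Value"] or "")
            for e in listing if e["Key"].startswith(prefix)}

def plan_sync(source: Dict[str, bytes], dest: Dict[str, bytes],
              exclude: Iterable[str] = ()) -> Tuple[Dict[str, bytes], List[str]]:
    """One-way plan making dest match source; excluded prefixes are left alone.
    Assumption: cluster-local keys (such as the HA lock) must not be copied."""
    def skip(key: str) -> bool:
        return any(key.startswith(x) for x in exclude)
    puts = {k: v for k, v in source.items() if not skip(k) and dest.get(k) != v}
    deletes = sorted(k for k in dest if not skip(k) and k not in source)
    return puts, deletes

def apply_plan(dest: Dict[str, bytes], puts: Dict[str, bytes],
               deletes: List[str]) -> Dict[str, bytes]:
    """Apply the plan in place (stand-in for PUT/DELETE against the destination)."""
    for key in deletes:
        dest.pop(key, None)
    dest.update(puts)
    return dest

def replicate(src_listing: List[dict], dst_listing: List[dict], prefix: str,
              exclude: Iterable[str] = ()) -> Tuple[Dict[str, bytes], Dict[str, bytes], List[str]]:
    """Pull both sides, push the difference, and return (dest_after, puts, deletes)."""
    src = decode_listing(src_listing, prefix)
    dst = decode_listing(dst_listing, prefix)
    puts, deletes = plan_sync(src, dst, exclude)
    return apply_plan(dst, puts, deletes), puts, deletes
```

Running the plan a second time yields no writes and no deletes, which is the property a periodic pull-and-push job needs.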
Thanks for the answer. I had success solving it using consul-replicate, but as I understand it, it can’t replicate SSH storage.