Migrating Postgres Backend to a new cluster with Raft Storage

karthmnz · May 9, 2022, 8:31pm

Hello,

I am trying to migrate vault data entirely from a Postgres backend in an old cluster to a new HA cluster with Raft Storage. The Enterprise version has a great DR option. Unfortunately, I am bound to use the Open Source version.

The docs talk only Consul and Integrated Storage but it’s not clear for Postgres.
What would be the recommended way to perform this migration? Could you please explain the steps I may need to follow?

I am thinking to have something like

storage_source "postgres" {
**Postgres db connection details**
}

storage_destination "raft" {
  path = "/vault/raft/"
  node_id = "node_1"
}

cluster_addr = "https://10.0.101.22:8201"

But will performing a migration still leave the vault data intact in the Postgres backend upon migration to the new cluster?

Has anyone attempted this before? Any pain points I should be aware of?

Thanks in advance for the help!

maxb · May 9, 2022, 8:41pm

Yes, migration leaves the source cluster intact.

Be aware that you must shut down the source Vault server(s) whilst running migration. If you do not, your migration output might be based on inconsistent data because the source was changing whilst it was being read for migration, causing potentially undefined results.

karthmnz · May 9, 2022, 9:21pm

Thanks for help! Are there also any other ways to take a “snapshot” and restore it?

maxb · May 9, 2022, 9:36pm

The core of Vault does not offer snapshot/restore capabilities - that is up to the storage backend.

Consul is capable of this (using direct access to the Consul backend, using Consul tools or APIs).

So is Vault’s integrated Raft storage.

PostgreSQL is a good SQL database so it’s likely possible to take a consistent online backup from it too, but you might need to be an expert PostgreSQL DBA to reason your way to a safe procedure.