Poor-man's Vault scaling approach

Hi Friends! I would like to run Vault in several instances connected to one backend (etcd).

(The problem to solve is that sometimes there are too many requests from clients, and profiling shows there is no bottleneck in the backend but the issue is with CPU load.)

This doesn’t work well if they run continuously, as updates are accumulated in the internal caches and other in-memory structures. However, it seems viable if each node is restarted every few minutes and so “refreshes” its state from the backend. Alternatively, it is possible to dedicate one node to process updating requests, and this one should run continuously, while several “satellite” nodes will only serve reading requests, and these could be restarted in round-robin fashion.

I wonder whether this could be done without an explicit shutdown/restart (I can’t find a command like “re-read everything”, though seemingly this could be achieved with seal/unseal). Are there any faults in this approach I’m missing (except “eventual consistency”)?

Thanks in advance!

Any time restarting software is used as a solution to a problem, you are doing it wrong™. Or so it was said by a crusty old neckbeard a long time ago. It may even have been me…

So. Assuming you are using open source Vault (because Enterprise had performance read replicas), and your problem description, the answer seems simple: add more CPU.

You also didn’t explain where the problem occurs: with Vault itself, or with etcd? If the former, then you have your answer; if the latter, you’re in the wrong place to ask :wink: