Demo Promote a Secondary Cluster

In this guide, you’ll learn how to safely demote the existing primary cluster in a Vault Disaster Recovery (DR) replication setup and then promote the DR secondary cluster to become the new primary. This procedure ensures minimal downtime and maintains data integrity across clusters.

Quick Reference

1. Verify Current DR Replication Status

On your primary cluster, confirm that the DR replication relationship is healthy:

vault read -format=json sys/replication/dr/status | jq

Sample output:

{
  "mode": "primary",
  "state": "running",
  "known_secondaries": ["secondary-dallas"],
  "secondaries": [
    {
      "node_id": "secondary-dallas",
      "connection_status": "connected",
      "api_address": "http://10.1.101.108:8200",
      "cluster_address": "https://10.1.101.108:8201",
      "last_heartbeat": "2022-05-24T20:13:45Z"
    }
  ]
}

If the connection_status is not connected, troubleshoot network connectivity and TLS settings before proceeding.

2. Demote the Current Primary Cluster

Demoting the primary ensures there is no conflict when promoting the secondary.

# Verify your token
vault token lookup

# Demote primary to secondary
vault write -f sys/replication/dr/primary/demote

Expected warning:

WARNING! The following warnings were returned from Vault:
* This cluster is being demoted to a replication secondary. Vault will be unavailable for a brief period and will resume service shortly.

3. Generate a DR Operation Token on the Secondary

Switch context to your DR secondary cluster to create a one-time operation token required for promotion.

1. Initiate token generation

   vault operator generate-root -dr-token
   

   You’ll receive an operation nonce.

2. Unseal with quorum of unseal keys
   Provide any 3 of 5 unseal keys from the former primary:

   vault operator generate-root -dr-token
   # Enter unseal key #1
   # Enter unseal key #2
   # Enter unseal key #3
   

   Vault returns an encoded token, e.g.:

   Encoded Token: LDJQkQUE6DhyVWITrMHJ2dCgFPjVQGAMLQPEfCw
   

3. Decode the DR operation token

   vault operator generate-root -dr-token \
     -otp="2ac123e0-d768-ce9e-ed7f-58eba3091a8f" \
     -decode="LDJQkQUE6DhyVWITrMHJ2dCgFPjVQGAMLQPEfCw"
   

   Output:

   DR Operation Token: hvs.vjJaqI8ACON0@FlUQeKHDIJO
   

4. Promote the Secondary to Primary

Using the decoded token, promote the DR secondary:

vault write sys/replication/dr/secondary/promote \
  dr_operation_token="hvs.vjJaqI8ACON0@FlUQeKHDIJO"

You’ll see:

WARNING! The following warnings were returned from Vault:
* This cluster is being promoted to a replication primary. Vault will be unavailable for a brief period and will resume service shortly.

5. Verify the New Primary

1. Authenticate (if needed):

   vault login hvs.Y9MwsvPOH3zIZpBUymLF6Dk
   

2. List Raft peers:

   vault operator raft list-peers
   

   Expected:

   Node     Address             State   Voter
   ----     -------             -----   -----
   vault-3 10.1.101.108:8201    leader  true
   

3. Test secrets engines:

   vault secrets enable aws
   

   Success! Enabled the aws secrets engine at: aws/
   

At this point, your DR secondary cluster is fully promoted and ready to operate as the new primary. All write and read operations should now succeed on this cluster.

Links and References

• HashiCorp Vault DR Replication
• Vault Operator Commands
• Vault API: sys/replication/dr
• HashiCorp Vault GitHub