# Vault Replication - Performance and Disaster Recovery

teaser: Learn How To Configure Disaster Recovery and Performance Replication Between Vault Clusters.

<details><summary>Description</summary>

This lab will guide you through setting up disaster recovery and performance [Replication](https://www.vaultproject.io/docs/enterprise/replication) between Vault clusters.

You will perform the following steps:
* Configure Performance Replication between `NA-1` and `EU-1` so that applications in different regions can access Vault servers in the same regions.
* Configure a [mount filter](https://learn.hashicorp.com/tutorials/vault/paths-filter) to limit what data is shared from the EU clusters to the NA clusters.
* Enable a `local` secrets engine on the `NA-1` cluster and verify that it is not replicated to the EU clusters.
* Configure Vault's Disaster Recovery (DR) replication in two different ways.
* Simulate a catastrophic failure of a cluster and promote the DR secondary to DR primary.

These topics are important for helping you ensure constant availability of Vault clusters even when disasters occur, allow applications to interact with local Vault servers, and ensure compliance with data protection laws such as [General Data Protection Regulation](https://en.wikipedia.org/wiki/General_Data_Protection_Regulation) (GDPR).
    
</details>


# Challenge 1 - Prepare Your Primary Vault Clusters

<details><summary>Notes</summary>

Welcome to Lab 4 of the HashiCorp E1 Vault Implementation Specialist training. This lab is focused on Vault's disaster recovery and performance [Replication](https://www.vaultproject.io/docs/enterprise/replication).

In this lab's first challenge, you'll verify the health of 2 Vault Enterprise clusters (EU-1 and NA-1) that have been created for you. Each of them has a single Vault server backed by a single Consul server. Of course, in production, each cluster would have 3 Vault servers backed by 5 Consul servers.

The Vault servers have been unsealed using GCP Auto Unseal.

After verifying the health of your Vault clusters, you will complete the first challenge by enabling two secrets engines and writing some secrets to them.

In the second challenge, you will enable performance replication between the EU-1 and NA-1 clusters.

After that, you will configure mount filters and local mounts, verify the health of two additional Vault clusters (EU-2 and NA-2), and enable disaster recovery replication between the EU-1 and EU-2 clusters and between the NA-1 and NA-2 clusters.

At the end of the lab, you will simulate a failure of the NA-1 cluster and promote the NA-2 cluster to DR primary.

Unfortunately, this lab will take 5-6 minutes to start. So, this is a good time to take a coffee break or catch up on e-mail. Or you could read the extra information about Vault replication that we have added to the following notes screens.

</details>

<details>
<summary>
Vault supports two types of replication:
</summary>


1. **Performance Replication**, in which multiple clusters are simultaneously active in different geographical regions so that applications can interact with nearby Vault servers. This reduces latency when applications request secrets from Vault.
2. **Disaster Recovery Replication**, in which only one cluster is active while the other secondary clusters serve as warm standbys in case the primary cluster suffers a catastrophic failure.

Both kinds of replication can be used simultaneously.

<img src="attachment:18390bc1-6244-4719-8993-22ae8c4285dd.png" width="50%" />

Let's talk more about **Performance Replication**.

When multiple clusters are joined in a performance replication set, one is the primary while the others are secondary. All the clusters can service read requests themselves, but write requests are forwarded to the primary cluster.

After the primary cluster saves new secrets, it replicates them to the secondary clusters. So, even when a request is initially sent to a secondary cluster, from Vault's point of view the data always flows from the primary cluster to the secondary clusters.

This is important to keep in mind when we talk about mount filters and local mounts.

A **Mount Filter** is a configuration that tells the primary cluster which secrets engines and auth methods should have their data replicated from the primary cluster to specific secondary clusters.

They can be dynamically enabled and removed both before and after performance replication has been configured.

A generalization of a mount filter is a **Path Filter** which can filter both mounts and namespaces in Vault Enterprise.

A **Local Mount** is a secret engine or auth method that is designated as `local` when it is created. It's data is not replicated to other clusters.

Additionally, requests to do writes against it are handled by the cluster it was created in, even if that cluster is a performance secondary. In that case, the primary performance cluster will not see any of the local mount's data.

A mount that is not local is considered a `replicated` mount. All mounts are replicated by default unless they are explicitly designated as local mounts when they are created.

Use a **mount filter** when you want to restrict the flow of data from a performance primary to secondary clusters. Use a **local mount** when you want to restrict the flow of data from secondary clusters to the primary cluster and any other secondaries.

You can learn more about the difference between local and replicated mounts here.
</details>

---

## Introduction

Welcome to Lab 4 of the HashiCorp E1 Vault Implementation Specialist training!

If you did not read all of the notes screens while the lab was starting, please do that now by clicking the notes button in the upper right corner. After reading all of them, click the X button to hide the notes.

Expand each section below to review additional information


### About this lab

<details><summary></summary>

The startup scripts for the track have created 2 Vault Enterprise clusters:

* EU-1 (the primary DR cluster in Europe and the primary performance replication cluster)
* NA-1 (the primary DR cluster in North America and the secondary performance replication cluster)

Two more Vault Enterprise clusters will be created later:

* EU-2 (the secondary DR cluster in Europe)
* NA-2 (the secondary DR cluster in North America)

In this lab, you will see one console tab ("EU-1" and "NA-1") and one UI tab ("EU-1 UI" and "NA-1 UI") for each Vault server. We are not exposing console or UI tabs for the Consul servers since you will not interact with Consul directly.

</details>

## Lab Instructions

### Step 0: Pre-reqs

In [19]:
rm -f /tmp/vault*.log
unset -f vault2 vault3
mkdir -p /tmp/config/vault

alias vrd='VAULT_UI=true VAULT_REDIRECT_ADDR=http://127.0.0.1:8200 vault server -log-level=trace -dev -dev-root-token-id=root -dev-listen-address=127.0.0.1:8200 -dev-ha -dev-transactional > /tmp/vault.log 2>&1'
alias vrd2="VAULT_UI=true VAULT_REDIRECT_ADDR=http://127.0.0.1:8202 vault server -log-level=trace -dev -dev-root-token-id=root2 -dev-listen-address=127.0.0.1:8202 -dev-ha -dev-transactional > /tmp/vault2.log 2>&1"
alias vrd3="VAULT_UI=true VAULT_REDIRECT_ADDR=http://127.0.0.1:8204 vault server -log-level=trace -dev -dev-root-token-id=root3 -dev-listen-address=127.0.0.1:8204 -dev-ha -dev-transactional > /tmp/vault3.log 2>&1"
alias vrd4="VAULT_UI=true VAULT_REDIRECT_ADDR=http://127.0.0.1:8206 vault server -log-level=trace -dev -dev-root-token-id=root4 -dev-listen-address=127.0.0.1:8206 -dev-ha -dev-transactional > /tmp/vault3.log 2>&1"

# alias option for vault commands
alias vault2="VAULT_ADDR=http://127.0.0.1:8202 vault $@"
alias vault3="VAULT_ADDR=http://127.0.0.1:8204 vault $@"
alias vault4="VAULT_ADDR=http://127.0.0.1:8206 vault $@"
# unalias vault vault2 vault1 vault3


# function option for vault commands
# vault2 () { 
#   VAULT_ADDR=http://127.0.0.1:8202 vault $@
# }

# vault3 () {
#   VAULT_ADDR=http://127.0.0.1:8204 vault $@
# }

# vault4 () {
#   VAULT_ADDR=http://127.0.0.1:8206 vault $@
# }

export RED="\e[0;31m"
export YELLOW="\e[0;33m"
export BLDYELLOW="\e[1;33m"
export GREEN="\e[0;32m"
export CYAN="\e[0;36m"
export BLUE="\e[0;34m"
export WHITE="\e[0;37m"
export BLDWHITE="\e[1;37m"
export NC="\e[0m"

[?2004h[?2004l[?2004l[?2004l[?2004l[?2004l[?2004l[?2004l[?2004l[?2004l[?2004l[?2004l[?2004l[?2004l[?2004l[?2004l[?2004l[?2004l[?2004l[?2004l[?2004l[?2004l[?2004l[?2004l[?2004l[?2004l[?2004l[?2004l[?2004l[?2004l[?2004l[?2004l[?2004l[?2004l[?2004l[?2004l

: 1

#### Start Vault - Binary Method

Install Vault Enterprise - if needed. This will install the latest version. Change `os` value to `linux` if not on Mac.

In [None]:
for i in vault; do
  corp=hashicorp os=darwin
  ver=$(curl -fsS https://api.github.com/repos/${corp}/${i}/tags \
    | jq -re '.[].name' \
    | grep -v 'beta\|rc' \
    | sed 's/^v\(.*\)$/\1/g' \
    | sort -Vr \
    | head -1)
#   echo -e "${ver}\n${i^}"
  curl -s https://releases.hashicorp.com/${i}/${ver}/${i}_${ver}_SHA256SUMS \
    | grep ${os}_amd64
  curl -so /tmp/vault.zip https://releases.hashicorp.com/${i}/${ver}+ent/${i}_${ver}+ent_${os}_amd64.zip \
    && unzip -qqo -d /usr/local/bin/ /tmp/vault.zip
done
vault version

In [3]:
printf "${GREEN}Start vault (EU-1) and vault2 (NA-1)${NC}\n"
pkill -9 vault
vrd &
vrd2 &

[0;32mStart vault (EU-1) and vault2 (NA-1)[0m
[2]+  Exit 1                  VAULT_UI=true VAULT_REDIRECT_ADDR=http://127.0.0.1:8202 VAULT_ADDR=http://127.0.0.1:8200 vault server -log-level=trace -dev -dev-root-token-id=root2 -dev-listen-address=127.0.0.1:8202 -dev-ha -dev-transactional > /tmp/vault2.log 2>&1
[2] 74119[?2004l[?2004l
[1]   Killed: 9               VAULT_UI=true VAULT_REDIRECT_ADDR=http://127.0.0.1:8200 VAULT_ADDR=http://127.0.0.1:8200 vault server -log-level=trace -dev -dev-root-token-id=root -dev-listen-address=127.0.0.1:8200 -dev-ha -dev-transactional > /tmp/vault.log 2>&1
[3] 74121[?2004l
[?2004h

: 1

In [4]:
UNSEAL_KEY_1=$(grep "Unseal Key:" /tmp/vault.log | awk '{print $NF}')
echo $UNSEAL_KEY_1

FVZ1lTH1bY9hWUNPDEekdPfqONvJGtbsLPr+7yBoW9g=
[?2004h

: 1

#### Docker Method

(optional) Start vault as a Transit Auto-unseal of vault1 and vault2

In [None]:
docker stop vault || true
docker rm vault || true
docker run --rm -d \
    --name vault \
    -p 8200:8200 \
    -e 'VAULT_DEV_ROOT_TOKEN_ID=root' \
    -e "VAULT_ADDR=http://127.0.0.1:8200" \
    hashicorp/vault-enterprise server \
        -config="/vault/config" \
        -dev-root-token-id="root" \
        -dev-listen-address="0.0.0.0:8200" \
        -dev -dev-ha -dev-transactional

Start `vault2` - This will be the initial Primary

In [None]:
docker stop vault2 || true
docker rm vault2 || true
docker run --rm -d \
    --name vault2 \
    -p 8202:8202 \
    -e 'VAULT_DEV_ROOT_TOKEN_ID=root' \
    -e "VAULT_ADDR=http://127.0.0.1:8202" \
    hashicorp/vault-enterprise server \
        -config="/vault/config" \
        -dev-root-token-id="root2" \
        -dev-listen-address="${VAULT_DEV_LISTEN_ADDRESS:-"0.0.0.0:8202"}" \
        -dev -dev-ha -dev-transactional

Start vault2 - This will be the initial Secondary

In [None]:
docker stop vault3; docker rm vault3
docker run --rm -d \
    --name vault3 \
    -p 8204:8200 \
    -e 'VAULT_DEV_ROOT_TOKEN_ID=root' \
    -e "VAULT_ADDR=http://127.0.0.1:8200" \
    hashicorp/vault-enterprise server -dev-ha -dev-transactional

### Step 1: Verify the Cluster Health

Please verify the health of your primary Vault servers by running these commands on EU-1 and NA-1:

In [6]:
export VAULT_ADDR=http://127.0.0.1:8200
export VAULT_TOKEN=root
export VAULT_SKIP_VERIFY=true

[?2004h[?2004l[?2004l

: 1

In [7]:
# consul members
printf "${GREEN}Verify Vault status${NC}\n"
vault status
vault2 status
# vault3 status
printf "${GREEN}Verify licenses${NC}\n"
# consul license get
vault read sys/license
VAULT_TOKEN=root2 vault2 read sys/license

[0;32mVerify Vault status[0m
[0mKey             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    1
Threshold       1
Version         1.7.3+ent
Storage Type    inmem_transactional_ha
Cluster Name    vault-cluster-163275c6
Cluster ID      12b35176-8e19-eac3-4c3a-66a48b0610d1
HA Enabled      true
HA Cluster      https://127.0.0.1:8201
HA Mode         active
Active Since    2021-07-08T16:19:43.447554Z
Last WAL        37[0m
[0mKey             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    1
Threshold       1
Version         1.7.3+ent
Storage Type    inmem_transactional_ha
Cluster Name    vault-cluster-163275c6
Cluster ID      12b35176-8e19-eac3-4c3a-66a48b0610d1
HA Enabled      true
HA Cluster      https://127.0.0.1:8201
HA Mode         active
Active Since    2021-07-08T16:19:43.447554Z
Last WAL        37[0m
[0;32mVerify licenses[0m
[0m
[93m  * time left on l

: 1

Be sure to press your `<return>` or `<enter>` key to actually execute the last of those commands if you paste the whole set.

* `consul members` should show a single Consul server and a single Consul client (the Vault server that talks to it).
* `vault status` should show that the Vault server is initialized and unsealed (by GCP Auto Unseal).
* `consul license get` and `vault read sys/license` commands should show Consul Enterprise and Vault Enterprise licenses that expire in the future, not today.

(Optional) You might also wish to login to the UIs of your Vault servers with their root tokens. You can find these on each console tab with this command:

In [8]:
echo EU-1 - $(cat /tmp/vault.log | grep Root)
echo NA-1 - $(cat /tmp/vault2.log | grep Root)

EU-1 - Root Token: root
NA-1 - Root Token: root2
[?2004h

: 1

Files in Lab
```
root@vault-eu-1:~# tree
.
├── config-files
│   ├── consul
│   │   ├── agent-policy.hcl
│   │   ├── bootstrap.txt
│   │   ├── consul.hclic
│   │   ├── encrypt_key.txt
│   │   └── token.txt
│   └── vault
│       ├── consul_vault_token.txt
│       ├── initialization.txt
│       ├── vault.hcl
│       └── vault.hclic
└── snap
    └── google-cloud-sdk
        ├── 171
        ├── 187
        ├── common
        └── current -> 112
```

Note that each cluster has its own distinct root token.

### Step 2: Mount Secrets Engines on EU-1

Before moving on to the next challenge, let's mount some secrets engines that will help you better understand which data is replicated between clusters when using Vault's DR and performance replication options.

We'll mount two KVv2 secrets engines on the **EU-1** cluster, one of which will contain data restricted by European GDPR laws.

Later, you will set up a mount filter to prevent it from being replicated to the NA clusters.

The second KVv2 secrets engine on the EU-1 cluster will contain non-GDPR data that can be legally replicated to the NA Vault clusters.

First, enable the `GDPR_Data` KVv2 secrets engine on the **EU-1** cluster by running this command on the EU-1 tab:

In [9]:
vault secrets enable -path=GDPR_Data kv-v2

[0mSuccess! Enabled the kv-v2 secrets engine at: GDPR_Data/[0m
[?2004h

: 1

This will return: `Success! Enabled the kv-v2 secrets engine at: GDPR_Data/`

Then, enable the `Non_GDPR_Data` KVv2 secrets engine on the **EU-1** cluster by running this command on `EU-1`:

In [10]:
vault secrets enable -path=Non_GDPR_Data kv-v2

[0mSuccess! Enabled the kv-v2 secrets engine at: Non_GDPR_Data/[0m
[?2004h

: 1

This will return: `Success! Enabled the kv-v2 secrets engine at: Non_GDPR_Data/`

Let's also write some secrets to both secrets engines by running these commands on `EU-1`:

In [64]:
vault kv put Non_GDPR_Data/capitals Germany=Berlin France=Paris England=London
vault kv put GDPR_Data/credit_scores Heike=78 Pierre=90 John=87

[0mKey              Value
---              -----
created_time     2021-07-08T16:58:09.312851Z
deletion_time    n/a
destroyed        false
version          1[0m
[0mKey              Value
---              -----
created_time     2021-07-08T16:58:09.440722Z
deletion_time    n/a
destroyed        false
version          1[0m
[?2004h

: 1

In the next challenge, you will enable performance replication between the `EU-1` and `NA-1` clusters.

---
## Notes

In this challenge, you will enable performance replication between the `EU-1` and `NA-1` clusters with the first being the primary cluster from the performance replication point of view.

This means that the `NA-1` cluster is the secondary cluster from the performance replication point of view even though it will end up being the primary from a DR point of view with regard to the `NA-2` cluster later in this lab.

In this challenge we are following the [Performance Replication with Mount Filters](https://learn.hashicorp.com/vault/operations/mount-filter) guide, but we will not enable mount filters until the next challenge.

# Challenge 2 - Enable Performance Replication

## Introduction

<details><summary></summary>

In this challenge, you will enable performance replication between the `EU-1` and `NA-1` clusters with the first being the primary cluster from the performance replication point of view.

This means that the **NA-1** cluster is the secondary cluster from the performance replication point of view even though it will end up being the primary from a DR point of view with regard to the **NA-2** cluster.

You will use the two KVv2 secrets engines that you enabled on the **EU-1** cluster at the end of the first challenge: `GDPR_Data` and `Non_GDPR_Data`.
</details>

## About Replication

<details><summary></summary>

When enabling a Vault cluster as a performance secondary and a DR primary, it is imperative to configure performance replication before DR replication.

Enabling a cluster as a secondary with regard to either type of replication wipes out ALL of its data including the data it needs to function as a primary for the other type.

Note, however, that it would never make sense to configure a cluster as a performance primary and DR secondary since DR secondaries cannot process any requests.

If you set up DR replication first, when you try to configure the DR primary as a performance secondary, you will get an error that prevents it. We know from experience!
</details>

## Lab Instructions

### Step 1: Enable Performance Replication

Let's start by enabling performance replication on the primary **EU-1** cluster by running the following command on **EU-1**:

In [12]:
vault write -f sys/replication/performance/primary/enable

[0m
[93m  * This cluster is being enabled as a primary for replication. Vault will be
  unavailable for a brief period and will resume service shortly.[0m
[93m[0m
[?2004h

: 1

The `-f` option is required by the `write` command when no key/value pairs are provided to it.

The above command should return the following message:
```
This cluster is being enabled as a primary for replication. Vault will be unavailable for a brief period and will resume service shortly.
```

Next, generate a secondary token for performance replication on **EU-1**:

In [14]:
vault write -format=json sys/replication/performance/primary/secondary-token id=NA-1 \
    | jq -r ".wrap_info" | tee /tmp/config/vault/wrapping_token.txt

{[?2004h[?2004l
  "token": "eyJhbGciOiJFUzUxMiIsInR5cCI6IkpXVCJ9.eyJhY2Nlc3NvciI6IiIsImFkZHIiOiJodHRwOi8vMTI3LjAuMC4xOjgyMDAiLCJleHAiOjE2MjU3NjMzNDQsImlhdCI6MTYyNTc2MTU0NCwianRpIjoicy5yd3RObTVSOVFaV0hSYU84eTR5d2t3VGUiLCJuYmYiOjE2MjU3NjE1MzksInR5cGUiOiJ3cmFwcGluZyJ9.AFJ2QFpuUtHDpzLNsz3UovdI_L6_XpraDixXrI_F9FEp76OZ5fX2-DfLeyx5CGEG_96YahwWadDCXsj3ybwuOK3VALNws5-pkWKcRpFrv9F3kVZcFwvZClPldkt4pOrP94Qhd4viOMABtKVcIIUGyPWTO8g4SCtkdsXCFVQbi0AMqiho",
  "accessor": "9v7RkluSm1fVzZcL32I0t8zA",
  "ttl": 1800,
  "creation_time": "2021-07-08T09:25:44.951628-07:00",
  "creation_path": "sys/replication/performance/primary/secondary-token",
  "wrapped_accessor": ""
}
[?2004h

: 1

We have given the secondary token the ID, "`NA-1`".

This should return something like this:
```
Key                              Value
wrapping_token:                  eyJhbGciOiJFUzUxMiIsImtpZCI6IiIsIn...
wrapping_accessor:               54DprQVRNl3DddHf7sOi4GvS
wrapping_token_ttl:              30m
wrapping_token_creation_time:    2020-01-31 04:42:24.449277782 +0000 UTC
wrapping_token_creation_path:    sys/replication/performance/primary/secondary-token
```

Note that we have generated a wrapping token, which is a special token that can be used once to obtain another token.

You can think of it as a small key to a safe deposit box that contains a bigger key to a bigger safe; but the small key can only be used once.

It is also possible to create a secondary public key on the performance replication secondary cluster and then generate an unwrapped token with that public key.

We will use this method for enabling DR replication between the two NA clusters in the second half of the next challenge.

#### (optional) Revoke token - Performance Replication

In [None]:
vault write sys/replication/performance/primary/revoke-secondary id="NA-1"

#### Enable performance replication on Secondary

Now, you can enable performance replication on the `NA-1` cluster by running the following command on `NA-1` where `token` is the wrapping token you received from the last command:

In [20]:
export VAULT_TOKEN=root2
# vault write sys/replication/performance/secondary/enable ca_file=/etc/consul.d/tls/consul-agent-ca.pem token=<token>
vault2 write sys/replication/performance/secondary/enable token=$(jq -r ".token" /tmp/config/vault/wrapping_token.txt)

[0m
[93m  * Vault has successfully found secondary information; it may take a while to
  perform setup tasks. Vault will be unavailable until these tasks and initial
  sync complete.[0m
[93m[0m
[?2004h

: 1

This command should return this message:
```
Vault has successfully found secondary information; it may take a while to perform setup tasks. Vault will be unavailable until these tasks and initial sync complete.
```

After waiting 20-30 seconds, please check the status of the performance replication on **EU-1** and **NA-1**:

In [21]:
printf "${GREEN}Vault - EU-1 - Status${NC}\n"
vault read sys/replication/performance/status

[0;32mVault - EU-1 - Status[0m
[0mKey                     Value
---                     -----
cluster_id              e7a29f5e-c084-83d0-90c9-509313e98b28
known_secondaries       [NA-1]
last_performance_wal    65
last_reindex_epoch      0
last_wal                87
merkle_root             76c7a491f67def5c03588efa48b48cf09d390790
mode                    primary
primary_cluster_addr    n/a
secondaries             [map[api_address:http://127.0.0.1:8202 cluster_address:https://127.0.0.1:8203 connection_status:connected last_heartbeat:2021-07-08T09:28:43-07:00 node_id:NA-1]]
state                   running[0m
[?2004h

: 1

If it fails, wait 15 seconds and try again.

On the **EU-1** server, it should give output like this:
```
Key                     Value
cluster_id              ce87f417-c6ec-edea-73aa-6c671f84f700
known_secondaries       [NA-1]
last_reindex_epoch      0
last_wal                54
merkle_root             3bf96a9d706364ac24d0cc7138d23aac7d1157be
mode                    primary
primary_cluster_addr    n/a
state                   running
```

In [22]:
printf "${GREEN}Vault2 - NA-1 - Status${NC}\n"
vault2 read sys/replication/performance/status

[0;32mVault2 - NA-1 - Status[0m
[0mKey                            Value
---                            -----
cluster_id                     e7a29f5e-c084-83d0-90c9-509313e98b28
connection_state               ready
known_primary_cluster_addrs    [https://127.0.0.1:8201]
last_reindex_epoch             1625761713
last_remote_wal                0
merkle_root                    76c7a491f67def5c03588efa48b48cf09d390790
mode                           secondary
primaries                      [map[api_address:http://127.0.0.1:8200 cluster_address:https://127.0.0.1:8201 connection_status:connected last_heartbeat:2021-07-08T09:28:53-07:00]]
primary_cluster_addr           https://127.0.0.1:8201
secondary_id                   NA-1
state                          stream-wals[0m
[?2004h

: 1

On the `NA-1` server, it should give output like this:
```
Key                            Value
cluster_id                     ce87f417-c6ec-edea-73aa-6c671f84f700
known_primary_cluster_addrs    [https://10.132.0.44:444]
last_reindex_epoch             1580482246
last_remote_wal                0
merkle_root                    3bf96a9d706364ac24d0cc7138d23aac7d1157be
mode                           secondary
primary_cluster_addr           https://10.132.0.44:444
secondary_id                   NA-1
state                          stream-wals
```

NOTE: The status of the primary includes the ID of the secondary (`secondaries`), while the status of the secondary includes the address of the primary (`primaries`). Additionally, the values of the `cluster_id` and `merkle_root` keys match across clusters.

NOTE: The `last_wal` from the primary and the `last_remote_wal` from the secondary should match or be close. If the secondary shows `0`, making some writes will trigger a change.

### Step 2: Generate a New Root Token For NA-1

If you did not review all of the Notes for the first challenge was starting, we recommend you do that now.

In the first challenge, we enabled the following secrets engines:

* `GDPR_Data` on **EU-1** which can **NOT** be replicated to the NA clusters.
* `Non_GDPR_Data` on **EU-1** which can be replicated to the NA clusters.

Since Vault's performance replication replicates all mounts by default, you might expect the secret you wrote earlier to the `GDPR_Data` engine on **EU-1** to be visible on the NA-1 cluster.

Confirm this by running this command on `NA-1`:

In [23]:
vault2 kv get GDPR_Data/credit_scores

[91mError making API request.

URL: GET http://127.0.0.1:8202/v1/sys/internal/ui/mounts/GDPR_Data/credit_scores
Code: 403. Errors:

* permission denied[0m
[?2004h

: 1

You'll actually get a `permission denied` error. But there's a good reason: Remember that enabling a secondary for either type of replication wipes out ALL of the secondary's data, including Vault tokens.

While it is true that performance replication does not replicate tokens and leases, the `NA-1` cluster currently does not have any tokens. So, we need to create one for it on the `EU-1` cluster.

Since performance replication does not replicate tokens, you need to create a new `root` token for the `NA-1` cluster from recovery keys.

Specifically, you need to use the recovery keys from the primary performance cluster, `EU-1`, since setting up `NA-1` as a performance secondary to `EU-1` replaced its master and encryption keys with those from **EU-1**.

(If you were using the default Shamir's seal, then you would use the unseal keys instead of recovery keys.) The process is the same that you used in Lab 3.

So, please generate a new root token from your **EU-1** recovery keys on `NA-1` as follows:

First, generate a one-time password to use for the root token process on `NA-1`:

In [25]:
vault2 operator generate-root -generate-otp | tee /tmp/config/vault/otp.txt
OTP=$(cat /tmp/config/vault/otp.txt)
echo $OTP

0SAA5ROhkKaXZx3Ggqvw2Ulkb5[?2004h[?2004l[?2004l
[?2004h

: 1

Next, initialize the root token generation process with a command like this on `NA-1`. The OTP was returned by the previous command:

In [26]:
vault2 operator generate-root -format=json -init -otp=${OTP} | tee /tmp/config/vault/NONCE.txt
NONCE=$(jq -r '.nonce' /tmp/config/vault/NONCE.txt)
echo $NONCE
# <your_otp>

{[?2004l
  "nonce": "774fb972-67eb-d78b-0364-a320e70dbeb5",
  "started": true,
  "progress": 0,
  "required": 1,
  "complete": false,
  "encoded_token": "",
  "encoded_root_token": "",
  "pgp_fingerprint": "",
  "otp": "",
  "otp_length": 26
}
774fb972-67eb-d78b-0364-a320e70dbeb5
[?2004h[?2004l

: 1

Next, run the following command twice on `NA-1`, using two of the recovery keys in the `initialization.txt` file under `/root/config-files/vault` on `EU-1`.

Do not use the recovery keys from `NA-1`, but do run the command on `NA-1`:

In [27]:
# UNSEAL_KEY_1=$(grep "Unseal Key:" /tmp/vault.log | awk '{print $NF}')
# grep "Root Token:" /tmp/vault.log | awk '{print $NF}'
vault2 operator generate-root -nonce=${NONCE} ${UNSEAL_KEY_1} | tee /tmp/config/vault/ENCODED_TOKEN.txt

Nonce            774fb972-67eb-d78b-0364-a320e70dbeb5
Started          true
Progress         1/1
Complete         true
Encoded Token    Q313GVo8HjsmATttHBALBiEaBEJGASUMJls
[?2004h

: 1

In [28]:
ENCODED_TOKEN=$(grep Token /tmp/config/vault/ENCODED_TOKEN.txt | awk '{print $NF}')
echo $ENCODED_TOKEN

Q313GVo8HjsmATttHBALBiEaBEJGASUMJls
[?2004h

: 1

The second time you run this, you should see something like:
```
Nonce            <nonce>
Started          true
Progress         2/2
Complete         true
Encoded Token    PR8HLgZ8Hh8CXH8xRFxAFSsUdjgvCQIbMzw
```

If you don't see the `Encoded Token` field and the `Progress` field set to `2/2`, try again, making sure you use a different recovery key in the two invocations of the command and that you use the recovery keys from the `EU-1` tab, not from the `NA-1` tab.

You can now decode your new root token with a command like this where <token> is the encoded token returned by the last command and <otp> is the OTP you got back from the first generate-root command above:

In [29]:
vault2 operator generate-root -decode=${ENCODED_TOKEN} -otp=${OTP} | tee /tmp/config/vault/VAULT_TOKEN_ROOT_2.txt
export VAULT_TOKEN_ROOT_2=$(cat /tmp/config/vault/VAULT_TOKEN_ROOT_2.txt)
echo $VAULT_TOKEN_ROOT_2

s.6XonQSMJZ5Fh8AFkr5tTIgDn[?2004h[?2004l[?2004l
[?2004h

: 1

This will give you your new root token for `NA-1`.

Now, you need to export the new root token on `NA-1`:

In [30]:
export VAULT_TOKEN=$VAULT_TOKEN_ROOT_2
echo $VAULT_TOKEN

s.6XonQSMJZ5Fh8AFkr5tTIgDn
[?2004h

: 1

It will also be useful to update your .bash_profile script to use it instead of the old root token:

```
sed -i '$d' /root/.bash_profile
echo "export VAULT_TOKEN=$VAULT_TOKEN" >> /root/.bash_profile
```

Now, you can finally read the `GDPR_Data/credit_scores` secret on `NA-1`:

In [None]:
export VAULT_TOKEN=root
vault2 token lookup

In [31]:
vault2 kv get GDPR_Data/credit_scores

[91mNo value found at GDPR_Data/data/credit_scores[0m
[?2004h

: 1

In [32]:
# testing for Taylor. Delete
vault2 kv get GDPR_Data/taylor/credit_scores

[0mKey              Value
---              -----
created_time     2021-07-08T16:22:42.706711Z
deletion_time    n/a
destroyed        false
version          1[0m
[0m[0m
[0m===== Data =====[0m
[0mKey       Value
---       -----
Heike     78
John      87
Pierre    90[0m
[?2004h

: 1

You should see the credit scores for 3 people along with metadata about the secret.

When you enabled performance replication on the secondary cluster, the Vault license was reset to a 30 minute evaluation license. So, you need to apply an evaluation license with a longer duration.

Please do that by running this command on the `NA-1` tab:

In [None]:
vault write sys/license text=@vault_20210715.hclic
vault2 write sys/license text=@vault_20210715.hclic

### (optonal) UI Login

* Finally, we want to note that you can login to the Vault UI for both the EU-1 and the NA-1 clusters. However, you need to use the EU-1 server's original root token in the EU-1 UI and the new root token you just generated in the NA-1 UI.

* You can find the first in the initialization.txt file under the /root/config-files/vault directory on the EU-1 tab.

* If you do login to either UI, you should see both the `GDPR_Data` and the `Non_GDPR_Data` secrets engines on the "Secrets" tab and can see the secrets they contain.

In the next challenge, you will explore the filtering of secrets between clusters in performance replication sets.

- slug: 3-filter-secrets-with-performance-replication

# Challenge 3 - Filter Secrets Shared Via Performance Replication

teaser:
Filter which secrets are shared via performance replication using mount filters and local mounts.

## assignment

### Introduction

In this challenge, you will enable filtering of secrets between primary and secondary clusters that are part of a performance replication set.

You will first enable a mount filter to block secrets stored in the GDPR_Data secrets engine from being replicated to the NA-1 cluster.

Then, you will enable two new secrets engines on the NA-1 cluster and designate one of them as a `local` mount so that its secrets will not be replicated from the NA-1 cluster to the EU-1 cluster.

---  

## Lab Instructions

### Step 1: Filter EU-1 Secrets Replicated to NA-1

Recall that the `GDPR_Data` secrets engine is not supposed to be replicated to the NA clusters. You will now enforce the desired restriction on it by setting up a mount filter for it.

Set up the desired mount filter on `EU-1` with the following command:

In [34]:
export VAULT_TOKEN=root

[?2004h

: 1

In [61]:
vault write sys/replication/performance/primary/paths-filter/NA-1 mode=deny paths="GDPR_Data"

[0mSuccess! Data written to: sys/replication/performance/primary/paths-filter/NA-1[0m
[?2004h

: 1

NOTE: Can add multiple mount paths and namespaces by separating them with commas.

In [62]:
vault read sys/replication/performance/primary/paths-filter/NA-1

[0mKey      Value
---      -----
mode     deny
paths    [GDPR_Data/][0m
[?2004h

: 1

Try reading the `GDPR_Data/credit_scores` secret on `NA-1` again:

In [58]:
vault2 kv get GDPR_Data/credit_scores

[91mError making API request.

URL: GET http://127.0.0.1:8202/v1/sys/internal/ui/mounts/GDPR_Data/credit_scores
Code: 403. Errors:

* preflight capability check returned 403, please ensure client's policies grant access to path "GDPR_Data/credit_scores/"[0m
[?2004h

: 1

This time, you should receive an error including this text:

```
preflight capability check returned 403, please ensure client's policies grant access to path "GDPR_Data/credit_scores/"
```

This is the same error you would get if you tried to read any non-existent secret from Vault.

However, you should  be able to read the `Non_GDPR_Data/capitals` secret on `NA-1` since secrets are replicated from a performance primary cluster to secondary clusters, unless mount filters are created that explicitly prevent this:

In [65]:
vault2 kv get Non_GDPR_Data/capitals

[0mKey              Value
---              -----
created_time     2021-07-08T16:58:09.312851Z
deletion_time    n/a
destroyed        false
version          1[0m
[0m[0m
[0m===== Data =====[0m
[0mKey        Value
---        -----
England    London
France     Paris
Germany    Berlin[0m
[?2004h

: 1

This should show 3 European capital cities.

### Step 2: Filter NA-1 Data to EU-1

We also want to illustrate the filtering of secrets from a performance secondary cluster to the primary cluster.

To do this, we will enable two KVv2 secrets engines on the NA-1 cluster, one of which will be configured as a `replicated` mount and the other as a `local` mount.

The first will be replicated from the `NA-1` cluster to the `EU-1` cluster, but the second will not be.

Enable a replicated KVv2 secrets engine called `Replicated_Data` on `NA-1`:

In [None]:
vault2 secrets enable -path=Replicated_Data kv-v2

This should return: `Success! Enabled the kv-v2 secrets engine at: Replicated_Data/`

If it gives an error, please wait 15 seconds and try again.

Then, enable a second KVv2 secrets engine called `Local_Data` on `NA-1`:

In [None]:
vault2 secrets enable -path=Local_Data -local=true kv-v2

This will return: `Success! Enabled the kv-v2 secrets engine at: Local_Data/`

We used the `-local` argument when creating the `Local_Data` secrets engine to indicate that it should be handled locally by the `NA-1` cluster and that its data should **not** be replicated to the `EU-1` cluster.

Let's also write some secrets to these secrets engines on `NA-1`:

In [None]:
vault2 kv put Replicated_Data/capitals US=Washington Mexico="Mexico_City" Canada=Ottawa
vault2 kv put Local_Data/credit_scores Tim=90 Susan=80 Linda=85

LAB NOTE: Jupyter bash shell does not like spaces for values in k/v pairs.

If you get an error from the first command, please run it again.

Try to read the `Replicated_Data/capitals` secret on the `EU-1` cluster by running this command on `EU-1`.

In [None]:
vault kv get Replicated_Data/capitals

You will see the capitals of the 3 North American countries.

This confirms that the secrets in the `Replicated_Data` secrets engine that you enabled on the `NA-1` cluster **are** being replicated to the `EU-1` cluster.

Let's verify that the `Local_Data/credit_scores` secret **cannot** be read on `EU-1`.

In [None]:
vault kv get Local_Data/credit_scores

You will get an error including this text:

```
preflight capability check returned 403, please ensure client's policies grant access to path "Local_Data/credit_scores/"
```

This confirms that secrets in the `Local_Data` secrets engine enabled on the `NA-1` cluster **are not** being replicated to the `EU-1` cluster.

So, we now have correctly configured performance replication so that only desired secrets are being replicated in both directions.


---

In the next challenge, you will set up disaster recovery replication for both the EU and the NA clusters.

## notes:

In this challenge, you will explore the filtering of secrets from a performance secondary cluster to the primary cluster.

You will enable two KVv2 secrets engines on the NA-1 cluster, one of which will be configured as a `replicated` mount and the other as a `local` mount.

The first will be replicated from the NA-1 cluster to the EU-1 cluster, but the second will not be.

- slug: 4-verify-vault-health-2

# title: Challenge 4 - Verify the Health of Your Secondary Vault Clusters

teaser: |
  Verify the health of your secondary Vault clusters.

## assignment: |-

### Introduction

We will create 2 additional Vault Enterprise clusters:
* `EU-2` (the secondary DR cluster in Europe)
* `NA-2` (the secondary DR cluster in North America)

To see the UI:
* `EU-1` http://127.0.0.1:8200
* `NA-1` http://127.0.0.1:8202
* `EU-2` http://127.0.0.1:8204 (not available until next step)
* `NA-2` http://127.0.0.1:8206 (not available until next step)

---

In [None]:
vrd3 &
vrd4 &

## Lab Instructions

### Step 1: Verify the Cluster Health

Verify the health of your secondary Vault servers on `EU-2` and `NA-2`:

In [None]:
# consul members
vault3 status
vault4 status

# consul license get
VAULT_TOKEN=root3 vault3 read sys/license

* `consul members` should show a single Consul server and a single Consul client (the Vault server that talks to it).
* `vault status` should show that the Vault server is initialized and unsealed (by GCP Auto Unseal).
* `consul license get` and `vault read sys/license` commands should show Consul Enterprise and Vault Enterprise licenses that expire in the future, not today.

(Optional) You might also wish to login to the UIs of your Vault servers with their root tokens. You can find these on each console tab with this command:

cat /root/config-files/vault/initialization.txt | grep Root

NOTE: Each cluster has its own distinct root token.

---

Now, you're ready to move on to the next challenge in which you will enable disaster recovery replication between the `EU-1` and `EU-2` clusters and between the `NA-1` and `NA-2` clusters.

## notes:

In this challenge, you'll verify the health of 2 additional Vault Enterprise clusters that have been created for you. Each of them has a single Vault server backed by a single Consul server. The Vault servers have been unsealed using GCP Auto Unseal.

- slug: 5-enable-dr-replication

# title: Challenge 5 - Enable Disaster Recovery Replication
teaser: |
Enable disaster recovery replication between Vault Enterprise clusters.

## assignment: |-
### Introduction

In this challenge, you will enable disaster recovery (DR) replication between Vault Enterprise clusters.

You will first enable DR replication between the EU-1 and EU-2 clusters using a wrapping token. (This is the approach described in the Disaster Recovery Replication Setup guide.)

You will then enable DR replication between the NA-1 and NA-2 clusters using a secondary public key and an unwrapped token.

This latter approach involves an extra step but is sometimes easier to implement when TLS is enabled on both clusters.

---

### Lab Instructions

### Step 1: Enable DR Replication With a Wrapping Token

Let's start by enabling DR replication on the `EU-1` cluster, which is the primary cluster with regard to disaster recovery within the (`EU-1`,`EU-2`) pair.

Do this by running this command on `EU-1`:

In [None]:
vault write -f sys/replication/dr/primary/enable

Running that command should give this message with yellow text:

```
This cluster is being enabled as a primary for replication. Vault will be unavailable for a brief period and will resume service shortly.
```

NOTE: If you get an error, please try a few more times until you do see that message.

Note that this command writes to a different path than the one used to enable Performance replication on a primary.

* That path was `sys/replication/performance/primary/enable`
* This path is `sys/replication/dr/primary/enable`.

Next, you need to generate a secondary wrapping token on the `EU-1` server that can then be given to the `EU-2` cluster.

Do that by running this command on `EU-1`:

In [None]:
VAULT_TOKEN=root vault write -format=json sys/replication/dr/primary/secondary-token \
    id=EU-2 \
    | jq -r ".wrap_info" | tee /tmp/config/vault/wrapping_token.txt

This should return something like this:

```
Key                              Value
wrapping_token:                  eyJ...
wrapping_accessor:               kPu...
wrapping_token_ttl:              30m
wrapping_token_creation_time:    2020-01-31 00:09:51.376424252+0000 UTC
wrapping_token_creation_path:    sys/replication/dr/primary/secondary-token
```

The data is written to the `wrapping_token.txt` file.

* If you get an error, please wait 30 seconds and try again. If you still get an error, try checking the DR replication status on `EU-1` by running

In [None]:
vault read sys/replication/dr/status

The `state` should be `running`. If it is, please try generating the secondary token one more time.

The most important thing is the `wrapping_token` which you will use in the next step when enabling the `EU-2` cluster as a DR secondary to the `EU-1` cluster.

To avoid issues with newlines in the wrapping token, let's copy it from the `EU-1` server to the `EU-2` server and put it in an environment variable by running these commands on the "`EU-2`" server:

```
scp -o StrictHostKeyChecking=no vault-eu-1:/root/config-files/vault/wrapping_token.txt /root/config-files/vault/wrapping_token.txt
wrapping_token=$(cat /root/config-files/vault/wrapping_token.txt | grep wrapping_token: | cut -d' ' -f19)
```

#### (optional) Revoke token - secondary

In [None]:
VAULT_TOKEN=root vault write sys/replication/dr/primary/revoke-secondary id="EU-2"

Now, you can enable DR replication on `EU-2` with this command:

In [None]:
# vault3 write sys/replication/dr/secondary/enable ca_file=/etc/consul.d/tls/consul-agent-ca.pem token=$wrapping_token
VAULT_TOKEN=root3 vault3 write sys/replication/dr/secondary/enable \
    token=$(jq -r '.token' /tmp/config/vault/wrapping_token.txt)

> NOTE: The `ca_file` argument points to the CA that we generated with Consul. This is not mentioned in the Vault replication guides, since they discuss deployments in which TLS has not been enabled.

This will return a message like this:

```
Vault has successfully found secondary information; it may take a while to perform setup tasks. Vault will be unavailable until these tasks and initial sync complete.
```

If you get an error, please try again.

IMPORTANT: Remember that enabling DR replication on a secondary Vault cluster will clear **ALL** data on the secondary.

While most Vault data from the primary will be replicated to the secondary, **Vault licenses are not replicated** since they are sometimes tied to specific cluster IDs.

Most Vault operations cannot be done against a DR secondary, but you **CAN** write a license to it if you provide a DR operation token.

We won't do that now but will show you how in the next challenge while promoting the `NA-2` DR secondary to DR primary.

> If using evaluation Vault Enterprise binaries that require licenses, you would normally generate a DR operation token and apply a license immediately after enabling DR replication on any secondary Vault cluster.

Please verify the status of your DR replication on both clusters with this command:

In [None]:
printf "${GREEN}EU-1${NC}\n"
vault read sys/replication/dr/status
printf "${GREEN}EU-2${NC}\n"
vault3 read sys/replication/dr/status

* If it fails, please wait 15 seconds and try again.

On the primary cluster (`EU-1`), this will give something like this:

```
Key                     Value
cluster_id              440...
known_secondaries       [EU-2]
last_reindex_epoch      0
last_wal                33
merkle_root             c35...
mode                    primary
primary_cluster_addr    n/a
state                   running
```

On the secondary cluster (`EU-2`), this will give something like this:

```
Key                            Value
cluster_id                     440...
known_primary_cluster_addrs    [https://10.132.0.93:444]
last_reindex_epoch             158...
last_remote_wal                0
merkle_root                    c35...
mode                           secondary
primary_cluster_addr           https://10.132.0.93:444
secondary_id                   EU-2
state                          stream-wals
```

Confirm
* The `cluster_id` and `merkle_root` fields match between the two clusters.
* Additionally, if you run `ifconfig` on the primary cluster, you can verify that it matches the IP shown in the above output for the secondary cluster.
* (Optional) If you look at the Vault UI for the `EU-1` and `EU-2` servers, the first will give you the normal login prompt asking you to enter your root token. But the second has a different screen giving you options related to Disaster Recovery management of the secondary DR cluster.

You cannot login and use the `EU-2` UI because only the primary DR cluster is allowed to process requests. Secondary DR clusters like `EU-2` are in a warm standby state.

### Step 2: Enabling Replication with TLS

At this point, we want to mention a few things we did when configuring TLS for our Consul and Vault clusters in the setup scripts of this lab. We made the following changes in order to make the wrapping token approach to DR replication work:

* We generated a single CA with the `consul tls ca create` command on the consul-eu-1 server and SCP-ed it to the Consul servers in the other clusters.
* All 4 Consul servers then generated their TLS server and client certs from their copies of this CA, ensuring that all 4 clusters share and trust the same CA. (Using a single CA is not required but does make things simpler.)
* We determined the private IP of the Vault servers with the `ifconfig` command and then generated the Consul TLS client certs for them with commands like `consul tls cert create -dc=eu1 -additional-ipaddress=$private_ip -client`, using two extra arguments that we had not originally used:
  * `-dc` to specify the name of the datacenter.
  * `-additional-ipaddress` to make the client certs valid for the private IP of the Vault servers.

Prior to doing the extra TLS configuration above while developing this lab, we got error messages when trying to enable DR replication for the secondary cluster since the certificate of the primary Vault server had only been valid for 127.0.0.1.

As noted above, we also had to add the `ca_file` argument to the command that enabled DR replication for the secondary cluster so that it would accept the authenticity of the primary cluster.

### Enable DR Replication With a Public Key

The second method of enabling DR replication between two Vault clusters uses a secondary public key and an unwrapped token instead of a wrapping token.

It avoids an API call made from the secondary cluster to the primary in the final step. Avoiding this API call allows DR replication to be established even when the TLS certificates of the clusters are not configured 100% correctly.

If we had tried it before the wrapping token method, it is probable that we would not have had to modify our TLS certificates as described above.

Now, let's enable DR replication between the `NA-1` and `NA-2` clusters using the secondary public key approach.

The first step is to enable DR replication on the primary `NA-1` cluster. Please do this with the same command you used before on the `NA-1` tab:

In [None]:
VAULT_TOKEN=$(cat /tmp/config/vault/VAULT_TOKEN_ROOT_2.txt) vault2 write -f sys/replication/dr/primary/enable

This should return the same message you saw when you enabled DR replication on the EU-1 cluster:

```
This cluster is being enabled as a primary for replication. Vault will be unavailable for a brief period and will resume service shortly.
```

* If you get an error, please try a few more times until you do see that messgae.

The second step with the secondary public key approach is different since we have to generate the secondary public key.

Please run the following command on the `NA-2` tab:

In [None]:
VAULT_TOKEN=root4 vault4 write -format=json -f sys/replication/dr/secondary/generate-public-key \
    | tee /tmp/config/vault/spk.txt
SPK=$(jq -r '.data.secondary_public_key' /tmp/config/vault/spk.txt)
echo $SPK

* If it fails, wait 15 seconds and try again.

This will return something like this:

```
Key                     Value
secondary_public_key    d01pWcnygLWsd40XDdQcVhiV2uj7FF+1DcZYX67ZmSg
```

The third step is similar to the second step when using the wrapping token method.

Please run the following command on the `NA-1` tab to generate a secondary token for use by the NA-2 cluster but replace `<your_spk>` with the secondary public key you received from the previous command:

In [None]:
VAULT_TOKEN=$(cat /tmp/config/vault/VAULT_TOKEN_ROOT_2.txt)
vault2 write sys/replication/dr/primary/secondary-token \
    id=NA-2 secondary_public_key=${SPK} \
    | tee /tmp/config/vault/sec_token.txt

We are outputting the generated token to a file since it will be quite large and because copying and pasting it (at least within the Instruqt environment) can cause part of it to be lost.

* If you get an error such as

`local node not active but active cluster node not found`

Please try again. If you get the same error, try checking the DR replication status on NA-1 by running

vault read sys/replication/dr/status

The state should be `running`. If it is, please try generating the secondary token one more time. Sometimes, checking the DR replication status fixes the problem.

Next, copy and extract the token to the NA-2 server by running these commands on the *NA-2* tab:

```
scp -o StrictHostKeyChecking=no vault-na-1:/root/config-files/vault/sec_token.txt /root/config-files/vault/sec_token.txt
sec_token=$(cat /root/config-files/vault/sec_token.txt | grep token | cut -d' ' -f5)
```

Finally, after waiting 60 seconds, you should enable DR replication on the NA-2 cluster by running this command on the *NA-2* tab:

In [None]:
sec_token=$(grep token /tmp/config/vault/sec_token.txt | awk '{print $NF}')
# VAULT_TOKEN=root4 vault4 write sys/replication/dr/secondary/enable ca_file=/etc/consul.d/tls/consul-agent-ca.pem token=$sec_token
VAULT_TOKEN=root4 vault4 write sys/replication/dr/secondary/enable token=$sec_token

This command is the same as the final command you used when enabling DR replication on the `EU-2` cluster.

The difference here is not in the command itself but in the `token` and how the `NA-2` Vault server processes it.

Upon seeing that the `token` includes the secondary public key that you generated on `NA-2` itself, the `NA-2` server immediately trusts the token and skips making an API call to the `NA-1` cluster that would require the clusters to have TLS configured 100% correctly.

* If the last command above that enables DR replication on the `NA-2` server gives an error saying that

```
Vault is sealed
```

Please restart the `NA-2` server and verify that this unseals it by running

```
systemctl restart vault
```

and

```
vault status
```

on the `NA-2` tab. Then try enabling secondary DR replication on the *NA-2* tab again.

If that still does not work and the error is

`unable to retrieve private key from core`

You should revoke the DR secondary token by running

```
vault write sys/replication/dr/primary/revoke-secondary id=NA-2
```

on the *NA-1* tab and then repeat the above process from the point where you generated the shared public key on the *NA-2* tab.

Be sure to wait 60 seconds after copying the token to the `NA-2` server.

As mentioned above, enabling DR replication on a secondary Vault cluster will clear **ALL** data on the secondary including any Vault licenses, which are not replicated from primary DR clusters since they are sometimes tied to specific cluster IDs.

As mentioned above, if using evaluation Vault Enterprise binaries that require licenses, you would normally generate a DR operation token and use it to apply a license immediately after enabling DR replication on any secondary Vault cluster. But we won't do that here.

Please verify the status of your DR replication on both NA clusters by running this command on the *NA-1* and *NA-2* tabs:

`NA-1`:

In [None]:
VAULT_TOKEN=$VAULT_TOKEN_ROOT_2 vault2 read sys/replication/dr/status

`NA-2`:

In [None]:
VAULT_TOKEN=root4 vault4 read sys/replication/dr/status

As was the case with the EU Vault UIs, after enabling DR replication, only the primary UI (NA-1) will allow you to login; the NA-2 UI now only supports DR replication management operations.

---

NOTE: The lesson you should learn from having implemented DR replication with both methods is that if you do have TLS-related problems using the wrapping token method, you should try the secondary public key method.

That will probably be easier than fixing your TLS certificates. The same lesson applies to implementing performance replication since doing that with secondary public keys is also possible.

### notes:

In this challenge, you will enable disaster recovery (DR) replication between Vault Enterprise clusters.

You will first enable DR replication between the EU-1 and EU-2 clusters using a [wrapping token](https://www.vaultproject.io/docs/concepts/response-wrapping/#response-wrapping-tokens). You will then enable DR replication between the NA-1 and NA-2 clusters using a secondary public key and an unwrapped token.

This latter approach involves an extra step but is sometimes easier to implement when TLS is enabled on both clusters.

We are following the [Disaster Recovery Replication Setup](https://learn.hashicorp.com/vault/day-one/ops-disaster-recovery) guide for the first half and then supplementing it by covering the second method.

- slug: 6-promote-dr-secondary-to-primary

# Challenge 6 - Promote a DR Secondary Cluster to Primary

teaser: |
Simulate the failure of a primary DR cluster and promote the secondary DR cluster to primary. Verify that the primary cluster's data is available on the secondary.

## assignment: |-

### Introduction

In this challenge, you will simulate the failure of the NA-1 cluster by stopping its Vault server.

You will then promote the NA-2 cluster from DR secondary to DR primary and verify that the data previously visible on the NA-1 cluster is now visible on the NA-2 cluster.

This will include the data stored on the EU-1 cluster since the NA-2 cluster will also become a performance secondary to EU-1.

---

## Lab Instructions

### Step 1: Stop the Primary

First, stop the `NA-1` Vault server by running this command on the *NA-1* tab:

`systemctl stop vault`

In [None]:
kill -9 $(ps -ef | grep ":8202" | grep vault | awk '{print $2}')

### Step 2: Promote the Secondary

Next, we want to promote the secondary NA-2 cluster to be the primary DR cluster in the (NA-1, NA-2) DR replication set.

In order to do that, we first must generate a DR operation token which we will need when promoting the NA-2 cluster.

This is similar to the process you used when generating a new root token for the NA-1 cluster from the recovery keys of the EU-1 cluster in the second challenge.

Initialize the generation of the DR operation token by running this command on `NA-2`:

In [None]:
VAULT_TOKEN=root4
vault4 operator generate-root -format=json -dr-token -init | tee /tmp/config/vault/nonce.txt
nonce=$(jq -r '.nonce' /tmp/config/vault/nonce.txt)
otp=$(jq -r '.otp' /tmp/config/vault/nonce.txt)
echo $nonce $otp

This will generate both a one-time password and a nonce and show something like the following:

```
A One-Time-Password has been generated for you and is shown in the OTP field.
You will need this value to decode the resulting root token, so keep it safe.
Nonce         78606d7c-9c21-1d90-fb10-a8e7a33cdee9
Started       true
Progress      0/2
Complete      false
OTP           YAXrVotntJhXsMHBS4kHTjafNq
OTP Length    26
```

Next, run the following command twice on `NA-2`, using two of the recovery keys in the `initialization.txt` file under `/root/config-files/vault` on the `EU-1` tab.

In [None]:
vault4 operator generate-root -format=json -dr-token -nonce=$nonce $UNSEAL_KEY_1 \
    | tee /tmp/config/vault/encoded_token.txt
encoded_token=$(jq -r '.encoded_token' /tmp/config/vault/encoded_token.txt)
echo $encoded_token

NOTE: You must use the recovery keys from the *EU-1* tab because you set up `NA-1` as a performance secondary to `EU-1` and then set up `NA-2` as a DR secondary to `NA-1`.

The first action replaced `NA-1`'s original master key with `EU-1`'s master key while the second action replaced `NA-2`'s master key with `NA-1`'s new master key which is the master key of `EU-1`.

The second time you run this, you should see something like:

```
Nonce            <nonce>
Started          true
Progress         2/2
Complete         true
Encoded Token    Km8ONj9cLlcxADkfBQIiCRFyLRouUiMQAhI
```

If you don't see the `Encoded Token` field and the `Progress` field set to `2/2`, try again, making sure you use a different recovery key in the two invocations of the command and that you use the recovery keys from the `initialization.txt` file on the *EU-1* tab, **not** from the *NA-1* or *NA-2* tabs.

### (optional) Cancelling the generation of the DR operation token
If this still does not work, try cancelling the generation of the DR operation token with the following command and start that process again.

In [None]:
vault4 operator generate-root -dr-token -cancel

After successfully generating your DR operation token, you can decode it with a command like this where `<token>` is the encoded token returned by the last command and `<otp>` is the OTP you got back from the first `generate-root` command above:

In [None]:
vault4 operator generate-root -dr-token -decode=${encoded_token} -otp=${otp} \
    | tee /tmp/config/vault/dr_token_na2.txt

This will give you your decoded DR operation token.

At this point, you should now re-apply your original Vault Enterprise evaluation license to the NA-2 cluster by running this command on the *NA-2* tab where you should replace `<dr_token>` with your DR operation token:

In [None]:
vault4 write sys/license text=@vault_20210715.hclic \
    dr_operation_token=$(cat /tmp/config/vault/dr_token_na2.txt)
vault4 read sys/license \
    dr_operation_token=$(cat /tmp/config/vault/dr_token_na2.txt)

Failing to do this within 30 minutes after enabling DR replication on a secondary Vault cluster will cause its Vault servers to seal.

You will then need to restart them and apply a valid license within 30 minutes.

You can verify that the license has been applied to the DR secondary by running

In [None]:
VAULT_TOKEN=root4 vault4 read sys/license
VAULT_TOKEN=$VAULT_TOKEN_ROOT_2 vault4 read sys/license

But, you might have to wait 30 seconds or repeat the command a few times to get a valid response.

Finally, you can promote the NA-2 cluster to be the primary cluster within the (NA-1, NA-2) DR replication set by running this command on the *NA-2* tab where you should replace `<dr_token>` with your DR operation token:

In [None]:
vault4 write /sys/replication/dr/secondary/promote \
    dr_operation_token=$(cat /tmp/config/vault/dr_token_na2.txt)

You should see a message like this:

```
This cluster is being promoted to a replication primary. Vault will be unavailable for a brief period and will resume service shortly.
```

Note that the original `root` token on the `NA-2` server will no longer be valid.

But, you can use the new root token you had generated on `NA-1` after setting up performance replication between it and `EU-1`.

You can find it by running

In [None]:
echo $VAULT_TOKEN

on the *NA-1* tab.

You should then run the following command on the *NA-2* tab where you should replace `<root_token>` with the value of `$VAULT_TOKEN` on the *NA-1* tab: (Don't use the DR operation token that you just generated.)

In [None]:
export VAULT_TOKEN=<root_token>

Make sure you can read NA-1's data on the NA-2 server by running these commands on the *NA-2* tab:

In [None]:
export VAULT_TOKEN=$VAULT_TOKEN_ROOT_2
vault4 kv get Replicated_Data/capitals
vault4 kv get Local_Data/credit_scores

You should see 3 North American capitals followed by the credit scores for 3 North Americans.

These commands are retrieving data originally stored on the NA-1 server, showing that the NA-2 server has successfully taken over from the NA-1 server via the DR replication promotion.

* If you get errors, please run these commands a second time.

Please run the following command on the *NA-2* tab as an additional test:

In [None]:
vault4 kv get Non_GDPR_Data/capitals

You should see 3 European capitals. This demonstrates that the NA-2 server is now acting as a performance secondary to the EU-1 server.

* If you get an error, please run the command a second time.

(Optional) If you login to the NA-2 Vault UI with the root token you exported above, you should see the `Non_GDPR_Data`, `Local_Data`, and `Replicated_Data secrets` engines. You can also check the values of the secrets they contain.

---

Congratulations on finishing this challenge and the Vault Replication lab!

## notes:
In this challenge, you will simulate the failure of the NA-1 cluster by stopping its Vault server.

You will then promote the NA-2 cluster from DR secondary to DR primary and verify that the data previously visible on the NA-1 cluster is now visible on the NA-2 cluster. This will includes the data stored on the EU-1 cluster since the NA-2 cluster will also become a performance secondary to EU-1.

# Clean Up

pkill -9 vault
rm -rf /tmp/config/vault
rm -f /tmp/vault*.log
# unset -f vault2 vault3 vault4
docker stop vault vault1 vault2 vault3