## Demote Primary

In [2]:
%env WORKDIR=/tmp/vault

env: WORKDIR=/tmp/vault


### Create Snapshot

In [17]:
%%bash
export VAULT_TOKEN=$(cat ${WORKDIR}/cluster-keys.json | jq -r ".root_token")
export VAULT_ADDR=https://127.0.0.1:8200
export VAULT_CACERT=/tmp/vault/vault.ca

vault operator raft snapshot save vault-cluster-a-snapshot.snap

### Create DR Operation Batch Token

In [18]:
%%bash

export VAULT_TOKEN=$(cat ${WORKDIR}/cluster-keys.json | jq -r ".root_token")
export VAULT_ADDR=https://127.0.0.1:8200
export VAULT_CACERT=/tmp/vault/vault.ca

vault policy write \
    dr-secondary-promotion - <<EOF
path "sys/replication/dr/secondary/promote" {
  capabilities = [ "update" ]
}

# To update the primary to connect
path "sys/replication/dr/secondary/update-primary" {
    capabilities = [ "update" ]
}

# Only if using integrated storage (raft) as the storage backend
# To read the current autopilot status
path "sys/storage/raft/autopilot/state" {
    capabilities = [ "update" , "read" ]
}
EOF

vault policy list

vault write auth/token/roles/failover-handler \
    allowed_policies=dr-secondary-promotion \
    orphan=true \
    renewable=false \
    token_type=batch

vault token create -format=json -role=failover-handler -ttl=8h | jq -r .auth.client_token > ${WORKDIR}/dr-operation.txt
cat ${WORKDIR}/dr-operation.txt


Success! Uploaded policy: dr-secondary-promotion
default
dr-secondary-promotion
root
Success! Data written to: auth/token/roles/failover-handler
hvb.AAAAAQJamgqoVBBphTXFxKCP-72JxY9SAti_H_RP4tLodkxShZu1XIKgC9f0cr8-5aeju30rPAExgv1q2uqtrUI5w6ucXfF3SWSm7SGYxqxqhLFXa41089i4oSZFmSSxx-Kc6XMGcF9n6YiaNUnHQ0WmgZ4r02hTBpOEp603wru-88VEMSSlvzovGPlEblFCUYcLHBRGZA


## Esto es lo importante

### Demote Primary

In [19]:
%%bash
export VAULT_TOKEN=$(cat ${WORKDIR}/cluster-keys.json | jq -r ".root_token")
export VAULT_ADDR=https://127.0.0.1:8200
export VAULT_CACERT=/tmp/vault/vault.ca

vault write -f sys/replication/dr/primary/demote


  * This cluster is being demoted to a replication secondary. Vault will be
  unavailable for a brief period and will resume service shortly.



## DR

### Promate DR to Primary

In [20]:
%%bash
export VAULT_TOKEN=$(cat ${WORKDIR}/clusterdr-keys.json | jq -r ".root_token")
export VAULT_ADDR=https://127.0.0.1:8300
export VAULT_CACERT=/tmp/vault/vault.ca


vault write -f sys/replication/dr/secondary/promote dr_operation_token=$(cat ${WORKDIR}/dr-operation.txt)


  * This cluster is being promoted to a replication primary. Vault will be
  unavailable for a brief period and will resume service shortly.



## Unseal other nodes with primary unseal key

In [21]:
%%bash
sleep 10
kubectl exec -n vaultdr vaultdr-1 -- vault operator unseal $(jq -r ".unseal_keys_b64[]" ${WORKDIR}/cluster-keys.json)

Key                                    Value
---                                    -----
Seal Type                              shamir
Initialized                            true
Sealed                                 false
Total Shares                           1
Threshold                              1
Version                                1.14.1+ent
Build Date                             2023-07-21T23:04:42Z
Storage Type                           raft
Cluster Name                           vault-dr
Cluster ID                             1ffdecb3-8ea1-7553-68b8-530c69fff8d1
HA Enabled                             true
HA Cluster                             https://vaultdr-0.vaultdr-internal:8201
HA Mode                                standby
Active Node Address                    https://10.244.0.34:8200
Performance Standby Node               true
Performance Standby Last Remote WAL    18
Raft Committed Index                   589
Raft Applied Index                     589


In [22]:
%%bash
kubectl exec -n vaultdr vaultdr-2 -- vault operator unseal $(jq -r ".unseal_keys_b64[]" ${WORKDIR}/cluster-keys.json)

Key                                    Value
---                                    -----
Seal Type                              shamir
Initialized                            true
Sealed                                 false
Total Shares                           1
Threshold                              1
Version                                1.14.1+ent
Build Date                             2023-07-21T23:04:42Z
Storage Type                           raft
Cluster Name                           vault-dr
Cluster ID                             1ffdecb3-8ea1-7553-68b8-530c69fff8d1
HA Enabled                             true
HA Cluster                             https://vaultdr-0.vaultdr-internal:8201
HA Mode                                standby
Active Node Address                    https://10.244.0.34:8200
Performance Standby Node               true
Performance Standby Last Remote WAL    18
Raft Committed Index                   591
Raft Applied Index                     591


### Verify replication status

In [23]:
%%bash
kubectl exec vaultdr-0 -n vaultdr -- vault read sys/replication/dr/status

Key                     Value
---                     -----
cluster_id              58d75c2c-d3fc-b4c9-9f78-400111d580af
known_secondaries       []
last_dr_wal             18
last_reindex_epoch      0
last_wal                18
merkle_root             844b116ece74cf2c58a85e98f7bf75459441dc72
mode                    primary
primary_cluster_addr    n/a
secondaries             []
state                   running


### Enable old DR as DR Primary

In [10]:
%%bash 
export VAULT_TOKEN=$(cat ${WORKDIR}/cluster-keys.json | jq -r ".root_token") 
export VAULT_ADDR=https://127.0.0.1:8300  
export VAULT_CACERT=/tmp/vault/vault.ca 

vault write -f sys/replication/dr/primary/enable primary_cluster_addr=https://vaultdr-active.vaultdr.svc.cluster.local:8201


  * This cluster is being enabled as a primary for replication. Vault will be
  unavailable for a brief period and will resume service shortly.



In [11]:
%%bash
export VAULT_TOKEN=$(cat ${WORKDIR}/cluster-keys.json | jq -r ".root_token") 
export VAULT_ADDR=https://127.0.0.1:8300  
export VAULT_CACERT=/tmp/vault/vault.ca 

vault write -format=json sys/replication/dr/primary/secondary-token id=dr21 | jq -r .wrap_info.token > ${WORKDIR}/dr_token2.txt
cat ${WORKDIR}/dr_token2.txt

eyJhbGciOiJFUzUxMiIsInR5cCI6IkpXVCJ9.eyJhY2Nlc3NvciI6IiIsImFkZHIiOiJodHRwczovLzEwLjI0NC4wLjM0OjgyMDAiLCJleHAiOjE2OTQ2Nzg5MzEsImlhdCI6MTY5NDY3NzEzMSwianRpIjoiaHZzLjhrTVdCM3hOQUFsRHVmU3ptQnJydUcwdyIsIm5iZiI6MTY5NDY3NzEyNiwidHlwZSI6IndyYXBwaW5nIn0.ABQavi6KCnsfoS37YixXEeKIKLBH6HV4pZnoSazToZgmmevPiqwRc6CbqYZmjsHy13fSn4S7hCPG-Gm0RwW3ohTHAJ3Z87LccghHOc13zm3uSFDtsZ2lVNrtZt3iyRATUxAk_uonJNPxnNUGQnXPvgHz7piC45Zrs89JGNfzYw7UggGc


## Old Primary
### Update primary Address

In [13]:
%%bash
# Update primary list
export VAULT_TOKEN=$(cat ${WORKDIR}/clusterdr-keys.json | jq -r ".root_token") 
export VAULT_ADDR=https://127.0.0.1:8200  
export VAULT_CACERT=/tmp/vault/vault.ca 

vault write /sys/replication/dr/secondary/update-primary \
    dr_operation_token=$(cat ${WORKDIR}/dr-operation.txt) \
    token=$(cat ${WORKDIR}/dr_token2.txt) \
    ca_file=/vault/userconfig/vault-ha-tls/vault.ca \
    primary_api_addr=https://vaultdr-active.vaultdr.svc.cluster.local:8200


  * Vault has successfully found secondary information; it may take a while to
  perform setup tasks. Vault will be unavailable until these tasks and initial
  sync complete.

