<img align=right src=images/HashiCorp_PrimaryLogo_Black_RGB.png width=150>
<img src=images/acme.jpeg width=100 align="left">
<img src=images/vault-cluster1.png width=900 >

## Vaults Setup

**Shell alias setup**

In [1]:
source ~/.zshrc

In [16]:
alias |grep -i "evault[1-3]"

evault1='VAULT_ADDR=http://127.0.0.1:8200 vaulte $@'
evault2='VAULT_ADDR=http://127.0.0.1:8202 vaulte $@'
evault3='VAULT_ADDR=http://127.0.0.1:8204 vaulte $@'


In [1]:
alias |grep -i "evrd[1-3]"

evrd1='VAULT_UI=true VAULT_REDIRECT_ADDR=http://127.0.0.1:8200 evault server -log-level=trace -dev -dev-root-token-id=root -dev-listen-address=127.0.0.1:8200 -dev-ha -dev-transactional'
evrd2='VAULT_UI=true VAULT_REDIRECT_ADDR=http://127.0.0.1:8202 evault server -log-level=trace -dev -dev-root-token-id=root -dev-listen-address=127.0.0.1:8202 -dev-ha -dev-transactional'
evrd3='VAULT_UI=true VAULT_REDIRECT_ADDR=http://127.0.0.1:8204 evault server -log-level=trace -dev -dev-root-token-id=root -dev-listen-address=127.0.0.1:8204 -dev-ha -dev-transactional'


### Launch 3 Vault servers, each on its own windows
  
Model is as follows
```
+---------------------------------+                    +------------------------------------+
| vault1 port:8200                |                    | vault2 port: 8202                  |
| Performance primary replication |    +----------->   | Performance secondary replication  |
| DR primary replication          |                    | (vault1 -> vault2)                 |
|                                 |                    |                                    |
+---------------------------------+                    +------------------------------------+
               +
               |
               v
+---------------------------------+
| vault3 port:8204                |
| DR secondary replication        |
| (vault1 -> vault3)              |
|                                 |
+---------------------------------+
```
Make sure you record the unseal key for each Vault server.


### License Vault (Optional)

In [13]:
VAULT_ADDR="http://127.0.0.1:8200"; curl \
    --insecure \
    --header "X-Vault-Token: $VAULT_ROOT_TOKEN" \
    --request PUT \
    --data @/Users/tio/Documents/vault_license.json \
    $VAULT_ADDR/sys/license

{"errors":[]}


### Vault1 - create users, policies and secrets on the primary cluster

In [12]:
vault1 login root > /dev/null
echo "----"
vault1 auth enable userpass
echo '
path "*" {
    capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}' | vault1 policy write vault-admin -

echo '
path "supersecret/*" {
  capabilities = ["list", "read"]
}' | vault1 policy write user -

vault1 write auth/userpass/users/vault password=vault policies=vault-admin
vault1 write auth/userpass/users/drtest password=drtest policies=user
echo "----"
vault1 secrets enable -path=supersecret generic

[0mSuccess! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
[0m
[0mKey                  Value
---                  -----
token                root
token_accessor       Ny1ESA47styjDXND2Uewj67P
token_duration       ∞
token_renewable      false
token_policies       ["root"]
identity_policies    []
policies             ["root"][0m
----
[0mSuccess! Enabled userpass auth method at: userpass/[0m
[0mSuccess! Uploaded policy: vault-admin[0m
[0mSuccess! Uploaded policy: user[0m
[0mSuccess! Data written to: auth/userpass/users/vault[0m
[0mSuccess! Data written to: auth/userpass/users/drtest[0m
----
[0mSuccess! Enabled the generic secrets engine at: supersecret/[0m


### Setup Performance Replication (Vault -> Vault2)

In [13]:
vault1 login root > /dev/null
vault1 write -f sys/replication/performance/primary/enable
sleep 10
PRIMARY_PERF_TOKEN=$(vault1 write -format=json sys/replication/performance/primary/secondary-token id=vault2 \
  | jq --raw-output '.wrap_info .token' )
echo "---"
vault2 login root > /dev/null
vault2 write sys/replication/performance/secondary/enable token=${PRIMARY_PERF_TOKEN}

[0mSuccess! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
[0m
[0mKey                  Value
---                  -----
token                root
token_accessor       Ny1ESA47styjDXND2Uewj67P
token_duration       ∞
token_renewable      false
token_policies       ["root"]
identity_policies    []
policies             ["root"][0m
[0m
[93m  * This cluster is being enabled as a primary for replication. Vault will be
  unavailable for a brief period and will resume service shortly.[0m
[93m[0m
---
[0mSuccess! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
[0m
[0mKey                  Value
---                  -----
token                root
token_accessor       JAefFJTBD

#### Validation 
Enable another secret engine on Vault1, configure it *not* to be replicated and perform validations:
* of Performance Replication on the Secondary cluser (Vault2)
* of Performance Replication on the Primary cluster (Vault1)


### Setup DR Replication (Vault1 -> Vault3)

In [3]:
vault1 login root > /dev/null
vault1 write -f /sys/replication/dr/primary/enable
sleep 10
PRIMARY_DR_TOKEN=$(vault1 write -format=json /sys/replication/dr/primary/secondary-token id="vault3" | jq --raw-output '.wrap_info .token' )
vault3 login root > /dev/null
vault3 write /sys/replication/dr/secondary/enable token=${PRIMARY_DR_TOKEN}

[91mError writing data to sys/replication/dr/primary/enable: Error making API request.

URL: PUT http://127.0.0.1:8200/v1/sys/replication/dr/primary/enable
Code: 400. Errors:

* cluster is already a dr primary in a replication set and updated 'primary_cluster_addr' not given[0m
Error writing data to sys/replication/dr/primary/secondary-token: Error making API request.

URL: PUT http://127.0.0.1:8200/v1/sys/replication/dr/primary/secondary-token
Code: 400. Errors:

* secondary cluster with id "vault3" is already activated
[91mError writing data to sys/replication/dr/secondary/enable: Error making API request.

URL: PUT http://127.0.0.1:8204/v1/sys/replication/dr/secondary/enable
Code: 500. Errors:

* 1 error occurred:
	* error unmarshalling secondary token: 'data' being decoded is nil

[0m


#### Validation of DR

In [6]:
vault3 read -format=json sys/replication/status |jq

[1;39m{
  [0m[34;1m"request_id"[0m[1;39m: [0m[0;32m"ec5a59b4-ce4b-908b-91c3-abd4e92dba78"[0m[1;39m,
  [0m[34;1m"lease_id"[0m[1;39m: [0m[0;32m""[0m[1;39m,
  [0m[34;1m"lease_duration"[0m[1;39m: [0m[0;39m0[0m[1;39m,
  [0m[34;1m"renewable"[0m[1;39m: [0m[0;39mfalse[0m[1;39m,
  [0m[34;1m"data"[0m[1;39m: [0m[1;39m{
    [0m[34;1m"dr"[0m[1;39m: [0m[1;39m{
      [0m[34;1m"cluster_id"[0m[1;39m: [0m[0;32m"bfc4658e-c6ee-0156-50b0-780125356cba"[0m[1;39m,
      [0m[34;1m"connection_state"[0m[1;39m: [0m[0;32m"ready"[0m[1;39m,
      [0m[34;1m"known_primary_cluster_addrs"[0m[1;39m: [0m[1;39m[
        [0;32m"https://127.0.0.1:8201"[0m[1;39m
      [1;39m][0m[1;39m,
      [0m[34;1m"last_reindex_epoch"[0m[1;39m: [0m[0;32m"1609050391"[0m[1;39m,
      [0m[34;1m"last_remote_wal"[0m[1;39m: [0m[0;39m126[0m[1;39m,
      [0m[34;1m"merkle_root"[0m[1;39m: [0m[0;32m"7d903e24ff6837a4606a42005fdb7fe342a89ed1"[0m[1;39m,
    

### Promote DR Secondary (Vault3) to Primary Cluster
Shutdown Vault1

Generate operation token on Vault3

$ vault operator generate-root -dr-token -otp="vZUKRgIcHMgwNeB8T9jf0YwUvm" -decode="BXRjc2QLECsbfDQtJSEtVhxRHQRYPx8DGio"

s.686lYHS1SZkDonHhwbhfhVlG

curl -s http://127.0.0.1:8204/v1/sys/replication/dr/secondary/generate-operation-token/attempt | jq

Next generate OTP (one time pasword)
DR_OTP=$(vault3 operator generate-root -dr-token -generate-otp)

Create Nonce
NONCE=$(vault3 operator generate-root -dr-token -init -otp=${DR_OTP} |grep -i nonce | awk '{print $2}')



### Swing it back - Vault1 is back to become Primary

Run `vrd1` - starts empty Vault   
Configure Vault1 to become DR Secondary   
Demote Vault3  

[91mError writing data to sys/replication/dr/primary/disable: Error making API request.

URL: PUT http://127.0.0.1:8200/v1/sys/replication/dr/primary/disable
Code: 400. Errors:

* cluster does not have a DR replication state that allows disabling[0m
[91mError writing data to sys/replication/performance/primary/disable: Error making API request.

URL: PUT http://127.0.0.1:8200/v1/sys/replication/performance/primary/disable
Code: 400. Errors:

* cluster does not have a performance replication state that allows disabling[0m


### Promote DR Secondary (Vault2) to Primary

&nbsp;

---
#### Thank you.
<img src=images/HashiCorp_PrimaryLogo_Black_RGB.png width=100 class="center">