Unverified Commit a6536f1c authored by hc-github-team-secure-vault-core's avatar hc-github-team-secure-vault-core Committed by GitHub

Backport of Add 'Integrated Storage vs. Consul' comparison into stable-website (#14018)

This pull request was automerged via backport-assistant
parent a370b320
Showing with 61 additions and 2 deletions
......@@ -20,6 +20,11 @@ Many other options for storage are available with community support - see our
[Storage Configuration](/docs/configuration/storage) section for more
information.
-> **Choosing a storage backend:** Refer to the [integrated storage vs. external
storage](/docs/configuration/storage#integrated-storage-vs-external-storage)
section of the storage configuration page to help make a decision about which
storage backend to use.
## Backups
Due to the highly flexible nature of Vault's potential storage configurations,
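Review bot: the callout's link target `/docs/configuration/storage#integrated-storage-vs-external-storage` is only valid as long as the `## Integrated storage vs. external storage` heading in the storage configuration page keeps that exact wording, because the anchor is derived from the heading slug; if either side is reworded later the callout silently dead-links, so it is worth a comment or a link check in CI. Minor wording: "to help make a decision about which storage backend to use" can be tightened to "for guidance on choosing a backend".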
......@@ -87,8 +92,8 @@ HashiCorp-supported storage backend, see the instructions linked below. For
other storage backends, follow the documentation of that backend for taking and
restoring backups.
* Integrated Storage [snapshots](/docs/commands/operator/raft#snapshot)
* Consul [snapshots](https://www.consul.io/docs/commands/snapshot.html)
- Integrated Storage [snapshots](/docs/commands/operator/raft#snapshot)
- Consul [snapshots](https://www.consul.io/docs/commands/snapshot.html)
#### Backing up Multiple Clusters
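Review bot: this hunk only swaps `*` list markers for `-` with no content change, which is unrelated to the comparison section the backport adds and reads as formatter churn. It is acceptable if the goal is to keep stable-website identical to main, but the commit message should say so, otherwise a future `git blame` on these two bullets points at a "comparison" change that never touched them. Note also that the unchanged context above calls Consul a "HashiCorp-supported storage backend"; whatever support wording the new comparison tables use should stay consistent with this sentence.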
......@@ -40,3 +40,57 @@ storage "file" {
For configuration options which also read an environment variable, the
environment variable will take precedence over values in the configuration
file.
## Integrated storage vs. external storage
HashiCorp recommends using Vault's [integrated
storage](/docs/configuration/storage/raft) for most use cases rather than
configuring another system to store Vault data externally. (Integrated storage is
an **embedded Vault data storage** available in Vault 1.4 or later.) Prior to Vault 1.4, Consul was the recommended Vault storage.
-> **NOTE:** [HCP Vault](https://cloud.hashicorp.com/products/vault) clusters
use integrated storage as their storage backend.
The table below compares the characteristics of integrated storage and external
storage. Suppose you decide that the additional operational complexity of external storage is worth it for your use case. In that case, there are several external storage options to choose from (e.g., [Consul](/docs/configuration/storage/consul), [DynamoDB](/docs/configuration/storage/dynamodb), etc.).
| | Integrated Storage | External Storage |
| ------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| HashiCorp Supported | Yes | Limited support |
| Operation | Operationally simpler with no additional software installation required. | Must install and configure the external storage environment outside of Vault. For high availability, the external storage should be clustered. |
| Networking | One less network hop. | Extra network hop between Vault and the external storage system (e.g., Consul cluster). |
| Troubleshooting and monitoring | Integrated storage is a part of Vault; therefore, Vault is the only system you need to monitor and troubleshoot. | The source of failure could be the external storage; therefore, you need to check the health of both Vault and the external storage. This requires expertise in the chosen storage backend and additional monitoring of that storage. |
| Data location | The encrypted Vault data is stored on the same host where the Vault server process runs. | The encrypted Vault data is stored where the external storage is located. Therefore, the Vault server and the data storage are hosted on physically separate hosts. |
| System requirements | Avoid "burstable" CPU and storage options. SSDs should be used for the hard drive. <p />See the [Reference Architecture](https://learn.hashicorp.com/tutorials/vault/raft-reference-architecture#system-requirements) guide. | Follow the system requirements given by your chosen storage backend. |
### Integrated storage vs. Consul as Vault storage
[HashiCorp Consul](https://www.consul.io/docs/intro) is a comprehensive
multi-cloud service networking solution including service mesh, service
discovery, and network infrastructure automation. Vault can leverage
Consul's [KV Store](https://www.consul.io/api-docs/kv) to persist Vault data.
The table below highlights the differences between integrated storage and
Consul.
| | Integrated Storage | Consul |
| ------------------- | ------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| Deployment | Vault cluster is all you need. | Vault cluster & Consul cluster. <p />Use a dedicated Consul cluster for Vault storage, and it should not be used for other purposes (e.g., service discovery, service mesh). <p />See the [Vault with Consul Storage Reference Architecture](https://learn.hashicorp.com/tutorials/vault/reference-architecture#recommended-architecture) guide. |
| Data location | Data is on disk. | All data is in memory. |
| System requirements | [System requirements](https://learn.hashicorp.com/tutorials/vault/raft-reference-architecture#system-requirements) | [System requirements](https://learn.hashicorp.com/tutorials/vault/reference-architecture#hardware-sizing-for-vault-servers) |
| Snapshots | Normal data backup strategy of your organization. | More frequent snapshots are necessary since data is in memory. |
| Max message size | 1 MiB (Configurable using the [`max_entry_size`](/docs/configuration/storage/raft#max_entry_size) parameter) | 512 KiB (Configurable using the [`kv_max_value_size`](https://www.consul.io/docs/agent/options#kv_max_value_size) parameter) |
If you have a Vault cluster using Consul as its storage backend and wish to
migrate to integrated storage, read the following tutorials:
1. [Preflight Checklist - Migrating to Integrated
Storage](https://learn.hashicorp.com/tutorials/vault/storage-migration-checklist)
1. [Storage Migration tutorial - Consul to Integrated
Storage](https://learn.hashicorp.com/tutorials/vault/raft-migration)
## Learn
Refer to the [Integrated
Storage](https://learn.hashicorp.com/collections/vault/raft) tutorial collection
to learn more about integrated storage.
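Review bot: the `Data location` row of the Consul table ("All data is in memory.") and the `Snapshots` row that builds on it ("More frequent snapshots are necessary since data is in memory.") overstate the volatility: Consul serves its KV store from memory but persists every write to its Raft log and periodic snapshots on disk, so a restart does not lose data. Suggest "Served from memory; made durable by Consul's Raft log and snapshots on disk", and justify the more frequent snapshots by Consul being a second system with its own restore procedure rather than by data loss on restart. Two consistency points in the first table: the `HashiCorp Supported` cell "Limited support" for all external storage contradicts the backup section in the same PR, which describes Consul as a HashiCorp-supported backend; a split such as "Consul: supported; other backends: community support" would match. And "Therefore, the Vault server and the data storage are hosted on physically separate hosts" in the external-storage `Data location` row states a deployment choice as a consequence; "are typically hosted on separate hosts" is accurate. Finally, since the `Networking` row introduces an extra hop that carries encrypted Vault data between Vault and the external store, a pointer to securing that hop (TLS between Vault and the storage system) would make the trade-off complete from a hardening perspective.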