DR Post-Install Verification Checklist

After deploying a DR primary + standby pair, run these checks to confirm correct configuration.

Replace <NAMESPACE> with your LogScale namespace (default: log).

Encryption Key Sync

The standby must hold the same encryption key as the primary to decrypt GCS snapshots during recovery.

On PRIMARY

shell

kubectl get secret <INFRA_PREFIX>-gcp-storage-encryption-key -n <NAMESPACE> \
  -o jsonpath='{.data.gcp-storage-encryption-key}' | base64 -d | shasum -a 256

On STANDBY

shell

kubectl get secret dr-secondary-gcs-storage-encryption -n <NAMESPACE> \
  -o jsonpath='{.data.gcp-storage-encryption-key}' | base64 -d | shasum -a 256

Pass: Both SHA256 hashes are identical.

Recovery Environment Variables (STANDBY only)

shell

POD=$(kubectl get pods -n <NAMESPACE> -l app.kubernetes.io/name=humio -o name | head -1)

Variable	Expected	Command
`GCP_RECOVER_FROM_BUCKET`	<primary-bucket-name>	`kubectl exec $POD -n <NAMESPACE> -- env \\| grep GCP_RECOVER_FROM_BUCKET`
`GCP_RECOVER_FROM_WORKLOAD_IDENTITY`	true	`kubectl exec $POD -n <NAMESPACE> -- env \\| grep GCP_RECOVER_FROM_WORKLOAD_IDENTITY`
`GCP_RECOVER_FROM_REPLACE_REGION`	<primary-region>/<standby-region>	`kubectl exec $POD -n <NAMESPACE> -- env \\| grep GCP_RECOVER_FROM_REPLACE_REGION`
`GCP_RECOVER_FROM_REPLACE_BUCKET`	<primary-bucket>/<standby-bucket>	`kubectl exec $POD -n <NAMESPACE> -- env \\| grep GCP_RECOVER_FROM_REPLACE_BUCKET`
`GCP_RECOVER_FROM_REGION`	Not set	`kubectl exec $POD -n <NAMESPACE> -- env \\| grep GCP_RECOVER_FROM_REGION \\|\\| echo 'NOT SET (correct)'`
`ENABLE_ALERTS`	false	kubectl exec $POD -n <NAMESPACE> -- env \\| grep ENABLE_ALERTS

GCS Cross-Region Access

shell

kubectl exec $POD -n <NAMESPACE> -- \
  gcloud storage ls gs://<primary-bucket-name>/ --limit=5

Pass: Lists objects (or empty output for new bucket). Must NOT show AccessDeniedException.

shell

terraform output -json | jq '{
  recover_from_bucket: .gcp_recover_from_bucket.value,
  recover_from_encryption_key_secret: .gcp_recover_from_encryption_key_secret_name.value,
  primary_bucket: .dr_primary_gcs_bucket.value
}'

Pass: recover_from_bucket matches the primary's actual GCS bucket name.

Summary

Check	Where	Pass Criteria
Encryption key hash	Primary + Standby	SHA256 identical
`GCP_RECOVER_FROM_BUCKET`	Standby	Primary's bucket name
`GCP_RECOVER_FROM_WORKLOAD_IDENTITY`	Standby	true
`GCP_RECOVER_FROM_REPLACE_REGION`	Standby	<primary-region>/<standby-region>
`GCP_RECOVER_FROM_REPLACE_BUCKET`	Standby	<primary-bucket>/<standby-bucket>
`GCP_RECOVER_FROM_ENCRYPTION_KEY`	Standby	secretKeyRef resolves
`GCP_RECOVER_FROM_REGION`	Standby	Not set
`ENABLE_ALERTS`	Standby	false
GCS cross-region read	Standby	No `AccessDeniedException`
Terraform outputs	Standby	Bucket names match

Versions of this Page

Deployment Overview

Planning Your Deployment

Instance Sizing

Storage Architecture

Installing Using Containers

Installing On Bare Metal or Cloud Instance

Reference Architectures

Installing Load Balancers

Deploying Auxiliary Services

Configuration Settings

Managing Your Deployment

Testing Your Deployment

DR Post-Install Verification Checklist

Encryption Key Sync

Recovery Environment Variables (STANDBY only)

GCS Cross-Region Access

Summary

Enter search term