HOW TO migrate vault backend from file to raft


The task is to move Vault from a backend that uses file storage to a backend that uses raft.

We have a Vault with some data: secrets, access, policies.

This Vault is installed with the file backend.


we will migrate it to raft

kubectl exec -ti -n vault-test vault-test-0 -- sh

check hostname

hostname
vault-test-0

check name of svc

we need this vault-test-0.vault-test-internal

go to PV

cd /vault/data
/vault/data $

create the migration file migrate.hcl

node_id - this is our hostname
cluster_addr - this is our svc
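The post does not show the contents of migrate.hcl, so here is an added example (not the author's file) that generates one from the hostname and service name above. The function name gen_migrate_hcl is hypothetical, and the /vault/data path for both backends, the https scheme and port 8201 are assumptions; adjust them to your chart values.

```shell
#!/bin/sh
# Added example: emit a migrate.hcl for `vault operator migrate` (file -> raft).
# Assumptions (not from the post): both backends live in /vault/data,
# cluster traffic uses https on port 8201.

# gen_migrate_hcl NODE_ID SERVICE [DATA_DIR] [SCHEME] [PORT]
gen_migrate_hcl() {
    node_id=$1
    service=$2
    data_dir=${3:-/vault/data}
    scheme=${4:-https}
    port=${5:-8201}

    # These values land inside HCL strings and a URL: accept DNS characters only.
    for v in "$node_id" "$service"; do
        case $v in
            ''|*[!a-z0-9.-]*) echo "invalid name: '$v'" >&2; return 1 ;;
        esac
    done
    case $data_dir in
        ''|[!/]*|*\"*) echo "data dir must be an absolute path" >&2; return 1 ;;
    esac
    case $scheme in http|https) ;; *) echo "invalid scheme" >&2; return 1 ;; esac
    case $port in ''|*[!0-9]*) echo "invalid port" >&2; return 1 ;; esac

    cat <<EOF
storage_source "file" {
  path = "${data_dir}"
}

storage_destination "raft" {
  path    = "${data_dir}"
  node_id = "${node_id}"
}

cluster_addr = "${scheme}://${node_id}.${service}:${port}"
EOF
}

# Values from the post: pod vault-test-0, service vault-test-internal.
# Inside the pod, redirect the output: ... > /vault/data/migrate.hcl
gen_migrate_hcl vault-test-0 vault-test-internal
```

`vault operator migrate` is designed as an offline operation, so make sure nothing writes to this Vault while it runs.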

run migration

/vault/data $ vault operator migrate -config=migrate.hcl

If all log messages are at INFO level and the output ends with:
Success! All of the keys have been migrated.

then the migration succeeded and we can continue.

 

Now we apply the Helm chart with the raft backend

terraform apply --target helm_release.vault_test

check the installation

As we see, pods vault-test-1 and vault-test-2 are not ready. Check them:

This is normal. Now check Vault on vault-test-0.

As we see, this Vault still uses the file backend.

Storage Type file

We need to recreate this pod so that it starts with the raft configuration:

kubectl delete pod -n vault-test vault-test-0
pod "vault-test-0" deleted

wait several seconds and check

As we see, it now uses raft:
Storage Type raft

and all pods are in the cluster, with vault-test-0 as leader.

Let's check what will happen if we seal vault-test-0.

enter another pod

now check the data in the Vault UI

As we see, all is OK: vault-test-0 is sealed and all data is accessible from vault-test-1 and vault-test-2.

After our check, we can unseal vault-test-0, or delete this pod, and it will start and unseal automatically.