So sadly we are still on Vault 1.0.3. Yes, we need to upgrade. Meanwhile Alex Roman wants to launch Vault agent 1.4 in Kubernetes because of its templating feature, which makes sense.
But I’m concerned about compatibility issues here. Correct me if I’m wrong, but the normal recommended HashiCorp methodology for updating is:
a) Update server cluster first
b) Then update Vault clients
Is the reverse tested or supported?
You’d have to test your usage. Vault Agent will play nicely with older versions, but more than 1-2 major releases would be suspect, esp around auth methods for the agent to use.
Well sure, but “test” is sort of open ended to some extent. We HAVE tested it and it APPEARS to work. What I’m getting at is this:
- Am I correct that we are doing things backwards by upgrading agent first, and while it PROBABLY will work, it’s not officially supported?
If you mean enterprise support, that version gap would not be supported. Just supporting 1.x is dicey at this point, given its age.
By test - I meant you should have a full regression/test package around the usage to be sure. While understanding a lot of folks might not do this, if Vault is in your critical path, it’d be highly recommended to at least script heavily used auth/secrets in a simple test suite to make sure you get expected results release to release.