Hello all, looking for some guidance on moving some data around.
I have inherited a VERY old vault (0.10.0) and consul (1.0.7) infrastructure that I have been charged with getting up to date. Part of the migration process includes getting them on a newer OS and VM hardware as well as using the integrated storage RAFT, so simply upgrading the current systems is not an option.
The approach I would like to take is to build a new vault cluster with RAFT storage, and use the vault migration tool, but I am running into issues configuring the migration config.
vault and consul configs of old servers (some sensitive names and data removed)
VAULT CONFIG
{
  "api_addr":"https://vault-1.dev.mydomain.com:8200",
  "backend":{
    "consul":{
      "address":"localhost:8443",
      "scheme":"https",
      "tls_ca_file":"/etc/ssl/certs/mydomain.com-ca.pem",
      "tls_cert_file":"/etc/ssl/certs/vault-1.dev.mydomain.com.crt.pem",
      "tls_key_file":"/etc/ssl/private/vault-1.dev.mydomain.com.key.pem",
      "tls_min_version":"tls12",
      "tls_skip_verify":"false",
      "token":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
    }
  },
  "cluster_addr":"https://vault-1.dev.mydomain.com:8201",
  "listener":{
    "tcp":{
      "address":"10.186.134.90:8200",
      "cluster_address":"10.186.134.90:8201",
      "tls_cert_file":"/etc/ssl/certs/vault-1.dev.mydomain.com.crt.pem",
      "tls_client_ca_file":"/etc/ssl/certs/mydomain.com-ca.pem",
      "tls_disable":0,
      "tls_key_file":"/etc/ssl/private/vault-1.dev.mydomain.com.key.pem",
      "tls_min_version":"tls12"
    }
  },
  "ui":true
}
CONSUL CONFIG
{
  "acl_token": "xxxxxxxxxxxxxxxxxxxxxxxxxxxx",
  "addresses": {
    "https": "127.0.0.1"
  },
  "bind_addr": "10.186.134.90",
  "ca_file": "/etc/ssl/certs/mydomain.com-ca.pem",
  "cert_file": "/etc/ssl/certs/vault-1.dev.mydomain.com.crt.pem",
  "client_addr": "10.186.134.90",
  "data_dir": "/opt/consul",
  "datacenter": "dev-backbone",
  "enable_syslog": true,
  "encrypt": "xxxxxxxxxxxxxxxxxx",
  "key_file": "/etc/ssl/private/vault-1.dev.mydomain.com.key.pem",
  "log_level": "INFO",
  "node_name": "vault-1",
  "ports": {
    "https": 8443
  },
  "retry_join": [
    "consul-1.dev.mydomain.com",
    "consul-2.dev.mydomain.com",
    "consul-3.dev.mydomain.com"
  ],
  "server": false
}
I started with a migration HCL config like this:
storage_source "consul" {
  address = "10.186.134.90:8443"
  path = "vault"
}
storage_destination "raft" {
  path = "/opt/vault/raft/raft"
  node_id = "node2"
}
But I am getting errors, some I understand (raft db already exists, vault running, you know, the standard user errors), but even when executed correctly (I think) I'm still getting connection errors and such.
Does anyone have any advice on this topic?
Thanks in advance!
Chris
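For reference, a migration config that carries the HTTPS, TLS and ACL settings from the old Vault `backend` stanza into `storage_source`, which takes the same parameters as a server storage stanza. This is an added example, not part of the original post. The token placeholder, the new node's `cluster_addr`, and the host the migration runs on are assumptions.

```hcl
# Added example, not the poster's config. Lines marked ASSUMPTION are placeholders.

storage_source "consul" {
  # Same endpoint and scheme the old Vault server used for its backend.
  # ASSUMPTION: the migration runs on a host where this Consul agent is reachable.
  address = "localhost:8443"
  scheme  = "https"
  path    = "vault"

  # TLS material copied from the old "backend" stanza; verification stays on.
  # ASSUMPTION: these files exist at the same paths on the host running the migration.
  tls_ca_file     = "/etc/ssl/certs/mydomain.com-ca.pem"
  tls_cert_file   = "/etc/ssl/certs/vault-1.dev.mydomain.com.crt.pem"
  tls_key_file    = "/etc/ssl/private/vault-1.dev.mydomain.com.key.pem"
  tls_min_version = "tls12"
  tls_skip_verify = "false"

  # Consul ACL token able to read the Vault KV prefix (placeholder, never commit the real value).
  token = "<CONSUL_ACL_TOKEN>"
}

storage_destination "raft" {
  path    = "/opt/vault/raft/raft"
  node_id = "node2"
}

# Required by the migrate command when the destination is raft.
# ASSUMPTION: hypothetical cluster address of the new Vault node.
cluster_addr = "https://vault-new.example.internal:8201"
```

The file holds a Consul ACL token, so keep it readable only by the account running the migration and remove it afterwards. It is passed to `vault operator migrate -config=<file>` while Vault is stopped on the destination node and the raft path is empty.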