Rekeying vault with raft HA configuration

Rekeying vault in a raft HA configuration only rekeys the current node. For example, if I have vault1, vault2, and vault3, I can connect to vault1 and rekey it, but vault2 and vault3 still use the old unseal keys. If I were to now connect to vault2 and vault3 and rotate them individually, I now have 3 different sets of unseal keys to manage.

Ideally, when I rotate one node, all the other nodes will also be rotated so I have one set of unseal keys to manage all of them. Is there any way to do this currently? If not, is there anything planned?

Hi Ben,

The intended behaviour is as you describe, a rekey updates all nodes. Please file a GitHub issue and we’ll investigate.

@ben-turner Sorry that you couldn’t get it working the way you expected. We tried reproducing the issue but couldn’t. Maybe the steps you took weren’t ideal. Can you please retry, and if you run into the same issue, let us know. I am happy to share a script that shows how this works.

Thank you both for your replies. I believe this was a problem with the output of vault status in this situation rather than a problem with the actual keying. I haven’t had a chance to explore further now that I have it working, but I will be sure to file a bug if I find anything reproducible that I can report.