We are upgrading the Vault Helm chart to 0.20.0
- Running Raft storage / 3 replicas / single cluster / HA mode active
- Using AWS KMS seal and auto-unseal.
- Persistent volumes host the Vault config.
Recovery seal type is Shamir; we do not have the root key (Shamir) from when Vault was originally deployed.
- Launched a new node group; new Vault pods were created and initialised correctly, assigning the leader. 3 pods were unsealed using aws-kms.
- We have done a dry run of the Helm install and received no errors.
- A snapshot was taken via exec inside the Vault pods using the backup procedure: vault operator raft snapshot save backup.snap
Seal/Unseal - Upon running the new Helm Vault version image, the new pods will launch using the aws-kms unsealing/sealing process.
Once the new pods are created, will they require the Shamir keys to unseal?
Or will the aws-kms key handle this correctly and unseal similarly to when the new node group was launched?
Can we continue upgrading Vault versions without the Shamir root key, using aws-kms auto-unseal, or should we deploy a totally new Vault app install?
Vault is currently running in a production cluster and requires a version upgrade, but we were not provided with Shamir.
Support would be appreciated.
references:
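A pre-upgrade preflight check, added here as an example and not part of the original post: it parses the JSON from vault status -format=json on each pod and flags anything that should be resolved before rolling out the new chart (node still sealed, seal type other than awskms, no recovery seal, seal migration in progress). The JSON field names follow the Vault status API as I know it and are an assumption; the sample status is constructed.

```python
"""Preflight for a Raft/HA Vault cluster that auto-unseals with AWS KMS.

Run it against each pod (VAULT_ADDR pointed at the pod) before and after the
Helm rollout to confirm the seal configuration is what you expect.
"""
import json
import subprocess

EXPECTED_SEAL = "awskms"      # seal type Vault reports for the AWS KMS seal
EXPECTED_STORAGE = "raft"

# Constructed sample of `vault status -format=json` on a healthy node.
SAMPLE_STATUS = json.dumps({
    "type": "awskms", "initialized": True, "sealed": False,
    "migration": False, "recovery_seal": True, "storage_type": "raft",
    "ha_enabled": True, "is_self": True,
    "leader_address": "http://vault-0.vault-internal:8200",
})


def preflight(status_json: str) -> list:
    """Return a list of findings; an empty list means the node looks ready."""
    s = json.loads(status_json)
    findings = []
    if not s.get("initialized", False):
        findings.append("node is not initialized")
    if s.get("sealed", True):
        findings.append("node is sealed: auto-unseal did not complete")
    if s.get("type") != EXPECTED_SEAL:
        findings.append(f"seal type is {s.get('type')!r}, expected {EXPECTED_SEAL!r}")
    # Under an auto-unseal seal the Shamir shares are recovery keys only;
    # Vault reports that as recovery_seal=true (field name assumed).
    if not s.get("recovery_seal", False):
        findings.append("recovery_seal is false: node is not using recovery keys")
    if s.get("storage_type") != EXPECTED_STORAGE:
        findings.append(f"storage is {s.get('storage_type')!r}, expected {EXPECTED_STORAGE!r}")
    if not s.get("ha_enabled", False):
        findings.append("HA is not enabled")
    if s.get("migration", False):
        findings.append("a seal migration is in progress; finish it before upgrading")
    return findings


def run_preflight() -> list:
    """Query the node behind VAULT_ADDR (exit code 2 = sealed, so check=False)."""
    proc = subprocess.run(["vault", "status", "-format=json"],
                          capture_output=True, text=True, check=False)
    return preflight(proc.stdout)


if __name__ == "__main__":
    for finding in run_preflight() or ["OK: node ready for upgrade"]:
        print(finding)
```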