Vault - Reinitialize / update vault

Hello,

We want to reinitialize the Vault cluster.
For example: I have an initialized Vault cluster, and I want to enable or change a config field and reinitialize.

Currently we understand it is not allowed; it gives an error that Vault is already initialized.

Please advise.

Regards,
Pasha

Hi.

What kind of config would you change?

Based on what I have read in the docs you can change most configs (if you have the rights) after Vault is initialized.

Do you mean change the master or encryption key? That can be done after init too. See https://www.vaultproject.io/docs/internals/rotation

Hi,

For example, if I have initialized Vault with the logging level as warning.
If I want to change the warning level to debug for a duration of, let's say, 2 hours and revert to warning level.

Currently I understand that I will have to take a backup, destroy/delete the vault, reinit with the log change and a couple of times.

Is there a way I can change the Vault logging level while it is initialised?

Regards

Hi pashafirdous,

Log level is not connected to storage: you set it in your config file or on the command line every time you run Vault. It’s not connected to init, except insofar as you can choose the log level to run the CLI init command with.

Also, as of 1.5 (release candidate came out yesterday) you can run vault monitor to stream logs at whatever log level you like, without restarting Vault or modifying the log level of the logs that get written to disk.

Hi Team,

I get what you say. However, one of the asks/requirements I have at this point in time is…

If I have initialized Vault with, let’s say, a replica count of 2, and now I want to upgrade that to a slightly higher count such as 3/4, in the present workflow I would have to destroy and then init again with the new count.

How can I update the replica without destroying it while it is in init mode? This is just 1 use case; I might have many others pertaining to it.

If by “replica count” you mean seal shares and thresholds, the rekey command can change those.

When I say replica count, it means “no. of Vault containers/pods”, which represents the HA mode.

This is how it looks as an example.

vault-0
vault-1
vault-2

Ah, it sounds like you’re asking about the vault-k8s integration, which I have no experience with. I’m sorry I don’t have an answer for you, other than that it should not require re-initialization. Can you not just upgrade the helm chart and change the settings?