Vault Sealed when tried to restore backup

Consul
1

When I tried to restore an existing backup of keys into vault pods, all pods got sealed and I could not unseal even with unseal Key.
Steps: Backup File k8s-backup

#copying the backup folder into consul sever.
Step 1: kubectl cp /tmp/k8s-backup consul-consul-server-0:/tmp 
#restoring
Step 2: onsul snapshot restore /tmp/k8s-backup

Result in all Vault Pods got sealed and failed to unseal even with unsealing key.

could it be because of consul key has to be passed during the vault initialization?

2

Hi @rdeb22,

Thanks for posting this question. i see that you posted this on GitHub Issues as well. I’ll try focusing the conversation here to answer your questions :slight_smile:

Does this happen consistently? Can you post the steps to replicate it?
How are you doing your backup initially?

Thanks!

3

Hello @jsosulska

Thank you so much for replying, greatly appreciated.

  1. So, I have vault+consul setup in place and have been creating backup and restore using the commands.
consul snapshot save /tmp/k8s-backkup
consul snapshot restore /tmp/k8s-backup

  1. Now I am trying to move my setup to k8s.
    I have launched consul server + vault in k8s in same namespace pods are running.

  2. So, when trying to migrate, Took backup of the keys of the existing consul server (Standalone) and copied to K8s consul-server-pods.

kubectl cp /tmp/k8s-backup consul-consul-server-0:/tmp
  1. After doing that, I see the vault pods, got sealed. vault-0 0/1 running
    Now I tried to unseal them with my unseal key but it’s not getting unsealed sadly.

Thanks in advance.

Also, a question which I think could be a issue, in standalone servers, while initializing the vault server we pass a consul-key which we get while setting up consul server, but this step was not done in k8s, as I followed your official documentation. :slight_smile:

4

Hello @jsosulska

Can you please take a look and provide me a update.

5

Hi @rdeb22,

I am looking into this a bit more. I’ve also asked some folks with a bit more Kubernetes background for help in chiming in :slight_smile:

I’ll update here when I have more information :slight_smile: For anyone reading the thread, feel free to pitch in!

6

Hi @jsosulska this discussion looks vague. I don’t think I would be getting a response ever.