Hi Team,
My requirement is - Setting up highly available vault on kubernetes cluster & Migrating data from existing vault to new vault(which will be setup on k8s).
Couple of questions on this
This depends partly on your setup. So perhaps answering some questions first would help.
I am planning to leverage autounseal concept i.e âauto unseal with aws kmsâ and etcd as storage backend.
Thank you for the information! You mention âplanning toâ, what are you currently using?
details are as follows.
Existing Vault:
aws kms for unseal keys
etcd as storage backend
New Vault(yet to create in k8s)
aws kms for unseal keys
Integrated storage as backend
WIth that setup there are two best possibilities, one easier than the other.
vault operator migrate) from etcd to Raft storage.etcd cluster only to then restore the etcd cluster on the new cluster.Some notes:
vault operator raft list-peers
Thanks a lot for the info. I will give a try on the first option.
hi can you please help me on migration of below scenario.
old setup
gcp kms for unseal keys
gcp storage bucket for backend
new setup
was kms for unseal
raft for backend
I have managed the unseal part but badly stuck with backend
The same steps would work for you. Use the vault operator migrate command to migrate from GCP storage to Raft.
Thanks for your reply I have tried the same steps but getting below error, the issue may be because vault is running mode but not sure how can I stop in pod
Error migrating: error mounting âstorage_destinationâ: failed to create fsm: failed to open bolt file: timeout
What is your mount setup? Permissions, mount type, etc. And what kind of cluster setup do you have? How are they connected?
here is my values.yaml file
global:
enabled: true
tlsDisable: false
injector:
enabled: true
replicas: 1
port: 8080
leaderElector:
enabled: true
metrics:
enabled: false
injector.
image:
repository: âhashicorp/vault-k8sâ
tag: â0.14.2â
pullPolicy: IfNotPresent
agentImage:
repository: âhashicorp/vaultâ
tag: â1.9.3â
cpuLimit: â500mâ
cpuRequest: â250mâ
memLimit: â128Miâ
memRequest: â64Miâ
exitOnRetryFailure: true
staticSecretRenderInterval: ââ
logLevel: âinfoâ
logFormat: âstandardâ
revokeOnShutdown: false
affinity: |
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchLabels:
app.kubernetes.io/name: {{ template âvault.nameâ . }}-agent-injector
app.kubernetes.io/instance: â{{ .Release.Name }}â
component: webhook
topologyKey: kubernetes.io/hostname
server:
enabled: true.
secretKey: âlicenseâ
image:
repository: âhashicorp/vaultâ
tag: â1.9.3â
failureThreshold: 2
initialDelaySeconds: 5
successThreshold: 1
timeoutSeconds: 3
livenessProbe:
enabled: false
path: â/v1/sys/health?standbyok=trueâ
failureThreshold: 2
initialDelaySeconds: 60
periodSeconds: 5
successThreshold: 1
timeoutSeconds: 3
terminationGracePeriodSeconds: 10
extraVolumes:
- type: secret
name: vault-tls
affinity: |
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchLabels:
app.kubernetes.io/name: {{ template âvault.nameâ . }}
app.kubernetes.io/instance: â{{ .Release.Name }}â
component: server
topologyKey: kubernetes.io/hostname
service:
enabled: true
dataStorage:
enabled: true
size: 50Gi
mountPath: â/vault/dataâ
storageClass: null
enabled: false
size: 50Gi
mountPath: â/vault/auditâ
ha:
enabled: true
replicas: 3
apiAddr: null
raft:
enabled: true
setNodeId: true
config: |
ui = true
listener "tcp" {
address = "[::]:8200"
cluster_address = "[::]:8201"
tls_cert_file = "/vault/userconfig/vault-tls/vault.crt"
tls_key_file = "/vault/userconfig/vault-tls/vault.key"
}
storage "raft" {
path = "/vault/data"
}
service_registration "kubernetes" {}
seal "awskms" {
kms_key_id = âxxxxxxâ
disruptionBudget:
enabled: true
maxUnavailable: null
serviceAccount:
create: true
name: âvault-saâ
annotations:
eks.amazonaws.com/role-arn: arn:aws:iam::xxxxxxx:role/vault
it is mentioned in the documentation that vault should be offline during migration but I am running in pod so not sure how can I shutdown in pod
I am missing the entry for GCP storage. For Vault to be able to read out the GCP storage it first needs to read it out. Letâs start with that! 
I have migrated all the data to s3 bucket then then I logged in to my pod and created migrate.hcl file with below content
storage_source âs3â {
bucket = âxxxxxâ
region = âxxxxxâ
access_key = âxxxxxâ
secret_key = âxxxxxâ
session_token = ââ
}
storage_destination âraftâ {
path = â/vault/dataâ
node_id = âvault-0â
}
cluster_addr = âhttp://vault-0.vault-internal:8201â
but when I am running the migrator operator getting the below error
Error migrating: error mounting âstorage_destinationâ: failed to create fsm: failed to open bolt file: timeout
If possible can you look into this Using Letsencrypt certificates for Vault setup on kubernetes query
I have migrated the data from gcp bucket to s3 bucket thatâs why my source is s3 also if you can see the issue is with destination not the source, I have gone through itâs document operator migrate - Command | Vault by HashiCorp they mentioned that itâs an offline but I am doing it in k8 cluster so how can I stop vault
When I migrate from file storage to raft storage it creates a vault.db and a raft.db file. But to restore the data on the new cluster I need a .snap file. So I donât understand how to migrate using option 1? Can you please explain in more detail?
If you are migrating file to raft outside of the final destination cluster, you would need to start up a running Vault using your temporary migrated Raft data, and make a backup snapshot from that. You could then restore that snapshot into the final target cluster.