Vault - Unsealing clarification needed

Hello, I read the documentation but to be honest, I was unable to find any direct answers about clustering and auto-unsealing. To be straight:

  • If I create a cluster and one of the nodes goes down, will this particular node be able to auto-unseal itself? Does any node joining the cluster need to be manually unsealed?
  • If nodes joining the cluster obtain the master key automatically, what happens if the whole cluster goes down (crash or planned restart)? Do administrators need to manually unseal all of the nodes or just one?
  • In the documentation of the transit and Raft auto-unseal approach, one of the vaults is marked as master and auto-unseals the other vault. Can it be configured so that if Vault 1 goes down, Vault 2 will also be able to auto-unseal the other vault?
  • Are there any restrictions on the mechanisms described in the above questions when using auto-unseal (Raft) and all vaults are configured as one cluster?

I will reply to myself after checking it manually:

  • The cluster does not have the ability to auto-unseal its pods. Any pod which goes down needs to be manually unsealed.
  • A separate cluster / node is needed to provide the auto-unsealing method.
  • The funny part is that we can create mutual auto-unsealing for two clusters, but if everything goes down there is a problem with migrating one of them to use the Shamir unsealing method. So there is a risk that it will be sealed for eternity - https://itnext.io/mutual-auto-unseal-two-vault-clusters-in-kubernetes-465516da98f8
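
The cold-start problem from the last point, modelled as an added example (not part of the original post): each cluster is either Shamir-sealed or transit-auto-unsealed by a provider cluster, and the function works out which clusters can be unsealed when everything starts sealed. The cluster names and the `cold_start_plan` helper are hypothetical; the model assumes a transit-sealed cluster can only be unsealed while its provider is itself unsealed and reachable.

```python
"""Added example: which Vault clusters can come back after a total outage?"""

SHAMIR = "shamir"    # unsealed manually by operators holding key shares
TRANSIT = "transit"  # auto-unsealed through another Vault's transit engine


def cold_start_plan(seals):
    """seals maps cluster -> (SHAMIR, None) or (TRANSIT, provider_cluster).

    Every cluster starts sealed. Returns (order, stuck): the order in which
    clusters can be unsealed, and the set that can never be unsealed.
    """
    unsealed, order = set(), []
    progress = True
    while progress:  # repeat until a full pass unseals nothing new
        progress = False
        for name in sorted(seals):
            if name in unsealed:
                continue
            kind, provider = seals[name]
            # Shamir needs only operators; transit needs an unsealed provider.
            if kind == SHAMIR or (kind == TRANSIT and provider in unsealed):
                unsealed.add(name)
                order.append(name)
                progress = True
    return order, set(seals) - unsealed


# Constructed topologies (assumed names, not taken from the post).
CHAINED = {"vault-1": (SHAMIR, None), "vault-2": (TRANSIT, "vault-1")}
MUTUAL = {"vault-1": (TRANSIT, "vault-2"), "vault-2": (TRANSIT, "vault-1")}
THREE_TIER = {
    "apps": (TRANSIT, "infra"),
    "infra": (TRANSIT, "root"),
    "root": (SHAMIR, None),
}

if __name__ == "__main__":
    for label, topo in (("chained", CHAINED), ("mutual", MUTUAL),
                        ("three-tier", THREE_TIER)):
        order, stuck = cold_start_plan(topo)
        print(f"{label}: unseal order={order} stuck={sorted(stuck)}")
```

A topology is safe to cold-start only when `stuck` is empty, which requires every transit chain to end at a Shamir-sealed cluster.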