Vault Upgrade Path

Hello,

I have a Vault instance (v0.11.3) using Consul (v1.2.3) as a backend. Currently it’s a 5-node cluster, running as Docker containers in a group of 5 virtual machines.

I’m looking to upgrade my cluster to the latest (or at least 1.5+). I have done upgrades before and I’ve always done 1 version increment at a time (for example, 0.8 → 0.9 → 0.10 → 0.11). Please note that I have a test cluster that mimics the production setup, which I use to test all upgrades first. I have a couple questions:

  1. Let’s say I’ve checked the changelog and official Vault upgrade docs and I don’t notice anything that would “break” my setup. Is it required to upgrade in 1 major version increments (as I describe above)? Or could I go straight from 1.1.3 to 1.3.10, for example?

  2. Since I’m using Consul as the backend, is the Vault version dependent on the Consul version? I didn’t see any mention of this in the upgrade docs. In other words, can I upgrade Vault from 0.11 to 1.5 without upgrading Consul?

Also, I would be interested to hear from anyone that has done a similar multi-version upgrade. Are there any recommendations or pitfalls I should be aware of?

I can provide more information if needed. Thank you very much.

Not required, but 0.x is pretty dated. I would go to 1.1, then 1.6 but have zero hard facts on if going straight to 1.6 would break anything. I have done 1.1 right to 1.5.

No, it is not. But as you upgrade Consul, be mindful of the ACL change around 1.4 or 1.6?
I’d move to integrated storage unless you have specific Consul needs. Upgrade Vault only, then migrate to int storage, and get out of the Consul management just for Vault (of course keep using Consul if you need to for service discovery/registration/DNS/etc).


I’m glad to hear this version jump worked for you. Hopefully this will save me some time. I didn’t plan to go straight to 1.6 anyway. Thank you!

Great to know! I’ll keep this in mind.

I just read the docs on integrated storage. Very interesting. Our apps have pretty tight integration with not only Vault, but also the Consul KV. Moving to integrated storage might require some refactoring.

According to this doc, integrated storage is bootstrapped during the initialization process. Do you know if an existing Vault cluster can be changed to integrated storage without creating a separate Vault instance and somehow migrating the data?

You can do an in-place migration with vault operator migrate.

So you would upgrade to 1.5.x first, atop Consul, then migrate from Consul to integrated storage.

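A migration configuration for the Consul-to-integrated-storage step described in the last two replies, as an added example that is not part of the original thread. It assumes Vault has already been upgraded and is stopped on the node where the command runs; the file name, Consul address, KV path, data directory, node ID and cluster address are all placeholder values.

```hcl
# migrate.hcl (hypothetical file name), read by `vault operator migrate`.
# This is a separate file from the Vault server configuration.
#
# Before running:
#   - Stop Vault on every node. The migration is intended as an offline
#     operation so the copied data is consistent.
#   - Take a Consul snapshot so the source data can be restored if needed.
#   - The destination directory must be empty: the target storage must not
#     have been initialized before the migration.

# Source: the existing Consul backend. Use the same address and path as the
# `storage "consul"` stanza in the current Vault server configuration.
storage_source "consul" {
  address = "127.0.0.1:8500"   # placeholder: local Consul agent
  path    = "vault/"           # placeholder: KV prefix Vault writes under
  # token = "..."              # only if Consul ACLs are enforced; supply your own
}

# Destination: integrated storage (raft) on local disk.
storage_destination "raft" {
  path    = "/vault/raft"      # placeholder: empty directory owned by the vault user
  node_id = "vault-node-1"     # placeholder: unique ID for this node
}

# Required when the destination is raft: the address this node will
# advertise to the other cluster members.
cluster_addr = "https://vault-node-1.example.internal:8201"   # placeholder
```

Run it with `vault operator migrate -config=migrate.hcl`, then change the server's own `storage` stanza to `raft` with the same path and node ID before starting Vault and unsealing it with the existing keys. The Consul data is left in place, so keep it until the new cluster has been verified.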