How to get secret from the old vault

[pivotal-bin-ju]

• ln -s vault old-vault
• modify the values.yml as the link: https://github.com/concourse/hush-house/commit/a67e29530ae62f89c8734d6e1ab5c63494037cf8#diff-d24a33e8880f0c828e714a8df1a93b39L20-R33 (this would have FS as the backend, and use the key for auto-unseal)
• make deploy-old-vault
• kubectl cp vault/vault-0:/vault/data /tmp/data(you can zip the folder then do the copy)
• kubectl cp /tmp/data old-vault/old-vault-0:/vault/data(if you zipped the data, please unzip it)
• kubectl delete -n old-vault /old-vault-0 (recreate the pod)
• kubectl exec -it -n old-vault old-vault-0 /bin/sh, and export VAULT_SKIP_VERIFY=true, then vault login with the token of the old vault in lastpass, you should be able to login. all the old vault data should be there.

• Do the data sync check between the old-vault and vault. We could leverage the migration tool to sync the data. You could either offline mode (export first, then import) or the online mode. Here is the example for online mode.

  • port-forwarding the both vault if they are not reachable from your host.

  • run the verify command. e.g.:

    go run main.go -source-addr="https://localhost:8201" -source-token="7b35793c-a809-7406-b14c-73611506626a" --target-addr="https://localhost:8200" --target-token="s.CAAuHWSvkHkdmmCLS123cT03" --dry-run=true --debug=true --root-path=/concourse/main --root-path=/concourse/shared

    if dry-run=true, the tool does not apply the change to the target vault, just show you the differences.

[pivotal-bin-ju]

Hi @clarafu and @xtreme-sameer-vohra , sorry about data loss of resources team. I can not access the pod anymore, maybe the admin granted me access to the new team and meanwhile I lost access to concourse (That is my guess, I will investigate it later). So I can not verify the steps above. Any problems or questions please just let me know.

[cirocosta]

Thanks for documenting the process, @pivotal-bin-ju !

We've been running ci.concourse-ci.org with secrets all sorted out 😁 going to close this one then (also, resources moved to main team so that we can set them from set-pipeline step - https://concourse-ci.org/set-pipeline-step.html)