hashicorp / vault-helm

Helm chart to install Vault and other associated components.
Mozilla Public License 2.0

Error migrating vault backend from raft to s3 #552

Open gerardgorrion opened 3 years ago

gerardgorrion commented 3 years ago

Describe the bug
Recently we wanted to change the standalone vault to HA mode. To do it, we did the migration with the migrate command and this config (migrate-old.hcl):

storage_source "s3" {
  bucket     = "namebucket"
  region     = "region"
  access_key = "AWS access key"
  secret_key = "AWS secret key"
}

storage_destination "raft" {
  path = "/vault/data"
  node_id = "vault-0"
}
cluster_addr = "http://vault-0.vault-internal:8201"

Now we are trying to migrate the new vault backend from Raft to s3 again. To do it, we put the HA node into standby mode and try to run the migration with this config (migrate.hcl):

storage_source "raft" {
  path = "/vault/data/raft"
}

storage_destination "s3" {
  bucket     = "namebucket-new"
  region     = "region"
  access_key = "AWS access key"
  secret_key = "AWS secret key"
}

And the success message is shown, but no info is backed up into the s3 bucket (if the bucket does not exist, an error is shown that the s3 backend is unreachable).

To Reproduce
Steps to reproduce the behavior:

  1. Install the chart
  2. Run the vault command
    $ vault operator migrate -config /home/vault/migrate.hcl
    Success! All of the keys have been migrated.
  3. See error (vault logs, etc.) --> No logs about the migration running are shown in the vault pod

Expected behavior
The Raft info should be copied into the new s3 bucket.

Environment

Chart values:

    global:
      tlsDisable: false
    injector:
      enabled: false
    server:
      image:
        tag: "1.7.2"
      dataStorage:
        size: 2Gi
        storageClass: "class-sc"
      extraSecretEnvironmentVars: 
        - envName: AWS_ACCESS_KEY_ID
          secretName: vault-conf
          secretKey: aws-secret-access-key
        - envName: AWS_SECRET_ACCESS_KEY
          secretName: vault-conf
          secretKey: aws-secret-key
        - envName: VAULT_AWSKMS_SEAL_KEY_ID
          secretName: vault-conf
          secretKey: kms-key-id
      extraEnvironmentVars:
        VAULT_CACERT: /vault/tls/ca.crt 
      volumes:
        - name: tls 
          secret:
            secretName: vault-tls
      volumeMounts:
        - mountPath: /vault/tls
          name: tls  
          readOnly: true
      ha:
        enabled: true
        replicas: 3
        raft:
          enabled: true
          setNodeId: true
          config: |
            ui = true

            listener "tcp" {
              tls_disable        = "false"
              address            = "[::]:8200"
              cluster_address    = "[::]:8201"
              tls_cert_file      = "/vault/tls/tls.crt"
              tls_key_file       = "/vault/tls/tls.key"
              tls_client_ca_file = "/vault/tls/ca.crt"
            }

            storage "raft" {
              path = "/vault/data"

              retry_join {
                leader_api_addr         = "https://vault-0.vault-internal:8200"
                leader_client_cert_file = "/vault/tls/tls.crt"
                leader_client_key_file  = "/vault/tls/tls.key"
                leader_ca_cert_file     = "/vault/tls/ca.crt"
              }
              retry_join {
                leader_api_addr         = "https://vault-1.vault-internal:8200"
                leader_client_cert_file = "/vault/tls/tls.crt"
                leader_client_key_file  = "/vault/tls/tls.key"
                leader_ca_cert_file     = "/vault/tls/ca.crt"
              }
              retry_join {
                leader_api_addr         = "https://vault-2.vault-internal:8200"
                leader_client_cert_file = "/vault/tls/tls.crt"
                leader_client_key_file  = "/vault/tls/tls.key"
                leader_ca_cert_file     = "/vault/tls/ca.crt"
              }

            }
            seal "awskms" {
              region     = "region"
            }

            disable_mlock = true
            cluster_addr = "https://vault-0.vault-internal:8201"

            service_registration "kubernetes" {}
    ui:
      enabled: true
      publishNotReadyAddresses: true
      activeVaultPodOnly: false
      serviceType: "ClusterIP"
      serviceNodePort: null
      externalPort: 80

Additional context
Add any other context about the problem here.
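A preflight check for a migrate config, added here as an example and not part of the report or of vault-helm: it parses the flat `storage_source` / `storage_destination` blocks, rejects a config with a duplicated or missing block, flags a source raft path that holds no store (assumption: Vault's raft backend keeps `vault.db` directly under `path`, so a path without it is an empty store and migrating from it copies nothing while still printing the success message), and flags static AWS keys in the file. The sample config below is a constructed copy of the report's migrate.hcl with placeholder credentials; the `exists` predicate is injected so the check runs offline.

```python
import re

# Constructed copy of the migrate.hcl from the report above (credentials are placeholders).
ISSUE_MIGRATE_HCL = '''
storage_source "raft" {
  path = "/vault/data/raft"
}

storage_source "s3" {
  bucket     = "namebucket-new"
  region     = "region"
  access_key = "AWS access key"
  secret_key = "AWS secret key"
}
'''

# Top-level blocks of the form  kind "backend" { ... }  with flat key = "value" attributes.
# Assumption: migrate configs are flat, with the closing brace at column 0.
BLOCK_RE = re.compile(r'^(storage_source|storage_destination)\s+"([^"]+)"\s*\{(.*?)^\}',
                      re.M | re.S)
ATTR_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"', re.M)


def parse_blocks(text):
    """Return [(kind, backend, {attr: value}), ...] for every storage block."""
    return [(kind, backend, dict(ATTR_RE.findall(body)))
            for kind, backend, body in BLOCK_RE.findall(text)]


def check_migrate_config(text, exists):
    """Preflight a migrate config; `exists` is a path predicate so this runs offline."""
    blocks = parse_blocks(text)
    sources = [b for b in blocks if b[0] == "storage_source"]
    dests = [b for b in blocks if b[0] == "storage_destination"]
    problems = []
    if len(sources) != 1:
        problems.append(f"expected exactly 1 storage_source, found {len(sources)}")
    if len(dests) != 1:
        problems.append(f"expected exactly 1 storage_destination, found {len(dests)}")
    for kind, backend, attrs in sources + dests:
        if backend == "raft" and kind == "storage_source":
            path = attrs.get("path", "")
            # Assumption: the raft backend keeps vault.db directly under `path`; a path
            # without it is a fresh, empty store, so the migration would copy nothing.
            if not exists(f"{path}/vault.db"):
                problems.append(f"{kind}: no vault.db under raft path {path!r}")
        if backend == "s3" and ("access_key" in attrs or "secret_key" in attrs):
            # Static keys in the config file land on disk; the s3 backend also reads
            # AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY from the environment.
            problems.append(f"{kind}: static AWS keys in config, prefer env vars")
    return problems
```

Run `check_migrate_config(open("migrate.hcl").read(), os.path.exists)` on the node before `vault operator migrate`; an empty list means the config has one source, one destination, a populated raft source and no inline keys.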

Diksha9394 commented 2 years ago

Hey, can you list the steps of how you migrate the data? I am also doing the same but getting a timeout; the reason may be that I have not shut down Vault. Not sure how I can shut it down in a pod.

heatherezell commented 2 years ago

Hey, can you list the steps of how you migrate the data? I am also doing the same but getting a timeout; the reason may be that I have not shut down Vault. Not sure how I can shut it down in a pod.

You may get better results if you post your questions on our Discuss forum: https://discuss.hashicorp.com/c/vault/30 GitHub is more of a resource for reporting bugs and requesting enhancements, and Discuss is a better forum for asking questions and getting help. Thanks! :)