hashicorp / vault

A tool for secrets management, encryption as a service, and privileged access management
https://www.vaultproject.io/

Migration from raft to external/internal storage backend #11831

Closed gerardgorrion closed 3 years ago

gerardgorrion commented 3 years ago

Describe the bug

Currently we have Vault deployed into Kubernetes, that is, into the AWS EKS service. Right now we don't have any HA, because the initial deploy was with the s3 backend, using KMS to encrypt.

Now we want to use HA without external storage, and, using the volume snapshot utility added in Kubernetes 1.17, we try to mount it in the integrated storage backend, raft mode.

To migrate from the standalone s3 backend to HA raft storage, we use vault operator migrate, and after that we can use volume snapshots to recover Vault into the same HA mode, raft.

The problem is: can we only recover into raft mode? Can we migrate raft data into another backend after the HA migration?

We deploy with auto KMS, but in the migration output, vault status shows shamir as the origin backend (the initial deploy was with init, and then we added KMS to unseal).

Does HA mode always use shamir? Is there some way to migrate from shamir to auto KMS?

To Reproduce

Steps to reproduce the behavior:

  1. Run Vault from Helm (version 0.12)
  2. Run `vault operator migrate -config=migrate.hcl`

Expected behavior

We want to use an HA backend, but we also want the possibility to migrate to another backend after changing to raft mode.

Environment:

Vault server configuration file(s):

storage_source "s3" {
  bucket     = "storage to migrate"
  region     = "region"
  access_key = "access key"
  secret_key = "access key"
}

storage_destination "raft" {
  path = "/vault/data"
  node_id = "vault-0"
}
cluster_addr = "https://vault-0.vault-internal:8201"

Helm chart values:

    global:
      tlsDisable: false
    injector:
      enabled: false
    server:
      image:
        tag: "1.7.2"
      dataStorage:
        size: 2Gi
        storageClass: "class-sc"
      extraSecretEnvironmentVars: 
        - envName: AWS_ACCESS_KEY_ID
          secretName: vault-conf
          secretKey: aws-secret-access-key
        - envName: AWS_SECRET_ACCESS_KEY
          secretName: vault-conf
          secretKey: aws-secret-key
        - envName: VAULT_AWSKMS_SEAL_KEY_ID
          secretName: vault-conf
          secretKey: kms-key-id
      extraEnvironmentVars:
        VAULT_CACERT: /vault/tls/ca.crt 
      volumes:
        - name: tls 
          secret:
            secretName: vault-tls
      volumeMounts:
        - mountPath: /vault/tls
          name: tls  
          readOnly: true
      ha:
        enabled: true
        replicas: 3
        raft:
          enabled: true
          setNodeId: true
          config: |
            ui = true

            listener "tcp" {
              tls_disable        = "false"
              address            = "[::]:8200"
              cluster_address    = "[::]:8201"
              tls_cert_file      = "/vault/tls/tls.crt"
              tls_key_file       = "/vault/tls/tls.key"
              tls_client_ca_file = "/vault/tls/ca.crt"
            }

            storage "raft" {
              path = "/vault/data"

              retry_join {
                leader_api_addr         = "https://vault-0.vault-internal:8200"
                leader_client_cert_file = "/vault/tls/tls.crt"
                leader_client_key_file  = "/vault/tls/tls.key"
                leader_ca_cert_file     = "/vault/tls/ca.crt"
              }
              retry_join {
                leader_api_addr         = "https://vault-1.vault-internal:8200"
                leader_client_cert_file = "/vault/tls/tls.crt"
                leader_client_key_file  = "/vault/tls/tls.key"
                leader_ca_cert_file     = "/vault/tls/ca.crt"
              }
              retry_join {
                leader_api_addr         = "https://vault-2.vault-internal:8200"
                leader_client_cert_file = "/vault/tls/tls.crt"
                leader_client_key_file  = "/vault/tls/tls.key"
                leader_ca_cert_file     = "/vault/tls/ca.crt"
              }

            }
            seal "awskms" {
              region     = "region"
            }

            disable_mlock = true
            cluster_addr = "https://vault-0.vault-internal:8201"

            service_registration "kubernetes" {}
    ui:
      enabled: true
      publishNotReadyAddresses: true
      activeVaultPodOnly: false
      serviceType: "ClusterIP"
      serviceNodePort: null
      externalPort: 80


vishalnayak commented 3 years ago

1) You can use auto-unseal with Raft storage. All the options available in the left sidebar here are supported.

2) If the goal is only to have HA support while Vault data is still stored in S3, that is supported too with the Raft HA-only option. See the ha_storage option here.

3) You can also choose to migrate completely to Raft storage which supports HA as well.

4) To migrate away from Raft storage back to S3, you can use the same vault operator migrate command with source and destination switched.

Hope this helps!
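The Raft HA-only layout from point 2 and the reverse migration from point 4, written out as an added example (not configuration from the issue or from HashiCorp); bucket, region and the file names are placeholders, while the TLS paths, pod names and environment variables are the ones from the issue's own config.

```hcl
# vault.hcl: Raft for HA coordination only; secret data stays in S3.
ui            = true
disable_mlock = true
api_addr      = "https://vault-0.vault-internal:8200"
cluster_addr  = "https://vault-0.vault-internal:8201"   # required with Raft

listener "tcp" {
  address            = "[::]:8200"
  cluster_address    = "[::]:8201"
  tls_cert_file      = "/vault/tls/tls.crt"
  tls_key_file       = "/vault/tls/tls.key"
  tls_client_ca_file = "/vault/tls/ca.crt"
}

# Data backend: the existing bucket, untouched. Credentials come from the
# AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY env vars, never from this file.
storage "s3" {
  bucket = "PLACEHOLDER-bucket"
  region = "PLACEHOLDER-region"
}

# HA backend: Raft holds only cluster/leadership state here, so no secret
# data lands on the PVC, but each pod still needs its own node_id.
ha_storage "raft" {
  path    = "/vault/data"
  node_id = "vault-0"
}

# Auto-unseal is independent of the storage choice; the key id comes from
# VAULT_AWSKMS_SEAL_KEY_ID as in the Helm values above.
seal "awskms" {
  region = "PLACEHOLDER-region"
}

service_registration "kubernetes" {}

# migrate-back.hcl: reply point 4, the original migrate.hcl with the stanzas
# swapped. Run it with every Vault server stopped:
#   vault operator migrate -config=migrate-back.hcl
storage_source "raft" {
  path    = "/vault/data"
  node_id = "vault-0"
}

storage_destination "s3" {
  bucket = "PLACEHOLDER-bucket"
  region = "PLACEHOLDER-region"
}

cluster_addr = "https://vault-0.vault-internal:8201"   # Raft on either side needs it
```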