Closed gerardgorrion closed 3 years ago
1) You can use auto-unseal with Raft storage. All the options available on the left side bar here are supported.
2) If the goal is to only have HA support while Vault data is still stored in S3, that is supported too with the Raft-HA only option. See the ha_storage option here.
3) You can also choose to migrate completely to Raft storage which supports HA as well.
4) To migrate away from Raft storage back to S3, you can use the same vault operator migrate command with source and destination switched.
Hope this helps!
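The options listed in this reply, sketched as configuration fragments. This is an added example, not part of the original thread or the reporter's actual configuration; the bucket name, region, paths, node ID, addresses and KMS key ID are placeholders.

```hcl
# --- migrate.hcl (option 3: move all data from S3 to Raft) ---
# Run while the Vault server is stopped:
#   vault operator migrate -config=migrate.hcl
storage_source "s3" {
  bucket = "example-vault-bucket"        # placeholder
  region = "eu-west-1"                   # placeholder
}

storage_destination "raft" {
  path    = "/vault/data"                # placeholder: persistent volume mount
  node_id = "vault-0"                    # placeholder
}

# Needed in the migration file when the destination is raft.
cluster_addr = "https://vault-0.vault-internal:8201"   # placeholder

# Option 4 (Raft back to S3): the same command, with "raft" as
# storage_source and "s3" as storage_destination.

# --- server config after the migration (options 1 and 3) ---
storage "raft" {
  path    = "/vault/data"
  node_id = "vault-0"
}

# The seal is set in the server config, not in migrate.hcl, so
# auto-unseal with AWS KMS stays in place on Raft storage.
seal "awskms" {
  region     = "eu-west-1"               # placeholder
  kms_key_id = "REPLACE-WITH-KMS-KEY-ID" # placeholder
}

# --- alternative server config (option 2): data stays in S3,
# --- Raft is used only for HA coordination
storage "s3" {
  bucket = "example-vault-bucket"
  region = "eu-west-1"
}

ha_storage "raft" {
  path    = "/vault/ha"                  # placeholder
  node_id = "vault-0"
}
```

The server fragments omit the listener, api_addr and cluster_addr settings that a complete server file also needs.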
Describe the bug
Currently, we have a Vault deployed in Kubernetes, on the AWS EKS service. We don't have any HA yet, because the initial deployment used the S3 backend, using KMS to encrypt.
Now we want to use HA and not use external storage. Using the volume snapshot utility added in Kubernetes 1.17, we are trying to mount it on the integrated storage backend, in Raft mode.
To migrate from the standalone S3 backend to HA Raft storage, we use vault operator migration, and after that, we can use volume snapshots to recover Vault into the same HA mode, Raft.
The problem is: can we only recover into Raft mode? Can we migrate Raft data to another backend after the HA migration?
We deploy as autokms, but in the migration info, vault status shows shamir as the origin backend (the initial deployment was done with init, and KMS was then added to unseal).
Does the HA mode always use shamir? Is there some way to migrate shamir to autokms?
To Reproduce
Steps to reproduce the behavior:
Expected behavior
We want to use an HA backend, but we want the possibility to migrate to another backend after changing to Raft mode.
Environment:
vault status: 1.7.2
vault version: Vault v1.7.2 (db0e4245d5119b5929e611ea4d9bf66e47f3f208)
Vault server configuration file(s):
Additional context
Add any other context about the problem here.