Upgrading HashiCorp Vault
Note
This guide refers to the Vault cluster that can be deployed with Tarook through yk8s.k8s-service-layer.vault, not the instance of Vault used by Tarook to store secrets.
Procedure
Follow the instructions for “Upgrading Vault on Kubernetes” in HashiCorp Vault’s documentation: https://developer.hashicorp.com/vault/docs/v1.19.x/deploy/kubernetes/helm/run#upgrading-vault-on-kubernetes.
Additional notes:
For backing up Vault, do one of the following actions:
Configure automatic backups (recommended)
Create a Raft storage snapshot:
vault operator raft snapshot save ./vault-raft-snapshot
You may quickly verify that the snapshot is valid by running:
vault operator raft snapshot inspect ./vault-raft-snapshot
Tarook uses Helm to deploy Vault. Instead of interacting with Helm directly, do the following:
Set yk8s.k8s-service-layer.vault.chart_version to the new version of the Vault Helm chart you want to deploy
Roll out the new version:
./managed-k8s/actions/apply-k8s-supplements.sh install-vault.yaml
Tarook configures the Vault Helm chart to deploy Vault in ha mode with 3 replicas; therefore, follow the instructions specific to ha mode. Removing the standby peers from Raft before deleting their Pods is not strictly needed.
If you still remove them, note that Vault does not support rejoining peers into the cluster. Instead, those need to be joined as new peers which can be done by deleting the corresponding PersistentVolumeClaims along with the Pods.
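The backup and rollout notes above can be chained so that the rollout only starts once a snapshot has been written and passes inspection. The following is an added example, not part of Tarook or the Vault documentation; the function names and the "run" argument are hypothetical, and it assumes VAULT_ADDR and a valid token are set and that it is started from the cluster repository root.

```shell
#!/bin/sh
# Added example (hypothetical helper, not Tarook's own tooling).
# Gate the Vault chart rollout on a Raft snapshot that exists and inspects cleanly.
set -eu

# Save a Raft snapshot to $1 and fail unless it is non-empty and inspectable.
snapshot_and_verify() {
    # The snapshot holds the cluster's whole storage, so create it owner-only.
    ( umask 077; vault operator raft snapshot save "$1" ) || return 1
    [ -s "$1" ] || { echo "snapshot $1 is empty" >&2; return 1; }
    vault operator raft snapshot inspect "$1" >/dev/null || {
        echo "snapshot $1 failed inspection" >&2
        return 1
    }
}

# Take the backup first; roll out only when it verified.
upgrade_vault() {
    snap="${1:-./vault-raft-snapshot-$(date +%Y%m%d-%H%M%S)}"
    snapshot_and_verify "$snap" || {
        echo "aborting rollout: no valid backup" >&2
        return 1
    }
    echo "snapshot verified: $snap"
    # chart_version must already be set in the cluster configuration.
    ./managed-k8s/actions/apply-k8s-supplements.sh install-vault.yaml
}

# Nothing runs unless the script is called as: ./upgrade-vault.sh run [snapshot-path]
if [ "${1:-}" = "run" ]; then
    upgrade_vault "${2:-}"
fi
```

Copy the verified snapshot off the machine before the rollout, since a backup that only exists next to the cluster it protects is of limited use.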