A new video explaining how to migrate from AWS KMS back to Shamir would be appreciated :)
Amazing explanation. Thanks a lot for sharing.
Glad it was helpful!
If you have a Raft cluster, you need to do this "unseal -migrate" on the followers, but do a "vault operator step-down" on the leader.
Right, each node needs to be migrated separately. You shouldn't have to do a "vault operator step-down" since the first node should automatically become the cluster leader.
Hi Bryan, I installed Vault on the cluster in a new namespace and service account, and I'm unable to perform auto-unseal using AWS KMS. I think I'm missing some points here. I don't have a configuration file to change; I'm just creating a new file and applying the changes, but it is not reflected.
Amazing... You help save a significant amount of time. :D
Glad to hear that!
Great tutorial!
What happens when the KMS key expires? Do you have to update the Vault config periodically?
KMS keys in AWS don't expire... unless you schedule them for deletion. But... don't do that, haha. It's the equivalent of encrypting data with a PGP key and then losing the private key - you can't decrypt the data.
For Vault, this means you will NOT be able to unseal Vault if the service gets restarted, and you should export/migrate data to a new cluster immediately.
Thanks, we are in the exact same situation. We just moved from on-prem to EKS and thought of using auto-unseal.
Q: Do we have any Kubernetes Vault operator that does migration?
I don't think the Vault Operator will help with migration in this case.
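For the seal migration discussed above (Shamir to AWS KMS, and the reverse migration asked about earlier), the following is an added configuration example, not from the video or the commenters. The region and the key id are placeholders; the awskms seal picks up AWS credentials from the usual SDK chain (environment, instance profile, or the pod's IAM role for a service account).

```hcl
# Added example: seal stanza for migrating a Shamir-sealed Vault to AWS KMS.
# 1. Add this stanza to every node's config and restart Vault.
# 2. Run "vault operator unseal -migrate" with the existing Shamir unseal keys.
# After migration the Shamir keys become recovery keys; the KMS key itself is
# now required to unseal, so scheduling it for deletion makes the data
# unrecoverable after the next restart.
seal "awskms" {
  region     = "us-east-1"               # placeholder: region of the KMS key
  kms_key_id = "REPLACE_WITH_KMS_KEY_ID" # placeholder: alias or key id
}

# Added example: the same stanza when migrating back from AWS KMS to Shamir.
# Setting disabled = "true" tells Vault to treat the KMS seal as the *old*
# seal; restart and run "vault operator unseal -migrate" with the recovery
# keys, which then become Shamir unseal keys again. The KMS key must still
# be reachable during this migration, which is why it must not be deleted first.
seal "awskms" {
  disabled   = "true"
  region     = "us-east-1"               # placeholder
  kms_key_id = "REPLACE_WITH_KMS_KEY_ID" # placeholder
}
```

Only one of the two stanzas is present in a real config at a time; they are shown together here to contrast the migration directions.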