
Vault Upgrade Notes

How do I upgrade Vault? XDR runs Vault as an HA installation (one ACTIVE node plus STANDBY nodes). Vault upgrades are designed so that large version jumps are supported.

Backups

DynamoDB Backup

AWS Console > DynamoDB > Tables > vault-dynamodb > Backups > Create backup > Create on-demand backup > Customize settings > Backup with DynamoDB

Naming Scheme: vault-pre-upgrade-backup-<current-version>

Instance Backup

Update the profile, InstanceId, and the Name tag Value in the command below before running it. It creates snapshots of all volumes attached to the instance, including the boot volume (ExcludeBootVolume=false).

aws --profile mdr-test-c2-gov ec2 create-snapshots --instance-specification 'InstanceId=i-0afe11fb13db84d2c,ExcludeBootVolume=false' --tag-specifications 'ResourceType=snapshot,Tags=[{Key=Name,Value=vault-pre-upgrade-backup-1.5.5}]'

Upgrade Steps

READ THIS: https://www.vaultproject.io/docs/upgrading. Read ALL upgrade guides for the desired version and for every version being skipped.

  • Update the vault/init.sls salt file to the desired version.
  • Identify the ACTIVE/STANDBY nodes
    • salt vault* cmd.run cmd='VAULT_SKIP_VERIFY=1 VAULT_ADDR=https://127.0.0.1 vault status'
    • if you see "connection refused", the Vault service is not running on that node
    • STANDBY nodes will show "HA Mode standby"; the ACTIVE node will show "HA Mode active"
  • Properly shut down the STANDBY Vault nodes. Target only the standby nodes (not vault*) so the ACTIVE node keeps serving.
    • salt <standby-node> cmd.run 'systemctl stop vault'
  • Prep the upgrade by backing up the current Vault binary
    • Vault salt state will not upgrade if the current Vault binary is present
    • salt <standby-node> cmd.run 'mv /usr/local/bin/vault /usr/local/bin/vault.backup'
  • Apply the salt state on the STANDBY Vault nodes, which will replace the vault binary, start the Vault service, and unseal the nodes.
    • salt <standby-node> state.sls vault --output-diff test=true (test=true is a dry run that only shows the diff; re-run without test=true to apply)
  • Verify each STANDBY node is at the correct version and is in standby mode.
    • salt vault* cmd.run cmd='VAULT_SKIP_VERIFY=1 VAULT_ADDR=https://127.0.0.1 vault status'
  • Properly shut down the ACTIVE node. Once it stops, one of the upgraded STANDBY nodes takes over as active.
    • salt <active-node> cmd.run 'systemctl stop vault'
  • Prep the upgrade by backing up the current Vault binary
    • Vault salt state will not upgrade if the current Vault binary is present
    • salt <active-node> cmd.run 'mv /usr/local/bin/vault /usr/local/bin/vault.backup'
  • Apply the salt state on the previously ACTIVE Vault node, which will replace the vault binary, start the Vault service, and unseal the node.
    • salt <active-node> state.sls vault --output-diff test=true (dry run first, then re-run without test=true to apply)
  • Verify the version and HA Mode with the same vault status command. The previously ACTIVE node rejoins as standby, since an upgraded node now holds the active role.
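The verification steps above read `vault status` by eye on every node. The following script is an added example, not part of the original notes: it parses the `vault status` text for one node and fails if the version, HA mode or seal state is not what the upgrade step expects. The node names, the sample outputs and the 1.6.0 target version are constructed for illustration.

```bash
#!/bin/sh
# Added example (not from the runbook): check one node's `vault status` output
# against the expected version and HA mode. Sample data below is constructed.

# Extract one field ("Version", "HA Mode", "Sealed") from `vault status` text.
# $1 = status text, $2 = field name. Columns are separated by two or more spaces.
status_field() {
  printf '%s\n' "$1" | awk -v f="$2" -F '  +' '$1 == f { print $2; exit }'
}

# $1 = node name, $2 = status text, $3 = expected version,
# $4 = expected HA mode (active|standby). Returns 0 only if every check passes.
check_vault_node() {
  node=$1; status=$2; want_ver=$3; want_mode=$4
  case $status in
    *"connection refused"*)
      echo "$node: connection refused, the Vault service is not running" >&2
      return 1 ;;
  esac
  ver=$(status_field "$status" Version)
  mode=$(status_field "$status" "HA Mode")
  sealed=$(status_field "$status" Sealed)
  rc=0
  [ "$ver" = "$want_ver" ]   || { echo "$node: version '$ver', expected $want_ver" >&2; rc=1; }
  [ "$mode" = "$want_mode" ] || { echo "$node: HA Mode '$mode', expected $want_mode" >&2; rc=1; }
  [ "$sealed" = "false" ]    || { echo "$node: node is sealed, unseal it before continuing" >&2; rc=1; }
  return $rc
}

# Constructed sample: an upgraded, unsealed standby node.
SAMPLE_STANDBY='Key           Value
---           -----
Seal Type     shamir
Initialized   true
Sealed        false
Version       1.6.0
Storage Type  dynamodb
HA Enabled    true
HA Mode       standby'

# Constructed sample: a node whose Vault service is stopped.
SAMPLE_DOWN='Error checking seal status: Get "https://127.0.0.1/v1/sys/seal-status": dial tcp 127.0.0.1:443: connect: connection refused'

# Usage: feed the real output of the salt cmd.run status command for each node, e.g.
# check_vault_node vault-2 "$SAMPLE_STANDBY" 1.6.0 standby
```

Run it once per standby node after their salt state is applied, and once more for the previously active node with the expected mode set to standby.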