Vault unseal operation needs to happen inside the vault role #19

Closed
opened 2024-08-29 17:35:52 +00:00 by lanson · 0 comments
Owner

Currently, because the role was first managed outside of the collection, the unseal operation takes place after the vault deployment role, which causes a few seconds (1-3s) where all vault nodes are sealed, which can lead to issues.

There should be an option inside the vault role to do rolling unseals, using a serial run on the restart + unseal operation if keys are provided to the role.

If no keys are provided, the unseal would just be skipped (to allow bootstrap cases where there is no key available to unseal).

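A sketch of the rolling restart + unseal play described above, added here as an example and not taken from the hcp-ansible collection. It assumes an inventory group `vault`, a `vault_unseal_keys` list variable (empty on bootstrap), the `vault` CLI on each node and a listener on 127.0.0.1:8200.

```yaml
# Added example, not the collection's own role code.
# Assumptions: group `vault`, var `vault_unseal_keys` (list, may be empty),
# `vault` binary present, API listener on 127.0.0.1:8200.
- name: Rolling restart and unseal of Vault nodes
  hosts: vault
  serial: 1                 # one node at a time, so the cluster is never fully sealed
  become: true
  vars:
    vault_unseal_keys: []   # empty on bootstrap -> unseal tasks are skipped
    vault_addr: "https://127.0.0.1:8200"
  tasks:
    - name: Restart vault
      ansible.builtin.systemd:
        name: vault
        state: restarted

    - name: Wait for the API listener to come back
      ansible.builtin.wait_for:
        host: 127.0.0.1
        port: 8200
        timeout: 60

    - name: Unseal with each provided key (skipped when no keys are given)
      ansible.builtin.command:
        cmd: "vault operator unseal {{ item }}"
      environment:
        VAULT_ADDR: "{{ vault_addr }}"
      loop: "{{ vault_unseal_keys }}"
      no_log: true          # keep unseal key shares out of the job output
      when: vault_unseal_keys | length > 0

    - name: Read seal status (exit code 0 = unsealed, 2 = sealed, 1 = error)
      ansible.builtin.command:
        cmd: vault status -format=json
      environment:
        VAULT_ADDR: "{{ vault_addr }}"
      register: vault_status
      changed_when: false
      failed_when: vault_status.rc not in [0, 2]
      when: vault_unseal_keys | length > 0

    - name: Do not move to the next node while this one is still sealed
      ansible.builtin.assert:
        that: not (vault_status.stdout | from_json).sealed
        fail_msg: "{{ inventory_hostname }} is still sealed after unseal attempt"
      when: vault_unseal_keys | length > 0
```

With `serial: 1`, a node that fails the final assert stops the play before the next node is restarted, so at most one node is sealed at any time.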
lanson added this to the Hashistack-Ansible project 2024-08-29 17:35:52 +00:00
lanson added the vault label 2024-09-06 21:52:44 +00:00
Reference: ansible-collections/hcp-ansible#19