Charm should handle transition to HA during deployment

Bug #1834489 reported by Cory Johns
This bug affects 3 people
Affects: vault-charm
Status: Triaged
Importance: Wishlist
Assigned to: Unassigned
Milestone: (none)

Bug Description

The currently recommended instructions for deploying Vault as HA require easyrsa to provide certs for etcd even if Vault is intended to be the primary cert provider.

Having tested and confirmed working bringing Vault up in single-node configuration and then transitioning to HA after etcd has its certs in place (see https://github.com/charmed-kubernetes/kubernetes-docs/pull/207), it seems entirely reasonable to expect the charm to manage this transition automatically when brought up in a fully HA mode.

It should be able to function in single-node mode and defer enabling HA until etcd has its certs, which should only take a moment. Alternatively, it has been discussed that the data stored in etcd isn't actually sensitive and could be allowed to be sent over a non-TLS connection to etcd, but that might require changes to the etcd charm to work and seems less ideal.

Cory Johns (johnsca) wrote :

Forgot to link to current docs recommending using easyrsa alongside Vault: https://docs.openstack.org/project-deploy-guide/charm-deployment-guide/latest/app-vault.html#enabling-ha

Changed in vault-charm:
status: New → Triaged
importance: Undecided → Wishlist