Unsealing OPF Vault instance#

Pre-requisites#

  • OCP Project Admin access to vault namespace

  • Access to OPF Vault root token and unseal keys (there will be 5)

    • These are accessible via the Operate First Bitwarden

Steps#

Verify there are Sealed Pods#

To verify if a Vault pod is in a sealed state first check each Vault pods’ status:

$ oc project vault
$ oc get pods
$ oc get pods | { head -1; grep pf-vault-*; }
NAME                                   READY   STATUS      RESTARTS   AGE
opf-vault-0                            1/1     Running     0          8h
opf-vault-1                            0/1     Running     0          8h
opf-vault-2                            1/1     Running     0          8h

If any of the pods are not ready, you will see 0/1 under the READY column. All pods will appear as 0/1 if they are sealed, see here for this readiness check.

We can further verify this Vault pod is sealed by running:

$ oc rsh opf-vault-1
$ vault status
Key                Value
---                -----
Seal Type          shamir
Initialized        true
Sealed             true
Total Shares       5
Threshold          3
Unseal Progress    0/3
Unseal Nonce       n/a
Version            1.9.2
Storage Type       raft
HA Enabled         true
$

If you see Sealed true like above, we know this pod (aka Vault node) is in a Sealed state.

Unseal pod#

Specify the following Environment Variables. All values available in Operate-First bitwarden, there are 5 unseal keys, we only need 3 to unseal, pick any 3.:

While rsh’d into the sealed Vault node (i.e. pod) run the following to unseal:

$ vault operator unseal
Key (will be hidden): <enter-unseal-key-1>
$ vault operator unseal
Key (will be hidden): <enter-unseal-key-2>
$ vault operator unseal
Key (will be hidden): <enter-unseal-key-2>

Once done, run the following (while still rsh’d into the pod):

$ oc exec -ti opf-vault-1 -- vault status
/ $ vault status
Key                     Value
---                     -----
Seal Type               shamir
Initialized             true
Sealed                  false
...

Verify that Sealed is set to false.

Confirm that the Vault node has rejoined the cluster:

/ $ vault operator raft list-peers
Node                                    Address                                State       Voter
----                                    -------                                -----       -----
09b66090-446e-3974-bcb1-7080dacc07e7    opf-vault-0.opf-vault-internal:8201    follower    true
56796c78-adac-b69e-8a62-c431b17c8b9b    opf-vault-2.opf-vault-internal:8201    leader      true
e58ab8b5-62d7-cc6f-27e0-79656bfb8ab7    opf-vault-1.opf-vault-internal:8201    follower    true

If you see the other cluster nodes listed, including the node just unsealed. Then you are done.

Troubleshooting#

  • If you encounter Missing Client token error, then follow instructions here.

  • If there are less than 3 nodes, then it’s possible the other nodes are also sealed and the same series of steps need to be repeated for that node.

  • If there are still less than 3 nodes, some nodes may need to be rejoined to the cluster. Instructions [here].