diff --git a/jekyll/_cci2/server/v4.1/installation/phase-2-core-services.adoc b/jekyll/_cci2/server/v4.1/installation/phase-2-core-services.adoc index 581b41d121d..d0d287864d8 100644 --- a/jekyll/_cci2/server/v4.1/installation/phase-2-core-services.adoc +++ b/jekyll/_cci2/server/v4.1/installation/phase-2-core-services.adoc @@ -786,9 +786,9 @@ proxy: === n. Encrypting Environment Variables -All environment variables stored in contexts are encrypted using either https://www.vaultproject.io/[Hashicorp Vault] or https://developers.google.com/tink[Google Tink]. By Default, CircleCI server 4.x will use Vault to generate and store encryption keys. +All environment variables stored in contexts are encrypted using either https://developers.google.com/tink[Google Tink] or https://www.vaultproject.io/[Hashicorp Vault]. We recommend the use of Tink as Vault has been deprecated. -==== Use Tink (optional) +==== Use Tink The following steps cover using Tink as an alternative to Vault: @@ -797,7 +797,7 @@ The following steps cover using Tink as an alternative to Vault: [source,yaml] ---- tink: - enabled: false + enabled: true keyset: "" ---- + diff --git a/jekyll/_cci2/server/v4.2/installation/phase-2-core-services.adoc b/jekyll/_cci2/server/v4.2/installation/phase-2-core-services.adoc index b3e211f03c4..1640dc0b483 100644 --- a/jekyll/_cci2/server/v4.2/installation/phase-2-core-services.adoc +++ b/jekyll/_cci2/server/v4.2/installation/phase-2-core-services.adoc 
@@ -799,9 +799,9 @@ proxy: === n. Encrypting Environment Variables -All environment variables stored in contexts are encrypted using either https://www.vaultproject.io/[Hashicorp Vault] or https://developers.google.com/tink[Google Tink]. By Default, CircleCI server 4.2 will use Vault to generate and store encryption keys. +All environment variables stored in contexts are encrypted using either https://developers.google.com/tink[Google Tink] or https://www.vaultproject.io/[Hashicorp Vault]. We recommend the use of Tink as Vault has been deprecated. -==== Use Tink (optional) +==== Use Tink The following steps cover using Tink as an alternative to Vault: @@ -810,7 +810,7 @@ The following steps cover using Tink as an alternative to Vault: [source,yaml] ---- tink: - enabled: false + enabled: true keyset: "" ---- + diff --git a/jekyll/_cci2/server/v4.2/installation/upgrade-server.adoc b/jekyll/_cci2/server/v4.2/installation/upgrade-server.adoc index 6d4cf210bde..7516a358446 100644 --- a/jekyll/_cci2/server/v4.2/installation/upgrade-server.adoc +++ b/jekyll/_cci2/server/v4.2/installation/upgrade-server.adoc @@ -65,3 +65,8 @@ helm diff upgrade circleci-server oci://cciserver.azurecr.io/circleci-server -n helm upgrade circleci-server oci://cciserver.azurecr.io/circleci-server -n $namespace --version -f --username $USERNAME --password $PASSWORD . Deploy and run link:https://github.com/circleci/realitycheck[`reality check`] in your test environment to ensure your installation is fully operational. + +[#vault] +=== Vault + +We have moved away from Vault to Tink for encryption. The process for migration is link:https://github.com/CircleCI-Public/server-scripts/tree/main/vault-to-tink[documented here], and includes a convenience script to move existing secrets. You should complete the migration to Tink on your v4.2.x installation after upgrading. Customers that do not perform this step may have issues restoring Vault from backup in v4.2. \ No newline at end of file 
diff --git a/jekyll/_cci2/server/v4.3/installation/phase-2-core-services.adoc b/jekyll/_cci2/server/v4.3/installation/phase-2-core-services.adoc index efe3616bcc9..fd5a07f142d 100644 --- a/jekyll/_cci2/server/v4.3/installation/phase-2-core-services.adoc +++ b/jekyll/_cci2/server/v4.3/installation/phase-2-core-services.adoc @@ -806,9 +806,9 @@ proxy: === n. Encrypting Environment Variables -All environment variables stored in contexts are encrypted using either https://www.vaultproject.io/[Hashicorp Vault] or https://developers.google.com/tink[Google Tink]. By Default, CircleCI server v4.3 will use Vault to generate and store encryption keys. +All environment variables stored in contexts are encrypted using either https://developers.google.com/tink[Google Tink] or https://www.vaultproject.io/[Hashicorp Vault]. We recommend the use of Tink as Vault has been deprecated. -==== Use Tink (optional) +==== Use Tink The following steps cover using Tink as an alternative to Vault: @@ -817,7 +817,7 @@ The following steps cover using Tink as an alternative to Vault: [source,yaml] ---- tink: - enabled: false + enabled: true keyset: "" ---- + diff --git a/jekyll/_cci2/server/v4.4/installation/phase-2-core-services.adoc b/jekyll/_cci2/server/v4.4/installation/phase-2-core-services.adoc index c18fd219c26..1e691530a65 100644 --- a/jekyll/_cci2/server/v4.4/installation/phase-2-core-services.adoc +++ b/jekyll/_cci2/server/v4.4/installation/phase-2-core-services.adoc 
@@ -806,9 +806,9 @@ proxy: === n. Encrypting Environment Variables -All environment variables stored in contexts are encrypted using either https://www.vaultproject.io/[Hashicorp Vault] or https://developers.google.com/tink[Google Tink]. By Default, CircleCI server v4.4 will use Vault to generate and store encryption keys. +All environment variables stored in contexts are encrypted using either https://developers.google.com/tink[Google Tink] or https://www.vaultproject.io/[Hashicorp Vault]. We recommend the use of Tink as Vault has been deprecated. -==== Use Tink (optional) +==== Use Tink The following steps cover using Tink as an alternative to Vault: @@ -817,7 +817,7 @@ The following steps cover using Tink as an alternative to Vault: [source,yaml] ---- tink: - enabled: false + enabled: true keyset: "" ---- +
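Review bot: In the `Encrypting Environment Variables` hunk of each `phase-2-core-services.adoc` (v4.1, v4.2, v4.3, v4.4), the unchanged context line `The following steps cover using Tink as an alternative to Vault:` now contradicts the new intro, which recommends Tink and calls Vault deprecated, and the heading directly above it no longer says `(optional)`. Reword that line in the same change, for example "The following steps cover configuring Tink:". The removed sentence was also the only statement of which backend is used by default; the replacement should still say what a fresh install does when the `tink` block is left untouched, so an operator can tell whether they end up on the deprecated backend without choosing it.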
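Review bot: In the `[source,yaml]` hunk of each `phase-2-core-services.adoc`, the example now reads `enabled: true` directly above `keyset: ""`, so a snippet copied as shown turns Tink on with an empty keyset. If the steps after this block (not visible in the hunk) generate and fill in the keyset, say so next to the snippet or use an obvious placeholder value instead of the empty string. Since the keyset is the key material protecting context environment variables, this is also the place to tell operators to treat the resulting values file as a secret and to keep a backup of the keyset.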
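Review bot: In the new `=== Vault` section of `v4.2/installation/upgrade-server.adoc`, "may have issues restoring Vault from backup in v4.2" is too vague to act on; state what fails and whether stored context secrets become unrecoverable if the migration is skipped. The section is added only to the v4.2 upgrade guide although the same Tink recommendation lands in the v4.1, v4.3 and v4.4 install guides, so either add the equivalent section to the other upgrade guides or state why only v4.2 needs it. The heading names Vault while the section is about moving to Tink; a title such as "Migrate from Vault to Tink" (keeping the `[#vault]` anchor) is easier to find. The file also ends without a trailing newline.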