seal with HA mode may fail #6161
Comments
|
The problem is that sealing a standby node is something that we'd like to allow, and some more recent developments like batch tokens may make it feasible. But IIRC the reason for that comment is that we actually used to forward seal requests and then we got complaints from people with the opposite opinion, who expected the standby node to seal and instead found their active node sealing. We may reconsider that later, or figure out a way to allow sealing standbys directly, but for now it's a single extra step and in many cases isn't (e.g. if you use Consul and look at the active tag), and we're not planning on changing this behavior currently. |
|
thanks for the answer @jefferai! btw another usecase where it fails for me, on UI when I'm logged in as a user with permission to seal vault I can't do so due to very same reason, it is very confusing I used to click seal like 10 times to get it actually sealed :\ |
currently seal in HA mode with LB is inconsistent because the request can arrive to the stand-by node and it fail with no redirection to the leader. So in order to seal vault operator has to get access to the current leader endpoint which in case of emergency may take some extra time...
I've found this https://github.com/hashicorp/vault/blob/master/vault/core.go#L1141-L1145 so it seems it is well-known thing but I think
sealis a pretty essential thing that has to be working properly.btw, is there documentation how
sealworks in HA withautounsealfeature enabled? current error message proposing to restart which will autounseal vault.The text was updated successfully, but these errors were encountered: