enable postgres as the backend of vault
#87
- terraform: add a cloudsql/postgres
- chart: use postgres as the backend

Signed-off-by: Bin Ju <[email protected]>
It seems pretty good 😁 I'm just concerned about the way that things are represented here - If you're confident that we got all set up correctly, in which case `vault` is removed in favor of `vault-nci` (the postgres-backed one) then I think we should have in this commit the removal of the old one, and the addition of the new (rather than the linking, etc) 😁
1. How to deploy `vault-nci` | ||
1. `git clone https://github.com/concourse/vault-helm` to the `charts` (hush-house/deployments/with-creds/vault/charts) directory. | ||
1 `ln -s vault vault-nci` |
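Review bot: the third step (1 `ln -s vault vault-nci`) is missing the period after the list marker, so it will not render as a numbered item like the two steps above it; write it as 1. `ln -s vault vault-nci`. The step also does not say which directory the symlink is created in, while the clone step names `hush-house/deployments/with-creds/vault/charts`; stating the working directory for the `ln -s` would remove the ambiguity.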
hmmmm this seems like a transitory step that has been used during development 🤔
do you plan to have the deployment named after `vault-nci` or `vault`? I guess the former?
(just because if the latter, then we wouldn't really need #102 as the name of the service and namespace wouldn't change)
if you feel like the transition is good (checked via the scripts that ensure that we got the data transferred well), I'd say these steps aren't needed - we should have in this repo just the final configuration that reflects the environment 🤔
I've manually backed up `/vault/data` again to make the process safer if we only keep the `vault` instance. Anyway, the PVC is still attached to `vault`; we could switch back to the FS backend anytime.
I agree.
After the data between `vault` and `vault-nci`, the old vault is going to be decommissioned, and the new `vault-nci` becomes `vault`. After the change, users can only see the instance `vault`, which would be simple for later maintenance.

Signed-off-by: Bin Ju <[email protected]>
Fixes: concourse/prod#44
This PR can work with the forked repo: https://github.com/concourse/vault-helm
We are going to draft a PR for that later.
I created a new vault - `vault-nci` - for test, resilience and migration purposes. The steps are as below:

```
ln -s vault vault-nci
make creds-vault-nci
make deploy-vault-nci
```
You can review the PR, but DO NOT Merge the PR until the data migration is done.