FTR: allow snapshot restore without initializing the cluster first · Issue #30611 · hashicorp/vault · GitHub
Is your feature request related to a problem? Please describe.
When restoring a raft snapshot as per the SOP https://docs.hashicorp.com/vault/tutorials/standard-procedures/sop-restore to a cluster, it has to be initialized and unsealed first. However, as stated in the SOP and in https://discuss.hashicorp.com/t/performing-restore-from-snapshot-invalidates-existing-auto-unseal-recovery-keys/55326, all content of that cluster (especially unseal/recovery keys) is removed/overwritten with the backup content.
Thus the requirement to have an initialized+unsealed cluster introduces a new set of secrets and operation procedure to deal with them (and mental capacity to separate them from the actually needed stuff), without actually needing these.
Describe the solution you'd like
Allow restoring into an empty cluster, which has not been initialized, and implicitly don't require unsealing in that case.
vault status tells me "Initialized: false", so the cluster knows if it has any content, and can distinguish that case from an initialized (possibly filled with content) but sealed cluster.
Describe alternatives you've considered
Explain any additional use-cases
Additional context