How-to: Unseal a sealed Vault K8s unit

Unseal a sealed unit

In the circumstance that a Vault unit restarts, you will have to manually unseal it. This guide walks you through the necessary steps:

Starting from a cluster where one unit is sealed:

$ juju status
Model  Controller          Cloud/Region        Version  SLA          Timestamp
demo   microk8s-localhost  microk8s/localhost  3.4.0    unsupported  13:02:12-04:00

App    Version  Status   Scale  Charm      Channel    Rev  Address         Exposed  Message
vault           waiting      3  vault-k8s  1.15/beta  198  10.152.183.208  no       installing agent

Unit      Workload  Agent  Address      Ports  Message
vault/0*  active    idle   10.1.182.38         
vault/1   active    idle   10.1.182.51         
vault/2   blocked   idle   10.1.182.15         Please unseal Vault

Set the VAULT_ADDR variable to the sealed unit:

export VAULT_ADDR=https://$(juju status vault/2 --format=yaml |  yq '.applications.vault.units.vault/2.address'):8200; echo $VAULT_ADDR

Unseal the the unit using the same unseal keys as received during the initialization of the Vault leader:

vault operator unseal -tls-skip-verify EJoB62t286mjUpSQYZg3mOla3lz/bbElVL5OLnj+rpE=

The units will go back to the active/idle state:

$ juju status
Model  Controller          Cloud/Region        Version  SLA          Timestamp
demo   microk8s-localhost  microk8s/localhost  3.4.0    unsupported  13:03:26-04:00

App    Version  Status  Scale  Charm      Channel    Rev  Address         Exposed  Message
vault           active      3  vault-k8s  1.15/beta  198  10.152.183.208  no       

Unit      Workload  Agent  Address      Ports  Message
vault/0*  active    idle   10.1.182.38         
vault/1   active    idle   10.1.182.51         
vault/2   active    idle   10.1.182.15