An issue with a deployment of HashiCorp Vault within GKE clusters in GCP (not auto-generating its certificate) meant we had an issue where new Agents and the Agent-Injector had to be updated and redeployed. Whilst the version number of the agents and injector was updated in the Helm Chart, a redeployment didn't refresh the cert; this only worked by uninstalling and then reapplying.
Therefore the operation was:
HELM UNINSTALL VAULT
TERRAFORM APPLY VAULT
That was fine for all clusters. The remaining cluster is where the Vault Server is also deployed. In the Namespace for the Server, we have the following running pods:
NAME                                    READY   STATUS      RESTARTS        AGE
vault-0                                 1/1     Running     7 (3d1h ago)    47d
vault-1                                 1/1     Running     3 (3d1h ago)    47d
vault-2                                 1/1     Running     7 (3d1h ago)    47d
vault-agent-injector-6866bb887c-4lnm9   1/1     Running     4 (26d ago)     47d
vault-agent-injector-6866bb887c-nc2xq   1/1     Running     3 (26d ago)     47d
vault-agent-injector-6866bb887c-nhkmz   1/1     Running     0               47d
vault-backup-cronjob-28023840-ggqrw     0/1     Completed   0               3d13h
vault-backup-cronjob-28025280-4ww42     0/1     Completed   0               2d13h
vault-backup-cronjob-28026720-wnzn9     0/1     Completed   0               37h
vault-backup-cronjob-28028160-n4x49     0/1     Completed   0               13h
We now need to remove this last injector but don't want to impact the Server, and importantly, the actual data.
Is the data held in a StatefulSet\GCS and thus not removed as part of a HELM UNINSTALL? I am concerned about losing the underlying data, so I need to understand how to perform the injector delete and redeploy without impacting the Vault data.
Hoping to perform the same operation as above but maybe not expecting to see the Vault-x destroyed, or if so, to see the underlying data still intact and restored into Vault on Apply.
If you are regenerating the cert by uninstalling and reinstalling the Vault infrastructure with Helm (assuming the reinstall is a subset of the Terraform application mentioned; without further information I will be making assumptions about that) instead of an upgrade, then the Vault workloads denoted enumerably with vault-n will be removed. However, the workloads are part of a StatefulSet, and so the data will be preserved. However, again as a caveat, the workload redeployment and re-attachment to the PV with the PVC will cause the Vault cluster to require a re-unsealing. If you are unable to unseal the Vault cluster with the original keys (either automatically or manually), then this will cause the Vault cluster to become inoperable.
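A pre-flight check for the two conditions the answer above depends on (the claims are still Bound, and how the cluster gets unsealed), added here as an example that is not part of the original question or answer. The namespace `vault`, the claim names `data-vault-N`, storage on PVCs rather than GCS, and the sample inputs are assumptions; the samples are constructed.

```shell
#!/bin/sh
# Assumed, not from the post: namespace "vault", claims named data-vault-N,
# 3 replicas as in the pod listing. Live inputs would come from:
#   kubectl -n vault get pvc --no-headers
#   kubectl -n vault exec vault-0 -- vault status

# unbound_claims REPLICAS: reads `kubectl get pvc --no-headers` on stdin and
# prints each expected data-vault-N claim that is missing or not Bound.
unbound_claims() {
  awk -v n="$1" '
    { status[$1] = $2 }
    END {
      for (i = 0; i < n; i++) {
        c = "data-vault-" i
        if (status[c] != "Bound") print c
      }
    }'
}

# unseal_mode: reads `vault status` table output on stdin and prints
#   auto    - a non-Shamir seal or a "Recovery Seal Type" row is present
#   manual  - Shamir seal: key shares must be entered after the pods return
#   unknown - no seal type row found
unseal_mode() {
  awk '
    /^Recovery Seal Type/ { mode = "auto"; next }
    /^Seal Type/ { if (mode == "") mode = ($3 == "shamir") ? "manual" : "auto" }
    END { print (mode == "" ? "unknown" : mode) }'
}

# Constructed sample: one claim is not Bound, and the seal is Shamir.
SAMPLE_PVC='data-vault-0   Bound     pvc-aaaa   10Gi   RWO   standard   47d
data-vault-1   Bound     pvc-bbbb   10Gi   RWO   standard   47d
data-vault-2   Pending                                standard   5s'

SAMPLE_STATUS='Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    5
Threshold       3'

echo "claims not Bound: $(printf '%s\n' "$SAMPLE_PVC" | unbound_claims 3)"
echo "unseal mode:      $(printf '%s\n' "$SAMPLE_STATUS" | unseal_mode)"
```

A `manual` result means the unseal key shares have to be at hand before the uninstall; any claim listed by `unbound_claims` should be investigated first.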