Enterprise Kubernetes, delivered

Tectonic ships with CoreOS's signature automated operations, runs multi-cloud, and is the fastest, most secure path to Kubernetes.

Upgrading Vault Cluster

This document describes how to upgrade an HA-enabled Vault cluster. Vault operator simulates the suggested upgrade process as recommended in official Vault upgrade docs: https://www.vaultproject.io/guides/upgrading/index.html#ha-installations


  • Before upgrading to a specific version, see the official Vault upgrade docs: https://www.vaultproject.io/guides/upgrading/index.html
  • Read Configuring Vault nodes

Upgrade the Vault nodes

Create the following Vault CR to use as the basis for the upgrade:

apiVersion: "vault.security.coreos.com/v1alpha1"
kind: "VaultService"
  name: "example"
  nodes: 2
  version: "0.8.3-0"

After the Vault cluster is deployed and unsealed, there will be one active and one standby node.

Use kubectl to upgrade to Vault 0.9.0-0:

kubectl -n default get vault example -o yaml | sed 's/version: 0.8.3-0/version: 0.9.0-0/g' | kubectl apply -f -

Vault-operator will upgrade all nodes except the active node to keep service availability. After upgrade, 2 Vault nodes of the target version and 1 active node of the old version will exist.

Unseal all the upgraded nodes

After all upgraded nodes are unsealed, vault-operator will enforce the old version active node to step down and exit gracefully. One of the two new version standby nodes will take over and become active.