Vault downgrade

[Николай Мишин]

Hi !

Is it possible downgrade Vault >= 0.8.3  to the 0.7.2  without data loss?

I now kv backend type was not introduced until 0.8.3 and according to this I have an error:
core: failed to create mount entry: path=secret/ error=unknown backend type: kv

Thanks!

[Becca Petrin]

Hi!

It's hard to say. When we're releasing a new version of Vault, we tend to test that upgrade paths work, but not downgrade paths. We do also try to maintain backwards-compatibility. However, things do change over time with the API and we don't strictly follow semantic versioning, so there is some risk of impact to your production environment.

Probably the best way to see if downgrading effects anything would be to make a backup of your data, then try the downgrade on the backup data on a staging or development Vault instance. That would reveal anything effected. If you didn't want to go to that level of effort, you could also check the changelog for anything that might effect you between those versions. If you're comfortable with Github, you could also check the website docs. You could look at the docs for what you're using when Vault was at each version.

What auth and secrets engines are you using? And what storage backend?

-Becca

[Vasilev Vjacheslav]

Hi,

You can try with the following high-level steps, but in the end will be required to do something with the kv manually:
1) make a fresh backup of a storage backend (e.g. consul snapshot)
2) vault unmount secret
3) downgrade

[Николай Мишин]

Hi Becca!

We use Consul as a storage backend, AppRole Auth Method, and we use a custom secrets engines based on the GCP Service Accounts.
Yes, I was try to downgrade Vault, but see error message about "failed to create mount entry" and Vault don't want to mount KV store.

понедельник, 8 апреля 2019 г., 19:22:10 UTC+3 пользователь Becca Petrin написал:

[Nikolay Mishin]

Hi  Vjacheslav !
I will try this. Thank you!

вторник, 9 апреля 2019 г., 11:20:00 UTC+3 пользователь Vasilev Vjacheslav написал: