openstack-caracal-ipv4 / runbooks / 03-vault-init.md

Runbook 03 — Vault Initialization

STATUS: PLACEHOLDER — drafted during deploy phase.

Purpose

Initialize the Vault instance(s), unseal, authorize, and let certificate relations resolve so dependent charms reach active/idle.

Prerequisites

  • Bundle deployed; Vault charm in blocked status, waiting for init
  • etcd cluster in active/idle (Vault HA backend per D-006)
  • easyrsa active (TLS bootstrap)

TODO

  • juju run vault/leader generate-root-ca — capture root CA cert
  • vault operator init -key-shares=5 -key-threshold=3 — capture keys
  • Unseal with 3 of 5 keys
  • juju run vault/leader authorize-charm token=<root-token>
  • Verify all :certificates relations complete (no charms stuck
    waiting on certs)
  • Store unseal keys in ~/.vault-keys/ (chmod 600); back up
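
Added example, not part of the original runbook: one way to carry out the "capture keys" and "store unseal keys" steps, assuming the default text output of `vault operator init` was saved to a file. The function names, file layout (`unseal-key-N`) and sample key values are constructed for illustration; the directory is set to 700 (it needs the execute bit to be traversed) and the key files to 600.

```bash
#!/usr/bin/env bash
# Added example (not from the runbook). Key values below are constructed.

# Constructed sample of the default text output of `vault operator init`.
sample_init_output() {
    cat <<'EOF'
Unseal Key 1: EXAMPLE-KEY-SHARE-1
Unseal Key 2: EXAMPLE-KEY-SHARE-2
Unseal Key 3: EXAMPLE-KEY-SHARE-3
Unseal Key 4: EXAMPLE-KEY-SHARE-4
Unseal Key 5: EXAMPLE-KEY-SHARE-5

Initial Root Token: EXAMPLE-ROOT-TOKEN
EOF
}

# save_unseal_keys INIT_FILE KEY_DIR [SHARES]
# Writes each share to KEY_DIR/unseal-key-N; fails unless SHARES were found.
save_unseal_keys() {
    local init_file=$1 key_dir=$2 shares=${3:-5}
    (
        umask 077                          # files 600, dirs 700 from creation
        mkdir -p "$key_dir" && chmod 700 "$key_dir" || exit 1
        count=0
        while IFS= read -r line; do
            case $line in
                "Unseal Key "*": "*)
                    n=${line#Unseal Key }; n=${n%%:*}
                    printf '%s\n' "${line#*: }" > "$key_dir/unseal-key-$n"
                    count=$((count + 1)) ;;
            esac
        done < "$init_file"
        [ "$count" -eq "$shares" ]         # a short capture is an error
    )
}

# audit_key_dir KEY_DIR
# Succeeds only if no path under KEY_DIR has any group/other permission bit.
audit_key_dir() {
    local key_dir=$1 loose
    [ -d "$key_dir" ] || return 1
    loose=$(find "$key_dir" -perm /077 -print)   # GNU find syntax
    if [ -n "$loose" ]; then
        printf 'too permissive:\n%s\n' "$loose" >&2
        return 1
    fi
}
```

Run `audit_key_dir ~/.vault-keys` after saving and again after any backup or restore, since overwriting an existing file keeps its old mode and copies can lose the restrictive permissions.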