Overview
This article details how to change the hostname on a leader or follower Vault node operating in a Raft cluster. The steps are written for changing the leader, but can be repurposed for any node in the cluster. Leadership election in this case is done automatically using the Raft Consensus Protocol. The third host requires no actions in this scenario, so it is not referenced.
Prerequisites
- A working Vault cluster with a Raft storage backend.
Procedure
- Stop the Vault service on the leader node. The remaining followers will automatically elect a new Raft leader.
- Change the hostname on the original leader node by updating the Vault configuration file:
  - Change the Raft config `node_id`.
  - If the `api_addr` and `cluster_addr` values use domain names, update these accordingly.
- Delete the old Raft storage on the same original leader node.
- From the original follower node that has since been elected as leader, remove the original leader node ID with `vault operator raft remove-peer <old domain name>`.
- Start the Vault service on the original leader node. Raft will automatically recreate a new database.
- On the updated follower node, rejoin the Raft cluster using the `vault operator raft join https://<secondary hostname>:8200` command.
- Verify that the updated follower node has rejoined the cluster with the new hostname and node ID with `vault operator raft list-peers` on both the leader and follower nodes.
- Wait for the Raft database to replicate on your updated follower node. You can verify that this has been done by running the `vault status` command and comparing the Raft Committed and Applied Indexes between nodes. You can also log in with a token/method from the cluster and run `vault secrets list` to make sure the displayed data matches that on the current leader. These steps ensure both that the token has replicated and that the secrets are up-to-date with the leader node.
- Repeat the process as necessary across nodes within the cluster.
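The `list-peers` and `vault status` checks from the procedure can be scripted. The following is an added example, not HashiCorp's code: it assumes the default table output of both commands, and the node IDs (`vault-a` renamed to `vault-a2`) and all sample output are constructed.

```bash
#!/usr/bin/env bash
# Added example: offline checks for the list-peers and vault status steps.
# All sample output below is constructed; node IDs are hypothetical.

# Print one Raft index from `vault status` table output read on stdin.
raft_index() {  # $1 = Committed | Applied
  awk -v k="$1" '$1 == "Raft" && $2 == k && $3 == "Index" { print $4 }'
}

# Print leader committed index minus follower applied index (0 = caught up).
# Exits 2 if either output lacks the Raft rows (for example, non-Raft storage).
raft_lag() (  # $1 = leader `vault status` text, $2 = follower text
  lc=$(printf '%s\n' "$1" | raft_index Committed)
  fa=$(printf '%s\n' "$2" | raft_index Applied)
  [ -n "$lc" ] && [ -n "$fa" ] || exit 2
  echo $(( lc - fa ))
)

# Succeed only if `vault operator raft list-peers` output lists the new node ID
# and no longer lists the old one. Exact match, so "vault-a" != "vault-a2".
peers_renamed() (  # $1 = list-peers text, $2 = old node_id, $3 = new node_id
  ids=$(printf '%s\n' "$1" | awk 'NR > 2 { print $1 }')
  printf '%s\n' "$ids" | grep -qxF -- "$3" || exit 1
  ! printf '%s\n' "$ids" | grep -qxF -- "$2"
)

# Constructed samples.
LEADER_STATUS='Key                     Value
---                     -----
Storage Type            raft
HA Mode                 active
Raft Committed Index    4182
Raft Applied Index      4182'
FOLLOWER_LAGGING='Storage Type            raft
HA Mode                 standby
Raft Committed Index    4182
Raft Applied Index      4179'
PEERS='Node        Address                  State       Voter
----        -------                  -----       -----
vault-b     vault-b.example:8201     leader      true
vault-a2    vault-a2.example:8201    follower    true
vault-c     vault-c.example:8201     follower    true'

echo "lag: $(raft_lag "$LEADER_STATUS" "$FOLLOWER_LAGGING")"
if peers_renamed "$PEERS" vault-a vault-a2; then echo "peer list OK"; fi
```

On a live cluster, pass the real command output in place of the samples, capturing the leader's `vault status` first so that a lag of 0 or less means the renamed node has applied everything the leader had committed at that point.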