Operations¶
Updates¶
Once Vault is initialized, subsequent playbook runs are idempotent:
ansible-playbook -i inventory.yml playbook/reemo-infra.yml
The playbook will:
Detect that Vault is already initialized
Read
init.jsonAutomatically re-unseal containers if necessary
Update the rest of the infrastructure
If init.json is encrypted, add --ask-vault-pass.
Automatic unsealing¶
The playbook unseals automatically on each run: it detects sealed replicas, reads init.json (auto-decrypted if encrypted), applies the first 3 keys, and Vault becomes operational again. No manual action required.
Use after server reboot, Docker restart, container update, or any incident that sealed the replicas.
Note
For manual unsealing via the web interface (Ansible runner unavailable, isolated intervention), see the credential provider configuration.
The CredentialAPI Token¶
CredentialAPI uses a Vault token to access secrets. This token:
Is created automatically on the first playbook run
Is stored in a Docker Swarm secret (
<INSTANCE_NAME>_credentialapi_vault_token)Has a lifetime of 30 days (720h) with automatic renewal
Is governed by the
credentialapi-adminpolicy
Renewal is handled by supercronic built into the CredentialAPI container: every 6 hours, the token is renewed via auth/token/renew-self, resetting its TTL to 720h. No manual action is required.
Manual rotation (exceptional case)¶
If you need to force token regeneration (suspected compromise):
# 1. Identify the current token
TOKEN=$(docker exec $(docker ps --filter name=reemo_credentialapi. -q | head -1) cat /run/secrets/reemo_credentialapi_vault_token)
ROOT=$(jq -r .root_token playbooks/secrets/reemo/vault/init.json)
CID=$(docker ps --filter name=reemo_vault1. -q)
# 2. Retrieve the token accessor
ACCESSOR=$(docker exec -e BAO_TOKEN=$TOKEN $CID bao token lookup -format=json | jq -r .data.accessor)
# 3. Stop CredentialAPI to release the Docker secret
docker service rm reemo_credentialapi
# 4. Delete the Docker secret
docker secret rm reemo_credentialapi_vault_token
# 5. Revoke the old token in Vault
docker exec -e BAO_TOKEN=$ROOT $CID bao token revoke -accessor $ACCESSOR
# 6. Re-run the playbook: a new token will be created
ansible-playbook -i inv playbook/reemo-infra.yml