Operations

Updates

Once Vault is initialized, subsequent playbook runs are idempotent:

ansible-playbook -i inventory.yml playbook/reemo-infra.yml

The playbook will:

  • Detect that Vault is already initialized

  • Read init.json

  • Automatically re-unseal containers if necessary

  • Update the rest of the infrastructure

If init.json is encrypted, add --ask-vault-pass.

Automatic unsealing

The playbook unseals automatically on each run: it detects sealed replicas, reads init.json (auto-decrypted if encrypted), applies the first 3 keys, and Vault becomes operational again. No manual action required.

Use after server reboot, Docker restart, container update, or any incident that sealed the replicas.

Note

For manual unsealing via the web interface (Ansible runner unavailable, isolated intervention), see the credential provider configuration.

The CredentialAPI Token

CredentialAPI uses a Vault token to access secrets. This token:

  • Is created automatically on the first playbook run

  • Is stored in a Docker Swarm secret (<INSTANCE_NAME>_credentialapi_vault_token)

  • Has a lifetime of 30 days (720h) with automatic renewal

  • Is governed by the credentialapi-admin policy

Renewal is handled by supercronic built into the CredentialAPI container: every 6 hours, the token is renewed via auth/token/renew-self, resetting its TTL to 720h. No manual action is required.

Manual rotation (exceptional case)

If you need to force token regeneration (suspected compromise):

# 1. Identify the current token
TOKEN=$(docker exec $(docker ps --filter name=reemo_credentialapi. -q | head -1) cat /run/secrets/reemo_credentialapi_vault_token)
ROOT=$(jq -r .root_token playbooks/secrets/reemo/vault/init.json)
CID=$(docker ps --filter name=reemo_vault1. -q)

# 2. Retrieve the token accessor
ACCESSOR=$(docker exec -e BAO_TOKEN=$TOKEN $CID bao token lookup -format=json | jq -r .data.accessor)

# 3. Stop CredentialAPI to release the Docker secret
docker service rm reemo_credentialapi

# 4. Delete the Docker secret
docker secret rm reemo_credentialapi_vault_token

# 5. Revoke the old token in Vault
docker exec -e BAO_TOKEN=$ROOT $CID bao token revoke -accessor $ACCESSOR

# 6. Re-run the playbook: a new token will be created
ansible-playbook -i inv playbook/reemo-infra.yml