Added upgrade considerations for using Vault (#933)
Updated reference in minor update doc

    modified:   docs/install/minor-upgrade.md
    modified:   docs/vault.md
nastena1606 authored Oct 2, 2024
1 parent a8be221 commit b6610dc
Showing 2 changed files with 9 additions and 2 deletions.
2 changes: 1 addition & 1 deletion docs/install/minor-upgrade.md
@@ -1,6 +1,6 @@
# Minor upgrade of Percona Server for MongoDB

If you are using data-at-rest-encryption with KMIP server, check the [upgrade considerations](../kmip.md#upgrade-considerations)
If you are using data-at-rest-encryption, check the upgrade considerations for [the KMIP server](../kmip.md#upgrade-considerations) and for the [Vault server](../vault.md#upgrade-considerations)

To upgrade Percona Server for MongoDB to the latest version, follow these steps:

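Review bot: the replacement line still ends without a terminal period ("... and for the [Vault server](../vault.md#upgrade-considerations)"), as the removed line also did; since it is a full sentence followed by a paragraph break, add the period. The two link texts are also not parallel ("the KMIP server" versus "Vault server"); either drop "the" from the first or add it to the second.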
9 changes: 8 additions & 1 deletion docs/vault.md
@@ -48,6 +48,8 @@ security:
secret: secret/data/hello
```
#### Vault access policy configuration
Starting with 5.0.29-25, Percona Server for MongoDB checks the number of the secrets on the Vault server before adding a new one thus [preventing the loss of the old master key](#master-key-loss-prevention). For these checks, Percona Server for MongoDB requires read permissions for the secret’s metadata and the secrets engine configuration. You configure these permissions within the access policy on the Vault server.
Find the sample policy configuration below:
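Review bot: the new `#### Vault access policy configuration` heading sits directly against the closing ``` fence with no blank line before it, and there is none between the heading and the paragraph that follows; the rest of vault.md (the `## Upgrade considerations` section added in this same commit, for instance) separates headings with blank lines, and some Markdown renderers do not recognise a heading that immediately follows a fenced block. Add a blank line on each side. Note that the other hunk in this commit links to `#vault-access-policy-configuration`, so the heading text must stay exactly as written unless that anchor is updated with it.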
@@ -136,5 +138,10 @@ Starting with version 5.0.29-25, Percona Server for MongoDB checks if the number

If the number of secrets reaches the maximum, Percona Server for MongoDB logs an error and exits. This prevents the Vault server from dropping the oldest secret version and the encryption key it stores.

To continue, increase the maximum versions for the secret or the entire secrets engine on the Vault server, then restart Percona Server for MongoDB. To check the number of secrets on the Vault server, ensure Percona Server for MongoDB has [read permissions for the secret’s metadata and the secrets engine configuration](#config-file-example).
To continue, increase the maximum versions for the secret or the entire secrets engine on the Vault server, then restart Percona Server for MongoDB. To check the number of secrets on the Vault server, ensure Percona Server for MongoDB has [read permissions for the secret’s metadata and the secrets engine configuration](#vault-access-policy-configuration).

## Upgrade considerations

After upgrading to Percona Server for MongoDB 5.0.29-25, configure the read permissions for it within the access policy on the Vault server. These permissions are required to check for the number of secrets versions to prevent the master key loss.

See [the policy configuration example](#vault-access-policy-configuration).

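Review bot: the new section says to configure the read permissions "after upgrading to Percona Server for MongoDB 5.0.29-25", but the check described just above applies to every version from 5.0.29-25 onward, and the permissions have to be in place when the upgraded server performs it; phrase it as "5.0.29-25 or later" and state explicitly whether the Vault policy must be updated before the upgraded server is started, so that readers arriving from minor-upgrade.md (which links here ahead of its upgrade steps) know where in the procedure this belongs. The anchor change from `#config-file-example` to `#vault-access-policy-configuration` correctly matches the heading added in the earlier hunk.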