From 40f7a183786d35e26032b300e32be521bca7e08e Mon Sep 17 00:00:00 2001 From: Aline Abler Date: Mon, 19 Aug 2024 11:25:00 +0200 Subject: [PATCH] Document how to restore from k8up backup --- .../pages/how-tos/restore-from-backup.adoc | 138 ++++++++++++++++++ .../ROOT/pages/references/parameters.adoc | 6 + docs/modules/ROOT/partials/nav.adoc | 1 + docs/modules/ROOT/partials/vault-warning.adoc | 8 + 4 files changed, 153 insertions(+) create mode 100644 docs/modules/ROOT/pages/how-tos/restore-from-backup.adoc create mode 100644 docs/modules/ROOT/partials/vault-warning.adoc diff --git a/docs/modules/ROOT/pages/how-tos/restore-from-backup.adoc b/docs/modules/ROOT/pages/how-tos/restore-from-backup.adoc new file mode 100644 index 0000000..bc4f48f --- /dev/null +++ b/docs/modules/ROOT/pages/how-tos/restore-from-backup.adoc @@ -0,0 +1,138 @@ += Restore from Backup + +When configuring component-vault with `backup.enabled = true`, the component sets up regular backups using k8up. +This how-to explains how Vault can be restored from such a backup. + +== Information on the Vault Unseal Key and Root Token + +include::partial$vault-warning.adoc[] + +== Prerequisites + +* `restic` - command line tool to access backups made by k8up +* `vault` - command line tool to interact with Vault +* `kubectl` +* Write access to the cluster's tenant repository +* Read access to the restic repository in which k8up stored the Vault backups +* The Vault instance's *unseal key* and *root token* - these must be backed up manually; they are not part of the automated k8up backup. + +== Procedure + +=== 1. Set up new Vault instance + +* Add the `vault` application to your cluster configuration +* Initially disable backups by setting `.backups.enabled` to `false` +* Compile and push the cluster config and wait for Vault to start. + +=== 2. Set up permissions for restoring the Vault instance + +* Access the Vault UI ++ +[source,shell] +---- +export VAULT_INSTANCE_NAME="my-vault-instance" +# Get root token to log in +kubectl get secret -n $VAULT_INSTANCE_NAME ${VAULT_INSTANCE_NAME}-seal -ojsonpath='{.data.vault-root}' | base64 -d +kubectl port-forward -n $VAULT_INSTANCE_NAME ${VAULT_INSTANCE_NAME}-0 8200 +---- +* Open your browser at http://localhost:8200 and log in with the `Token` method and the root token retreived in the previous step +* Navigate to `Policies` and open the `backup` policy +* Edit the policy to the following: ++ +[source,hcl] +---- +path "sys/storage/raft/snapshot-force" { + capabilities = ["read", "create", "update", "sudo"] +} +---- +* Save the new policy + +NOTE: Editing this policy is unproblematic, as it will be reset once the backup is restored. + +=== 3. Retrieve the Vault snapshot + +* Set up the restic credentials (values correspond to the component parameters `backup.bucket` and `backup.password`) ++ +[source,shell] +---- +export AWS_ACCESS_KEY_ID="S3_KEY backup.bucket.accesskey" +export AWS_SECRET_ACCESS_KEY="S3_SECRET backup.bucket.secretkey" +export RESTIC_REPOSITORY="s3:https://path.to.my/bucket" +export RESTIC_PASSWORD="RESTIC_REPO_KEY backup.password" +---- +* Retrieve the latest Vault snapshot to your local disk ++ +[source,shell] +---- +mkdir restore +restic restore --target restore/ latest +---- +* Verify the snapshot file ++ +[source,shell] +---- +ls restore +# This should show a file named "[instance name]-backup.snapshot" +---- + +=== 4. Restore the snapshot + +* Expose the Vault pod ++ +[source,shell] +---- +kubectl port-forward -n $VAULT_INSTANCE_NAME ${VAULT_INSTANCE_NAME}-0 8200 +---- +* In a separate terminal, prepare the environment to access Vault ++ +[source,shell] +---- +# Get root token to log in +export VAULT_TOKEN="$(kubectl get secret -n $VAULT_INSTANCE_NAME ${VAULT_INSTANCE_NAME}-seal -ojsonpath='{.data.vault-root}' | base64 -d)" +export VAULT_ADDR="http://127.0.0.1:8200" +---- +* Restore the backup ++ +[source,shell] +---- +vault operator raft snapshot restore -force restore/${VAULT_INSTANCE_NAME}-backup.snapshot +---- + +=== 5. Unseal Vault + +If you were logged into the Vault UI, you should have gotten logged out now. +This is expected. + +* Open your browser at http://localhost:8200 +* Use the *Vault Unseal Key* of the Vault instance you've just restored to unseal Vault +* Use the *Vault root token* of the Vault instance you've just restored to log in with the `Token` method +* Verify that the restore worked, and secrets are now restored in Vault. + +[IMPORTANT] +==== +The unseal key and root token of the Vault instance you're restoring need to have been stored separately. +Without them, the restore procedure cannot be completed. +==== + +=== 6. Update the Vault Secret + +NOTE: Without this step, your Vault instance will not be able to auto-unseal. + +* Encode the Vault credentials ++ +[source,shell] +---- +export VAULT_UNSEAL_KEY="OLD_UNSEAL_KEY" +export VAULT_ROOT_TOKEN="OLD_ROOT_TOKEN" + +echo -n "$VAULT_UNSEAL_KEY" | base64 -w0 +echo -n "$VAULT_ROOT_TOKEN" | base64 -w0 +---- +* Update the Vault secret ++ +[source,shell] +---- +kubectl edit secret -n ${VAULT_INSTANCE_NAME} ${VAULT_INSTANCE_NAME}-seal +---- +* Update the `vault-root` and `vault-unseal-0` keys to reflect the values you have just encoded +* Save the secret diff --git a/docs/modules/ROOT/pages/references/parameters.adoc b/docs/modules/ROOT/pages/references/parameters.adoc index f1d3dc8..54b5b6d 100644 --- a/docs/modules/ROOT/pages/references/parameters.adoc +++ b/docs/modules/ROOT/pages/references/parameters.adoc @@ -252,6 +252,12 @@ default:: `true` Whether to do backups using k8up. +[WARNING] +.Manual Setup Required +==== +include::partial$vault-warning.adoc[] +==== + == `backup.schedule` [horizontal] diff --git a/docs/modules/ROOT/partials/nav.adoc b/docs/modules/ROOT/partials/nav.adoc index 62bae9d..471a668 100644 --- a/docs/modules/ROOT/partials/nav.adoc +++ b/docs/modules/ROOT/partials/nav.adoc @@ -1,4 +1,5 @@ * xref:index.adoc[Home] * xref:tutorials/install.adoc[Installation] * xref:how-tos/lieutenant.adoc[Lieutenant Integration] +* xref:how-tos/restore-from-backup.adoc[Restore Vault from Backup] * xref:references/parameters.adoc[Parameters] diff --git a/docs/modules/ROOT/partials/vault-warning.adoc b/docs/modules/ROOT/partials/vault-warning.adoc new file mode 100644 index 0000000..1e2e18f --- /dev/null +++ b/docs/modules/ROOT/partials/vault-warning.adoc @@ -0,0 +1,8 @@ +`component-vault` leverages k8up's application specific backups to create Vault snapshots. +Restoring such a snapshot is only possible by providing the Vault unseal key and root token. +As these are sensitive secrets, they are not backed up as part of the component's automated backup process. + +When setting up Vault, you must store the Vault unseal key and root token in a safe location in order to be able to restore backups. + +In a running Vault instance, both of these secrets can be found in the `[instance name]-seal` secret in the Vault instance's namespace. +In order to have a reliable Vault backup, this secret must be backed up separately to a safe location.