Skip to content

Commit

Permalink
Add changes to address code review
Browse files Browse the repository at this point in the history
  • Loading branch information
HappyTetrahedron committed Aug 26, 2024
1 parent 45b3e22 commit 89b529b
Show file tree
Hide file tree
Showing 2 changed files with 38 additions and 22 deletions.
58 changes: 37 additions & 21 deletions docs/modules/ROOT/pages/how-tos/restore-from-backup.adoc
Original file line number Diff line number Diff line change
Expand Up @@ -20,29 +20,30 @@ include::partial$vault-warning.adoc[]

=== 1. Set up new Vault instance

* Add the `vault` application to your cluster configuration
* Initially disable backups by setting `.backups.enabled` to `false`
* Compile and push the cluster config and wait for Vault to start.
. Add the `vault` application to your cluster configuration.
.. If your old instance of vault is still running on the cluster, you can use component instantiation to create a second instance by adding `vault as new-vault` to your application list, and configuring it under `new_vault`.
. Initially disable backups by setting `.backups.enabled` to `false`
. Compile and push the cluster config and wait for Vault to start.

=== 2. Retrieve the Vault snapshot

* Set up the restic credentials (values correspond to the component parameters `backup.bucket` and `backup.password`)
. Set up the restic credentials (values correspond to the component parameters `backup.bucket` and `backup.password`)
+
[source,shell]
----
export AWS_ACCESS_KEY_ID="S3_KEY backup.bucket.accesskey"
export AWS_SECRET_ACCESS_KEY="S3_SECRET backup.bucket.secretkey"
export AWS_ACCESS_KEY_ID="S3_KEY" # from component configuration: backup.bucket.accesskey
export AWS_SECRET_ACCESS_KEY="S3_SECRET" # from component confiugration: backup.bucket.secretkey
export RESTIC_REPOSITORY="s3:https://path.to.my/bucket"
export RESTIC_PASSWORD="RESTIC_REPO_KEY backup.password"
export RESTIC_PASSWORD="RESTIC_REPO_KEY" # from component configuration: backup.password
----
* Retrieve the latest Vault snapshot to your local disk
. Retrieve the latest Vault snapshot to your local disk
+
[source,shell]
----
mkdir restore
restic restore --target restore/ latest
----
* Verify the snapshot file
. Verify the snapshot file
+
[source,shell]
----
Expand All @@ -52,21 +53,21 @@ ls restore

=== 3. Restore the snapshot

* Expose the Vault pod
. Expose the Vault pod
+
[source,shell]
----
kubectl port-forward -n $VAULT_INSTANCE_NAME ${VAULT_INSTANCE_NAME}-0 8200
----
* In a separate terminal, prepare the environment to access Vault
. In a separate terminal, prepare the environment to access Vault
+
[source,shell]
----
# Get root token to log in
export VAULT_TOKEN="$(kubectl get secret -n $VAULT_INSTANCE_NAME ${VAULT_INSTANCE_NAME}-seal -ojsonpath='{.data.vault-root}' | base64 -d)"
export VAULT_ADDR="http://127.0.0.1:8200"
----
* Restore the backup
. Restore the backup
+
[source,shell]
----
Expand All @@ -78,10 +79,10 @@ vault operator raft snapshot restore -force restore/${VAULT_INSTANCE_NAME}-backu
If you were logged into the Vault UI, you should have gotten logged out now.
This is expected.

* Open your browser at http://localhost:8200
* Use the *Vault Unseal Key* of the Vault instance you've just restored to unseal Vault
* Use the *Vault root token* of the Vault instance you've just restored to log in with the `Token` method
* Verify that the restore worked, and secrets are now restored in Vault.
. Open your browser at http://localhost:8200
. Use the *Vault Unseal Key* of the Vault instance you've just restored to unseal Vault
. Use the *Vault root token* of the Vault instance you've just restored to log in with the `Token` method
. Verify that the restore worked, and secrets are now restored in Vault.

[IMPORTANT]
====
Expand All @@ -93,7 +94,7 @@ Without them, the restore procedure cannot be completed.

NOTE: Without this step, your Vault instance will not be able to auto-unseal.

* Encode the Vault credentials
. Encode the Vault credentials
+
[source,shell]
----
Expand All @@ -103,15 +104,30 @@ export VAULT_ROOT_TOKEN="OLD_ROOT_TOKEN"
echo -n "$VAULT_UNSEAL_KEY" | base64 -w0
echo -n "$VAULT_ROOT_TOKEN" | base64 -w0
----
* Update the Vault secret
. Update the Vault secret
+
[source,shell]
----
kubectl edit secret -n ${VAULT_INSTANCE_NAME} ${VAULT_INSTANCE_NAME}-seal
----
* Update the `vault-root` and `vault-unseal-0` keys to reflect the values you have just encoded
* Save the secret
. Update the `vault-root` and `vault-unseal-0` keys to reflect the values you have just encoded
. Save the secret
. Verify that auto-unseal works:
.. Restart all vault pods simultaneously:
+
[source,shell]
----
kubectl delete pod -n $VAULT_INSTANCE_NAME ${VAULT_INSTANCE_NAME}-{0..2}
----
.. Expose the Vault UI
+
[source,shell]
----
kubectl port-forward -n $VAULT_INSTANCE_NAME ${VAULT_INSTANCE_NAME}-0 8200
----
.. Verify that http://localhost:8200[the Vault UI] does not prompt you for the unseal key


=== 6. Cleanup

* Reenable `backups.enabled` in the component configuration
. Reenable `backups.enabled` in the component configuration
2 changes: 1 addition & 1 deletion docs/modules/ROOT/partials/vault-warning.adoc
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
`component-vault` leverages k8up's application specific backups to create Vault snapshots.
Restoring such a snapshot is only possible by providing the Vault unseal key and root token.
Restoring such a snapshot is only possible by providing the Vault https://developer.hashicorp.com/vault/docs/concepts/seal[unseal key] and https://developer.hashicorp.com/vault/docs/concepts/tokens#root-tokens[root token].
As these are sensitive secrets, they are not backed up as part of the component's automated backup process.

When setting up Vault, you must store the Vault unseal key and root token in a safe location in order to be able to restore backups.
Expand Down

0 comments on commit 89b529b

Please sign in to comment.