New to KubeVault? Please start here.
KubeVault uses Stash to backup and restore Vault. Stash by AppsCode is a cloud native data backup and recovery solution for Kubernetes workloads. Stash utilizes restic to securely backup stateful applications to any cloud or on-prem storage backends (for example, S3, GCS, Azure Blob storage, Minio, NetApp, Dell EMC etc.).
The following diagram shows how Stash takes a backup of a Vault cluster. Open the image in a new tab to see the enlarged version.
The backup process consists of the following steps:
At first, a user creates a secret with access credentials of the backend where the backed up data will be stored.
Then, the user creates a Repository
crd that specifies the backend information along with the secret that holds the credentials to access the backend.
Then, the user creates a BackupConfiguration
crd targeting the AppBinding CRD of the desired Vault cluster. The BackupConfiguration
object also specifies the Task
to use to take backup of the Vault cluster.
Stash operator watches for BackupConfiguration
crd.
Once Stash operator finds a BackupConfiguration
crd, it creates a CronJob with the schedule specified in BackupConfiguration
object to trigger backup periodically.
On the next scheduled slot, the CronJob triggers a backup by creating a BackupSession
crd.
Stash operator also watches for BackupSession
crd.
When it finds a BackupSession
object, it resolves the respective Task
and Function
and prepares a Job definition to take backup.
Then, it creates the Job to take backup the targeted Vault cluster.
The backup Job reads necessary information to connect with the Vault from the AppBinding
crd. It also reads backend information and access credentials from Repository
crd and Storage Secret respectively.
Then, the Job dumps snapshot from the targeted Vault and uploads the output to the backend. Stash stores the dumped files temporarily before uploading into the backend. Hence, you should provide a PVC template using spec.interimVolumeTemplate
field of BackupConfiguration
crd to use to store those dumped files temporarily.
Finally, when the backup is completed, the Job sends Prometheus metrics to the Pushgateway running inside Stash operator pod. It also updates the BackupSession
and Repository
status to reflect the backup procedure.
The following diagram shows how Stash restores backed up data into a Vault cluster. Open the image in a new tab to see the enlarged version.
The restore process consists of the following steps:
At first, a user creates a RestoreSession
crd targeting the AppBinding
of the desired Vault where the backed up data will be restored. It also specifies the Repository
crd which holds the backend information and the Task
to use to restore the target.
Stash operator watches for RestoreSession
object.
Once it finds a RestoreSession
object, it resolves the respective Task
and Function
and prepares a Job definition to restore.
Then, it creates the Job to restore the target.
The Job reads necessary information to connect with the Vault from respective AppBinding
crd. It also reads backend information and access credentials from Repository
crd and Storage Secret respectively.
Then, the job downloads the backed up data from the backend and insert into the desired Vault. Stash stores the downloaded files temporarily before inserting into the targeted Vault. Hence, you should provide a PVC template using spec.interimVolumeTemplate
field of RestoreSession
crd to use to store those restored files temporarily.
Finally, when the restore process is completed, the Job sends Prometheus metrics to the Pushgateway and update the RestoreSession
status to reflect restore completion.