Vault Backup Restore Overview
Vault
provides a set of standard operating procedures (SOP)
for backing up a Vault cluster. It protects your Vault cluster
against data corruption or sabotage of which Disaster Recovery Replication might not be able to protect against.
KubeVault
supports number of different Storage Backend types. Therefore, the exact steps to backup Vault will depend on your
selected storage backend. The two recommended storage backend types are Consul and Integrated Storage
(also known as Raft).
KubeVault
currently supports Backup & Restore for Raft
storage backend. So, this document assumes that Raft
storage backend is being used.
Backup & Restore process for Raft
Your VaultServer
must be in Ready
state for Backup & Restore process to work. This will take the snapshot
using a consistent mode that forwards the request to the cluster leader, and the leader will verify it is still
in power before taking the snapshot.
A simple VaultServer
YAML with Raft
storage backend may look like this:
apiVersion: kubevault.com/v1alpha2
kind: VaultServer
metadata:
name: vault
namespace: demo
spec:
version: 1.10.3
replicas: 3
allowedSecretEngines:
namespaces:
from: All
backend:
raft:
storage:
storageClassName: "standard"
resources:
requests:
storage: 1Gi
unsealer:
secretShares: 5
secretThreshold: 3
mode:
kubernetesSecret:
secretName: vault-keys
terminationPolicy: WipeOut
Let’s take a look at some relevant fields:
spec.backend
contains the Backend storage information, Raft
in this case:
backend:
raft:
storage:
resources:
requests:
storage: 1Gi
storageClassName: standard
spec.unsealer
contains VaultServer
unsealing option. In this case which is Kubernetes
Secret. So, on Vault deployment
a Secret will be created on the same namespace, which will create the Vault unseal-keys & root-token.
unsealer:
secretShares: 5
secretThreshold: 3
mode:
kubernetesSecret:
secretName: vault-keys
KubeVault
operator will create an AppBinding
with all the necessary information for backup & restore.
AppBinding
has the information about the Unsealer option of the VaultServer
. During the Backup,
Vault unseal-keys
& root-token
will also be backed-up for the completeness of the Backup process.
KubeVault
created AppBinding
YAML may look like this:
apiVersion: appcatalog.appscode.com/v1alpha1
kind: AppBinding
metadata:
name: vault
namespace: demo
spec:
appRef:
apiGroup: kubevault.com
kind: VaultServer
name: vault
namespace: demo
clientConfig:
service:
name: vault
port: 8200
scheme: http
parameters:
apiVersion: config.kubevault.com/v1alpha1
backend: raft
backupTokenSecretRef:
name: vault-backup-token
kind: VaultServerConfiguration
kubernetes:
serviceAccountName: vault
tokenReviewerServiceAccountName: vault-k8s-token-reviewer
usePodServiceAccountForCSIDriver: true
path: kubernetes
stash:
addon:
backupTask:
name: vault-backup-1.10.3
params:
- name: keyPrefix
value: k8s.kubevault.com.demo.vault
restoreTask:
name: vault-restore-1.10.3
params:
- name: keyPrefix
value: k8s.kubevault.com.demo.vault
unsealer:
mode:
kubernetesSecret:
secretName: vault-keys
secretShares: 5
secretThreshold: 3
vaultRole: vault-policy-controller
Read more about AppBinding
here.
Here:
spec.parameters.stash
section contains the stash parameters for Backup & Restore tasks.spec.parameters.stash.addon
contains the information about theTask
for backup & restore. It also contains theparams
which indicates thekeyPrefix
that is prepended with the name of vaultunseal-keys
&root-token
, e.g.k8s.kubevault.com.demo.vault-root-token
,k8s.kubevault.com.demo.vault-root-token-unseal-key-0
,k8s.kubevault.com.demo.vault-root-token-unseal-key-1
, etc.
stash:
addon:
backupTask:
name: vault-backup-1.10.3
params:
- name: keyPrefix
value: k8s.kubevault.com.demo.vault
restoreTask:
name: vault-restore-1.10.3
params:
- name: keyPrefix
value: k8s.kubevault.com.demo.vault
KubeVault
operator will create a K8s Secret
containing a token
during the Vault deployment, which contains the necessary permission
for the Backup & Restore process. This information is available in the AppBinding
created by the operator. AppBinding
spec.parameters.backupTokenSecretRef
contains the reference of that secret.
spec:
parameters:
backupTokenSecretRef:
name: vault-backup-token
A sample policy document / permission may look like this:
path "sys/storage/raft/snapshot" {
capabilities = ["read"]
}
path "sys/storage/raft/snapshot-force" {
capabilities = ["read"]
}
If your Vault
deployment isn’t managed by KubeVault
, then you’ll need to create the AppBinding
& Secret
containing
the permissions required for backup & restore separately.
Up next: