From d04e919cd5342b4621d08018d5b36943e435ce16 Mon Sep 17 00:00:00 2001
From: kirby
Date: Tue, 20 May 2025 17:55:01 +0200
Subject: [PATCH] init vault documentation
---
vault/Post-install.md | 10 +++++
vault/vault-snapshot-restore.sh | 67 +++++++++++++++++++++++++++++++++
vault/vault-snapshot.conf | 3 ++
3 files changed, 80 insertions(+)
create mode 100644 vault/Post-install.md
create mode 100644 vault/vault-snapshot-restore.sh
create mode 100644 vault/vault-snapshot.conf
diff --git a/vault/Post-install.md b/vault/Post-install.md
new file mode 100644
index 0000000..b87d486
--- /dev/null
+++ b/vault/Post-install.md
@@ -0,0 +1,10 @@
+## Default Token Duration
+
+- Issue : when you snapshot the raft storage, tokens are integrated in the snapshot, and snapshots size grows (a lot) over time.
+- Cause : By default, auth methods uses the default token TTL (30d) for all tokens created.
+- Resolve : Adjust the default TTL for tokens for each auth method according to the use. Ex : 1h if using oneshot tokens.
+
+## DIY Vault georeplication with 1 day delay
+
+- Issue : Only paid vault offers realtime georeplication between clusters.
+- Resolve : Build a cluster for the main infrastructure, then create another single VM or 3-members cluster and run a script that will download and import the snapshot every day.
diff --git a/vault/vault-snapshot-restore.sh b/vault/vault-snapshot-restore.sh
new file mode 100644
index 0000000..f9ffa22
--- /dev/null
+++ b/vault/vault-snapshot-restore.sh
@@ -0,0 +1,67 @@
+#!/bin/bash
+
+DATE=$(date +"%F:%R")
+DATE_SNAPSHOT=$(date +"%Y%m%d")
+LOGFILE="/data/log/scripts/vault-snapshot-restore.log"
+TMP_DIR="/tmp/"
+S3_ENDPOINT=""
+S3_BUCKET=""
+FILENAME="vault-${DATE_SNAPSHOT}.snap"
+STATUS="0"
+STATUSFILE="/var/tmp/batch.vault-snapshot-restore.sh"
+HOST_KUBE=""
+VAULT_ADDR=""
+VAULT_TOKEN=""
+
+# Set ROLE_ID and SECRET_ID
+source /root/.config/vault-snapshot.conf
+set -eu
+
+function set_error_status() {
+  echo "[$(date '+%Y%m%d %H%M%S')] : Something went wrong in the script, exiting." | tee -a "${LOGFILE}"
+  echo "2 vault-snapshot-restore - KO" > ${STATUSFILE}
+}
+
+trap set_error_status ERR
+
+#Disable TLS checking
+export VAULT_SKIP_VERIFY="TRUE"
+export VAULT_CLIENT_TIMEOUT=300
+export VAULT_ADDR="https://127.0.0.1:8200"
+
+# Downloading vault-snapshot from S3 bucket. Needs awscli setup properly for the user.
+echo "[$(date '+%Y%m%d %H%M%S')] : Downloading vault archive ${FILENAME} from ${DATE} ###" | tee -a "${LOGFILE}"
+/usr/local/bin/aws --no-progress --endpoint-url "${S3_ENDPOINT}" s3 cp s3://"${S3_BUCKET}"/"$FILENAME" /tmp/${FILENAME} | tee -a "${LOGFILE}"
+
+# Getting a token with grants to force restore snapshot
+echo "[$(date '+%Y%m%d %H%M%S')] : Vault login ###" | tee -a "${LOGFILE}"
+TOKEN=$(/usr/bin/vault write -field="token" auth/approle/login role_id="${ROLEID}" secret_id="${SECRETID}")
+export VAULT_TOKEN="${TOKEN}"
+
+echo "[$(date '+%Y%m%d %H%M%S')] : Snapshot restoration ###" | tee -a "${LOGFILE}"
+vault operator raft snapshot restore -force /tmp/${FILENAME}
+
+# Wait an estimated sufficient time for the snapshot to be fully restored.
+sleep 600
+
+echo "[$(date '+%Y%m%d %H%M%S')] : On oublie l'ancien token ###" | tee -a "${LOGFILE}"
+TOKEN=""
+
+# Getting a new token since we successfully restored snapshot.
+echo "[$(date '+%Y%m%d %H%M%S')] : Vault login ###" | tee -a "${LOGFILE}"
+TOKEN=$(/usr/bin/vault write -field="token" auth/approle/login role_id="${ROLEID}" secret_id="${SECRETID}")
+export VAULT_TOKEN="${TOKEN}"
+
+# Get kube token to update auth method for this site's cluster.
+echo "[$(date '+%Y%m%d %H%M%S')] : Recuperation token Kube ###" | tee -a "${LOGFILE}"
+TOKEN_REVIEW_JWT="$(kubectl get secret vault-auth -n vault -o go-template='{{ .data.token }}' | base64 --decode)"
+
+# Rewriting Kube API URL in auth method to match this sites cluster.
+echo "[$(date '+%Y%m%d %H%M%S')] : Setting kube api url" | tee -a "${LOGFILE}"
+vault write auth/production/kubernetes/config token_reviewer_jwt=$TOKEN_REVIEW_JWT kubernetes_ca_cert=@/root/.kube/infolegale.net.crt kubernetes_host="$HOST_KUBE" disable_iss_validation=true disable_local_ca_jwt=true
+
+echo "[$(date '+%Y%m%d %H%M%S')] : Cleaning downloaded snapshot ###" | tee -a "${LOGFILE}"
+rm -f /tmp/${FILENAME}
+echo "0 vault-snapshot-restore - OK" > ${STATUSFILE}
+echo "[$(date '+%Y%m%d %H%M%S')] : ###### FIN ######" | tee -a "${LOGFILE}"
+exit ${STATUS}
diff --git a/vault/vault-snapshot.conf b/vault/vault-snapshot.conf
new file mode 100644
index 0000000..ab28151
--- /dev/null
+++ b/vault/vault-snapshot.conf
@@ -0,0 +1,3 @@
+ROLEID=""
+SECRETID=""
+VAULT_CLIENT_TIMEOUT="300"
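Review bot: Under `set -eu` with no `pipefail`, the status of the `aws … s3 cp … | tee -a "${LOGFILE}"` pipeline is that of `tee`, so a failed download never trips the ERR trap and the script continues to `vault operator raft snapshot restore -force /tmp/${FILENAME}` with whatever is at that predictable, world-writable path (`TMP_DIR` is declared but never used); change the option line to `set -euo pipefail`, move it above the `source` so a missing conf file is caught too, and download into a `mktemp -d` directory removed by an EXIT trap so a snapshot left behind by a failed run is not kept in /tmp. Both `vault write auth/approle/login … secret_id="${SECRETID}"` calls and the `token_reviewer_jwt=$TOKEN_REVIEW_JWT` argument place credentials on the command line, where any local process listing can read them; feed them through stdin (`vault write … -` with a JSON body) or `@file` values as `kubernetes_ca_cert` already does, and quote `"$TOKEN_REVIEW_JWT"`. `export VAULT_SKIP_VERIFY="TRUE"` disables certificate verification for the very connection that carries the secret_id; pointing `VAULT_CACERT` at the cluster CA is the safer equivalent. Nothing checks where the snapshot came from before the forced restore, so the restore target trusts whatever the bucket returns (at minimum compare against a checksum published out of band), and the fixed `sleep 600` would be more dependable as a loop polling `vault status` until the node reports unsealed. The `VAULT_ADDR=""`, `VAULT_TOKEN=""` and `STATUS="0"` assignments at the top are overwritten or constant, and the French log strings (`On oublie l'ancien token`, `Recuperation token Kube`, `FIN`) mixed with English ones make the log harder to search; a short header comment stating the script's purpose, the conf variables it expects and the S3/kube prerequisites would also help the next operator.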
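Review bot: `vault-snapshot.conf` holds the AppRole `ROLEID` and `SECRETID` in clear text and is `source`d by `vault-snapshot-restore.sh` running as root from `/root/.config/`, yet neither file states the permissions it needs; add a header comment such as `# AppRole credentials sourced by vault-snapshot-restore.sh as root; keep owner root, mode 0600`. The script's comment above its `source` line says "Set ROLE_ID and SECRET_ID" while this file defines `ROLEID`/`SECRETID`, so one of the two should be aligned to avoid a confusing `set -u` failure later. `VAULT_CLIENT_TIMEOUT="300"` here has no effect, because the script runs `export VAULT_CLIENT_TIMEOUT=300` unconditionally after sourcing the file; either drop it from the conf or have the script honour the sourced value.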