init vault documentation

vault/Post-install.md

@@ -0,0 +1,10 @@
+## Default Token Duration
+
+- Issue : when you snapshot the raft storage, tokens are integrated in the snapshot, and snapshots size grows (a lot) over time.
+- Cause : By default, auth methods uses the default token TTL (30d) for all tokens created.
+- Resolve : Adjust the default TTL for tokens for each auth method according to the use. Ex : 1h if using oneshot tokens.
+
+## DIY Vault georeplication with 1 day delay
+
+- Issue : Only paid vault offers realtime georeplication between clusters.
+- Resolve : Build a cluster for the main infrastructure, then create another single VM or 3-members cluster and run a script that will download and import the snapshot every day.

vault/vault-snapshot-restore.sh

@@ -0,0 +1,67 @@
+#!/bin/bash
+
+DATE=$(date +"%F:%R")
+DATE_SNAPSHOT=$(date +"%Y%m%d")
+LOGFILE="/data/log/scripts/vault-snapshot-restore.log"
+TMP_DIR="/tmp/"
+S3_ENDPOINT=""
+S3_BUCKET=""
+FILENAME="vault-${DATE_SNAPSHOT}.snap"
+STATUS="0"
+STATUSFILE="/var/tmp/batch.vault-snapshot-restore.sh"
+HOST_KUBE=""
+VAULT_ADDR=""
+VAULT_TOKEN=""
+
+# Set ROLE_ID and SECRET_ID
+source /root/.config/vault-snapshot.conf
+set -eu
+
+function set_error_status() {
+    echo "[$(date '+%Y%m%d %H%M%S')] : Something went wrong in the script, exiting." | tee -a "${LOGFILE}"
+    echo "2 vault-snapshot-restore - KO" > ${STATUSFILE}
+}
+
+trap set_error_status ERR
+
+#Disable TLS checking
+export VAULT_SKIP_VERIFY="TRUE"
+export VAULT_CLIENT_TIMEOUT=300
+export VAULT_ADDR="https://127.0.0.1:8200"
+
+# Downloading vault-snapshot from S3 bucket. Needs awscli setup properly for the user.
+echo "[$(date '+%Y%m%d %H%M%S')] : Downloading vault archive ${FILENAME} from ${DATE} ###" | tee -a "${LOGFILE}"
+/usr/local/bin/aws --no-progress --endpoint-url "${S3_ENDPOINT}" s3 cp s3://"${S3_BUCKET}"/"$FILENAME" /tmp/${FILENAME} | tee -a "${LOGFILE}"
+
+# Getting a token with grants to force restore snapshot
+echo "[$(date '+%Y%m%d %H%M%S')] : Vault login ###" | tee -a "${LOGFILE}"
+TOKEN=$(/usr/bin/vault write -field="token" auth/approle/login role_id="${ROLEID}" secret_id="${SECRETID}")
+export VAULT_TOKEN="${TOKEN}"
+
+echo "[$(date '+%Y%m%d %H%M%S')] : Snapshot restoration ###" | tee -a "${LOGFILE}"
+vault operator raft snapshot restore -force /tmp/${FILENAME}
+
+# Wait an estimated sufficient time for the snapshot to be fully restored.
+sleep 600
+
+echo "[$(date '+%Y%m%d %H%M%S')] : On oublie l'ancien token ###" | tee -a "${LOGFILE}"
+TOKEN=""
+
+# Getting a new token since we successfully restored snapshot.
+echo "[$(date '+%Y%m%d %H%M%S')] : Vault login ###" | tee -a "${LOGFILE}"
+TOKEN=$(/usr/bin/vault write -field="token" auth/approle/login role_id="${ROLEID}" secret_id="${SECRETID}")
+export VAULT_TOKEN="${TOKEN}"
+
+# Get kube token to update auth method for this site's cluster.
+echo "[$(date '+%Y%m%d %H%M%S')] : Recuperation token Kube ###" | tee -a "${LOGFILE}"
+TOKEN_REVIEW_JWT="$(kubectl get secret vault-auth -n vault -o go-template='{{ .data.token }}' | base64 --decode)"
+
+# Rewriting Kube API URL in auth method to match this sites cluster.
+echo "[$(date '+%Y%m%d %H%M%S')] : Setting kube api url" | tee -a "${LOGFILE}"
+vault write auth/production/kubernetes/config token_reviewer_jwt=$TOKEN_REVIEW_JWT kubernetes_ca_cert=@/root/.kube/infolegale.net.crt kubernetes_host="$HOST_KUBE" disable_iss_validation=true disable_local_ca_jwt=true
+
+echo "[$(date '+%Y%m%d %H%M%S')] : Cleaning downloaded snapshot ###" | tee -a "${LOGFILE}"
+rm -f /tmp/${FILENAME}
+echo "0 vault-snapshot-restore - OK" > ${STATUSFILE}
+echo "[$(date '+%Y%m%d %H%M%S')] : ###### FIN ######" | tee -a "${LOGFILE}"
+exit ${STATUS}

vault/vault-snapshot.conf

@@ -0,0 +1,3 @@
+ROLEID=""
+SECRETID=""
+VAULT_CLIENT_TIMEOUT="300"