68 lines
2.8 KiB
Bash
68 lines
2.8 KiB
Bash
#!/bin/bash
|
|
|
|
DATE=$(date +"%F:%R")
|
|
DATE_SNAPSHOT=$(date +"%Y%m%d")
|
|
LOGFILE="/data/log/scripts/vault-snapshot-restore.log"
|
|
TMP_DIR="/tmp/"
|
|
S3_ENDPOINT=""
|
|
S3_BUCKET=""
|
|
FILENAME="vault-${DATE_SNAPSHOT}.snap"
|
|
STATUS="0"
|
|
STATUSFILE="/var/tmp/batch.vault-snapshot-restore.sh"
|
|
HOST_KUBE=""
|
|
VAULT_ADDR=""
|
|
VAULT_TOKEN=""
|
|
|
|
# Set ROLE_ID and SECRET_ID
|
|
source /root/.config/vault-snapshot.conf
|
|
set -eu
|
|
|
|
function set_error_status() {
|
|
echo "[$(date '+%Y%m%d %H%M%S')] : Something went wrong in the script, exiting." | tee -a "${LOGFILE}"
|
|
echo "2 vault-snapshot-restore - KO" > ${STATUSFILE}
|
|
}
|
|
|
|
trap set_error_status ERR
|
|
|
|
#Disable TLS checking
|
|
export VAULT_SKIP_VERIFY="TRUE"
|
|
export VAULT_CLIENT_TIMEOUT=300
|
|
export VAULT_ADDR="https://127.0.0.1:8200"
|
|
|
|
# Downloading vault-snapshot from S3 bucket. Needs awscli setup properly for the user.
|
|
echo "[$(date '+%Y%m%d %H%M%S')] : Downloading vault archive ${FILENAME} from ${DATE} ###" | tee -a "${LOGFILE}"
|
|
/usr/local/bin/aws --no-progress --endpoint-url "${S3_ENDPOINT}" s3 cp s3://"${S3_BUCKET}"/"$FILENAME" /tmp/${FILENAME} | tee -a "${LOGFILE}"
|
|
|
|
# Getting a token with grants to force restore snapshot
|
|
echo "[$(date '+%Y%m%d %H%M%S')] : Vault login ###" | tee -a "${LOGFILE}"
|
|
TOKEN=$(/usr/bin/vault write -field="token" auth/approle/login role_id="${ROLEID}" secret_id="${SECRETID}")
|
|
export VAULT_TOKEN="${TOKEN}"
|
|
|
|
echo "[$(date '+%Y%m%d %H%M%S')] : Snapshot restoration ###" | tee -a "${LOGFILE}"
|
|
vault operator raft snapshot restore -force /tmp/${FILENAME}
|
|
|
|
# Wait an estimated sufficient time for the snapshot to be fully restored.
|
|
sleep 600
|
|
|
|
echo "[$(date '+%Y%m%d %H%M%S')] : On oublie l'ancien token ###" | tee -a "${LOGFILE}"
|
|
TOKEN=""
|
|
|
|
# Getting a new token since we successfully restored snapshot.
|
|
echo "[$(date '+%Y%m%d %H%M%S')] : Vault login ###" | tee -a "${LOGFILE}"
|
|
TOKEN=$(/usr/bin/vault write -field="token" auth/approle/login role_id="${ROLEID}" secret_id="${SECRETID}")
|
|
export VAULT_TOKEN="${TOKEN}"
|
|
|
|
# Get kube token to update auth method for this site's cluster.
|
|
echo "[$(date '+%Y%m%d %H%M%S')] : Recuperation token Kube ###" | tee -a "${LOGFILE}"
|
|
TOKEN_REVIEW_JWT="$(kubectl get secret vault-auth -n vault -o go-template='{{ .data.token }}' | base64 --decode)"
|
|
|
|
# Rewriting Kube API URL in auth method to match this sites cluster.
|
|
echo "[$(date '+%Y%m%d %H%M%S')] : Setting kube api url" | tee -a "${LOGFILE}"
|
|
vault write auth/production/kubernetes/config token_reviewer_jwt=$TOKEN_REVIEW_JWT kubernetes_ca_cert=@/root/.kube/cert.crt kubernetes_host="$HOST_KUBE" disable_iss_validation=true disable_local_ca_jwt=true
|
|
|
|
echo "[$(date '+%Y%m%d %H%M%S')] : Cleaning downloaded snapshot ###" | tee -a "${LOGFILE}"
|
|
rm -f /tmp/${FILENAME}
|
|
echo "0 vault-snapshot-restore - OK" > ${STATUSFILE}
|
|
echo "[$(date '+%Y%m%d %H%M%S')] : ###### FIN ######" | tee -a "${LOGFILE}"
|
|
exit ${STATUS}
|