From 52e00461f30b193021b0b062e6d268d3da03904c Mon Sep 17 00:00:00 2001
From: Venkata Mutyala
Date: Sat, 9 Dec 2023 19:42:37 -0800
Subject: [PATCH 1/3] feat: adding vault-backup-updater logic
---
 vault-backup.sh | 30 +++++++++++++++++++++++++-----
 1 file changed, 25 insertions(+), 5 deletions(-)
diff --git a/vault-backup.sh b/vault-backup.sh
index 5f3ac1a..dd879e8 100755
--- a/vault-backup.sh
+++ b/vault-backup.sh
@@ -9,10 +9,30 @@ SA_TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token);
 export VAULT_LOG_LEVEL=debug
 export VAULT_SKIP_VERIFY=true
 export VAULT_TOKEN=$(vault write -field=token auth/kubernetes/login jwt=$SA_TOKEN role=vault-backup-role);
-
 mkdir -p /app/${date}
 vault operator raft snapshot save /app/vault_${date}.snap;
-
-aws s3 cp /app/vault_$(date '+%Y-%m-%d').snap s3://${S3_BUCKET_NAME}/${CAPTAIN_DOMAIN}/hashicorp-vault-backups/$(date '+%Y-%m-%d')/vault_$(date +"%Y%m%d_%H%M%S").snap;
-
-echo "Finished Vault backup."
+datetime=$(date +"%Y%m%d_%H%M%S")
+s3_destination=${S3_BUCKET_NAME}/${CAPTAIN_DOMAIN}/hashicorp-vault-backups/${date}/vault_${datetime}.snap
+aws s3 cp /app/vault_${date}.snap s3://${s3_destination}
+unset VAULT_TOKEN
+echo "Uploaded backup to s3. BUT we still need to validate the backup!!"
+echo "Assuming vault-reader-role in vault"
+export VAULT_TOKEN=$(vault write -field=token auth/kubernetes/login jwt=$SA_TOKEN role=reader-role);
+echo "Reading first secret available in current vault environment. if it was updated since the backup was taken then this backup may fail!"
+FIRST_SECRET=$(vault list -format=json secret/metadata/ | jq -r '.[0]')
+echo "Reading the data/values within the first secret"
+VAULT_OUTPUT=$(vault read -format=json "secret/data/$FIRST_SECRET")
+KEY_VALUES=$(echo $VAULT_OUTPUT | jq '.data.data')
+echo "Getting s3 presigned url for vault backup"
+BACKUP_S3_PRESIGNED_URL=$(aws s3 presign s3://${s3_destination} --expires-in 300)
+echo "Getting s3 presigned url for vault access tokens"
+TOKENS_S3_PRESIGNED_URL=$(aws s3 presign s3://${S3_BUCKET_NAME}/${CAPTAIN_DOMAIN}/hashicorp-vault-init/vault_access.json --expires-in 300)
+BASE_JSON='{
+ "source_backup_url": "'"$BACKUP_S3_PRESIGNED_URL"'",
+ "source_keys_url": "'"$TOKENS_S3_PRESIGNED_URL"'",
+ "path_values_map":{},
+ "vault_version": "1.14.6"
+}'
+UPDATED_JSON=$(echo $BASE_JSON | jq --arg path "secret/$FIRST_SECRET" --argjson kv "$KEY_VALUES" '.path_values_map[$path] = $kv')
+echo "Validating Backup now....."
+curl glueops-backup-and-exports.glueops-core-backup.svc.cluster.local:8080/api/v1/validate -X POST -d "${UPDATED_JSON}"
From 2952e6eebef9c7bdd71ddd50d9c159bf08609a9d Mon Sep 17 00:00:00 2001
From: Venkata Mutyala
Date: Sat, 9 Dec 2023 19:54:57 -0800
Subject: [PATCH 2/3] Update vault-backup.sh
---
 vault-backup.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/vault-backup.sh b/vault-backup.sh
index dd879e8..c9cb082 100755
--- a/vault-backup.sh
+++ b/vault-backup.sh
@@ -35,4 +35,4 @@ BASE_JSON='{
 }'
 UPDATED_JSON=$(echo $BASE_JSON | jq --arg path "secret/$FIRST_SECRET" --argjson kv "$KEY_VALUES" '.path_values_map[$path] = $kv')
 echo "Validating Backup now....."
-curl glueops-backup-and-exports.glueops-core-backup.svc.cluster.local:8080/api/v1/validate -X POST -d "${UPDATED_JSON}"
+curl glueops-backup-and-exports.glueops-core-backup.svc.cluster.local:8080/api/v1/validate --fail-with-body -X POST -d "${UPDATED_JSON}"
From 11b4481250742e16109ba9e8d073be8766d916db Mon Sep 17 00:00:00 2001
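Review bot: The closing `curl … /api/v1/validate -X POST -d "${UPDATED_JSON}"` ships the plaintext values of the first Vault secret plus a presigned URL to the `vault_access.json` object (which the hunk's own echo describes as vault access tokens) over a plain in-cluster HTTP request with no scheme, so unless that hop is covered by a mesh or the service offers TLS, secret material and two 300-second bearer links are readable by anything that can observe pod traffic. Separately, `echo $VAULT_OUTPUT | jq '.data.data'` and `echo $BASE_JSON | jq …` expand the JSON unquoted, so word splitting and globbing (a `*` or run of spaces inside a secret value, for instance) can corrupt the document before jq parses it; prefer `KEY_VALUES=$(jq '.data.data' <<<"$VAULT_OUTPUT")` and `UPDATED_JSON=$(jq --arg path "secret/$FIRST_SECRET" --argjson kv "$KEY_VALUES" '.path_values_map[$path] = $kv' <<<"$BASE_JSON")`. The reader-role `VAULT_TOKEN` exported mid-hunk is never unset after the validation call, unlike the backup-role token above it, and an empty `vault list` result leaves `FIRST_SECRET` as `null` and `KEY_VALUES` empty, which makes `--argjson` fail without a useful message. The raft snapshot in `/app/vault_${date}.snap` is also left on the pod filesystem after upload; `rm -f -- "/app/vault_${date}.snap"` once `aws s3 cp` succeeds would limit how long the full backup sits unencrypted on local disk.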
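Review bot: `--fail-with-body` on the changed `curl` line is only understood by curl 7.76.0 and newer; on an older curl in the container image the option is rejected as unknown and curl exits with status 2 before any request is sent, so the validation step would fail for the wrong reason and with no request ever reaching the service. Checking or pinning the curl version in the image would make this dependency explicit. Since this curl appears to be the last command in the file (the hunk runs to line 38 with no trailing context), its exit status becomes the script's exit status, which is presumably what surfaces a failed validation to the scheduler; a comment such as `# last command: curl's exit status is the script's (and the job's) result` would record that intent.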
From: Venkata Mutyala
Date: Sat, 9 Dec 2023 20:01:57 -0800
Subject: [PATCH 3/3] Update vault-backup.sh
---
 vault-backup.sh | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/vault-backup.sh b/vault-backup.sh
index c9cb082..9ccbc66 100755
--- a/vault-backup.sh
+++ b/vault-backup.sh
@@ -12,6 +12,8 @@ export VAULT_TOKEN=$(vault write -field=token auth/kubernetes/login jwt=$SA_TOKE
 mkdir -p /app/${date}
 vault operator raft snapshot save /app/vault_${date}.snap;
 datetime=$(date +"%Y%m%d_%H%M%S")
+echo "Sleeping for 10 seconds in case any debugging needs to be done"
+sleep 10;
 s3_destination=${S3_BUCKET_NAME}/${CAPTAIN_DOMAIN}/hashicorp-vault-backups/${date}/vault_${datetime}.snap
 aws s3 cp /app/vault_${date}.snap s3://${s3_destination}
 unset VAULT_TOKEN
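Review bot: The added `sleep 10;` is an unconditional delay with a debugging rationale left in the production path, and it runs while the backup-role `VAULT_TOKEN` is still exported and the freshly written raft snapshot sits unencrypted in `/app`, so it widens the window in which both are exposed on the pod for no functional benefit. Gating it on an environment variable, e.g. `[[ -n "${BACKUP_DEBUG_SLEEP:-}" ]] && sleep "$BACKUP_DEBUG_SLEEP"` (variable name illustrative), keeps the pause available when someone is actually attached without paying it on every run. The trailing `;` after `sleep 10` is also unnecessary and inconsistent with the surrounding `datetime=` and `s3_destination=` lines. Note that `datetime` is computed before the sleep, so the object name will lag the real upload time by at least ten seconds.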