Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: adding vault-backup-updater logic #20

Merged
merged 3 commits into from
Dec 10, 2023
Merged

feat: adding vault-backup-updater logic #20

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
52e0046
feat: adding vault-backup-updater logic
venkatamutyala Dec 10, 2023
2952e6e
Update vault-backup.sh
venkatamutyala Dec 10, 2023
11b4481
Update vault-backup.sh
venkatamutyala Dec 10, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
32 changes: 27 additions & 5 deletions vault-backup.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,10 +9,32 @@ SA_TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token);
export VAULT_LOG_LEVEL=debug
export VAULT_SKIP_VERIFY=true
export VAULT_TOKEN=$(vault write -field=token auth/kubernetes/login jwt=$SA_TOKEN role=vault-backup-role);

mkdir -p /app/${date}
vault operator raft snapshot save /app/vault_${date}.snap;

aws s3 cp /app/vault_$(date '+%Y-%m-%d').snap s3://${S3_BUCKET_NAME}/${CAPTAIN_DOMAIN}/hashicorp-vault-backups/$(date '+%Y-%m-%d')/vault_$(date +"%Y%m%d_%H%M%S").snap;

echo "Finished Vault backup."
datetime=$(date +"%Y%m%d_%H%M%S")
echo "Sleeping for 10 seconds in case any debugging needs to be done"
sleep 10;
s3_destination=${S3_BUCKET_NAME}/${CAPTAIN_DOMAIN}/hashicorp-vault-backups/${date}/vault_${datetime}.snap
aws s3 cp /app/vault_${date}.snap s3://${s3_destination}
unset VAULT_TOKEN
echo "Uploaded backup to s3. BUT we still need to validate the backup!!"
echo "Assuming vault-reader-role in vault"
export VAULT_TOKEN=$(vault write -field=token auth/kubernetes/login jwt=$SA_TOKEN role=reader-role);
echo "Reading first secret available in current vault environment. if it was updated since the backup was taken then this backup may fail!"
FIRST_SECRET=$(vault list -format=json secret/metadata/ | jq -r '.[0]')
echo "Reading the data/values within the first secret"
VAULT_OUTPUT=$(vault read -format=json "secret/data/$FIRST_SECRET")
KEY_VALUES=$(echo $VAULT_OUTPUT | jq '.data.data')
echo "Getting s3 presigned url for vault backup"
BACKUP_S3_PRESIGNED_URL=$(aws s3 presign s3://${s3_destination} --expires-in 300)
echo "Getting s3 presigned url for vault access tokens"
TOKENS_S3_PRESIGNED_URL=$(aws s3 presign s3://${S3_BUCKET_NAME}/${CAPTAIN_DOMAIN}/hashicorp-vault-init/vault_access.json --expires-in 300)
BASE_JSON='{
"source_backup_url": "'"$BACKUP_S3_PRESIGNED_URL"'",
"source_keys_url": "'"$TOKENS_S3_PRESIGNED_URL"'",
"path_values_map":{},
"vault_version": "1.14.6"
}'
UPDATED_JSON=$(echo $BASE_JSON | jq --arg path "secret/$FIRST_SECRET" --argjson kv "$KEY_VALUES" '.path_values_map[$path] = $kv')
echo "Validating Backup now....."
curl glueops-backup-and-exports.glueops-core-backup.svc.cluster.local:8080/api/v1/validate --fail-with-body -X POST -d "${UPDATED_JSON}"