petems · September 24, 2020 14:29
diff --git a/vault-raft-snapshot.sh b/vault-raft-snapshot.sh
 # 2020-06-23 
 # this shows creating a Vault instance running integrated storage/raft, 
 # then adding a KV and taking a snapshot
 # then kill the raft DB files to simulate a storage failure
 # repeat new Vault instance, restore snapshot, unseal and auth with orig keys
 # and read some data to show how backup/restore works

 cat << EOF > ./vault_raft.hcl
 ui=true
 disable_mlock = true
 storage "raft" {
 path = "/opt/vault/"
 node_id = "raft_01"
 }
 listener "tcp" {
 address = "127.0.0.1:8200"
 tls_disable = true
 }
 cluster_addr = "http://127.0.0.1:8201"
 api_addr = "http://127.0.0.1:8200"
 EOF

 # startup integrated storage/raft vault
 $ vault server -config=vault_raft.hcl
 $ vault operator init -key-shares=1 -key-threshold=1

 # Snapshot details: 
 # Unseal Key 1: sxYcm0n9CAg2QKzdAyEyJuGlzQj+8OPanmOABsCxTwc=
 # Initial Root Token: s.f5Jv7son8PMGqBUI6R1ZqR2V

 $ vault operator unseal sxYcm0n9CAg2QKzdAyEyJuGlzQj+8OPanmOABsCxTwc=
 $ vault login s.f5Jv7son8PMGqBUI6R1ZqR2V

 $ vault secrets enable -path=kvDemo -version=2 kv
 $ vault kv put /kvDemo/legacy_app_creds_01 username=legacyUser password=supersecret

 # Take snapshot, this should be done pointing to the active node
 # Will get a 0-byte snapshot if not, as standby nodes will not forward this request (though this might be fixed in later ver)
 $ vault operator raft snapshot save raft01.snap

 # Kill cluster, rm DB files
 $ rm -rf /opt/vault/*
 # restart Vault with same config (but empty raft data folder now)

 # New instance details, we don't need these:
 # Unseal Key 1: NxgdYN6W0mhamxMPfiNnOQipgAENU+eRwlPJHE6xR0Y=
 # Initial Root Token: s.c75QL4pb4oPa2FVnF263Wofb

 # restore snapshot
 $ vault operator raft snapshot restore -force raft01.snap

 # unseal with original cluster keys
 $ vault operator unseal sxYcm0n9CAg2QKzdAyEyJuGlzQj+8OPanmOABsCxTwc=
 $ vault login s.f5Jv7son8PMGqBUI6R1ZqR2V

 $ vault kv get /kvDemo/legacy_app_creds_01
 ...====== Metadata ======...
 ====== Data ======
 Key         Value
 ---         -----
 password    supersecret
 username    legacyUser
	# 2020-06-23
	# this shows creating a Vault instance running integrated storage/raft,
	# then adding a KV and taking a snapshot
	# then kill the raft DB files to simulate a storage failure
	# repeat new Vault instance, restore snapshot, unseal and auth with orig keys
	# and read some data to show how backup/restore works

	cat << EOF > ./vault_raft.hcl
	ui=true
	disable_mlock = true
	storage "raft" {
	path = "/opt/vault/"
	node_id = "raft_01"
	}
	listener "tcp" {
	address = "127.0.0.1:8200"
	tls_disable = true
	}
	cluster_addr = "http://127.0.0.1:8201"
	api_addr = "http://127.0.0.1:8200"
	EOF

	# startup integrated storage/raft vault
	$ vault server -config=vault_raft.hcl
	$ vault operator init -key-shares=1 -key-threshold=1

	# Snapshot details:
	# Unseal Key 1: sxYcm0n9CAg2QKzdAyEyJuGlzQj+8OPanmOABsCxTwc=
	# Initial Root Token: s.f5Jv7son8PMGqBUI6R1ZqR2V

	$ vault operator unseal sxYcm0n9CAg2QKzdAyEyJuGlzQj+8OPanmOABsCxTwc=
	$ vault login s.f5Jv7son8PMGqBUI6R1ZqR2V

	$ vault secrets enable -path=kvDemo -version=2 kv
	$ vault kv put /kvDemo/legacy_app_creds_01 username=legacyUser password=supersecret

	# Take snapshot, this should be done pointing to the active node
	# Will get a 0-byte snapshot if not, as standby nodes will not forward this request (though this might be fixed in later ver)
	$ vault operator raft snapshot save raft01.snap

	# Kill cluster, rm DB files
	$ rm -rf /opt/vault/*
	# restart Vault with same config (but empty raft data folder now)

	# New instance details, we don't need these:
	# Unseal Key 1: NxgdYN6W0mhamxMPfiNnOQipgAENU+eRwlPJHE6xR0Y=
	# Initial Root Token: s.c75QL4pb4oPa2FVnF263Wofb

	# restore snapshot
	$ vault operator raft snapshot restore -force raft01.snap

	# unseal with original cluster keys
	$ vault operator unseal sxYcm0n9CAg2QKzdAyEyJuGlzQj+8OPanmOABsCxTwc=
	$ vault login s.f5Jv7son8PMGqBUI6R1ZqR2V

	$ vault kv get /kvDemo/legacy_app_creds_01
	...====== Metadata ======...
	====== Data ======
	Key Value
	--- -----
	password supersecret
	username legacyUser