Created
September 24, 2020 14:29
vault-raft-snapshot.sh
# 2020-06-23
# This walkthrough creates a Vault instance running integrated storage (raft),
# adds a KV secret and takes a snapshot,
# then deletes the raft DB files to simulate a storage failure.
# It then starts a new Vault instance, restores the snapshot, unseals and
# authenticates with the original keys, and reads some data back to show how
# backup/restore works.
#
# Lines starting with "$ " are commands typed at a prompt; this is a transcript,
# not a script to run as-is.
#
# The config written below is a single-node, loopback-only demo:
#   - tls_disable = true means tokens and secrets travel over plain HTTP. That is
#     tolerable here only because the listener is bound to 127.0.0.1; a listener
#     reachable from other hosts needs tls_cert_file / tls_key_file instead.
#   - disable_mlock = true allows Vault's memory to be swapped to disk, so the
#     host should have swap disabled or encrypted.
cat << EOF > ./vault_raft.hcl | |
ui=true | |
disable_mlock = true | |
storage "raft" { | |
path = "/opt/vault/" | |
node_id = "raft_01" | |
} | |
listener "tcp" { | |
address = "127.0.0.1:8200" | |
tls_disable = true | |
} | |
cluster_addr = "http://127.0.0.1:8201" | |
api_addr = "http://127.0.0.1:8200" | |
EOF | |
# Start Vault with integrated storage (raft) using vault_raft.hcl.
# The CLI targets https://127.0.0.1:8200 by default; because this config turns
# TLS off, set VAULT_ADDR=http://127.0.0.1:8200 in the client shell before the
# commands that follow.
$ vault server -config=vault_raft.hcl | |
# One key share with a threshold of one puts the whole unseal key in a single
# value. That keeps the demo short but gives up the split-knowledge protection
# of multiple shares.
$ vault operator init -key-shares=1 -key-threshold=1 | |
# Details of the instance the snapshot is taken from. These are throwaway demo
# values; a real unseal key or root token should not be kept in notes like this.
# Unseal Key 1: sxYcm0n9CAg2QKzdAyEyJuGlzQj+8OPanmOABsCxTwc=
# Initial Root Token: s.f5Jv7son8PMGqBUI6R1ZqR2V
# Passing the key or token as an argument leaves it in shell history and in the
# process list. Running `vault operator unseal` or `vault login` with no
# argument prompts for the value instead.
$ vault operator unseal sxYcm0n9CAg2QKzdAyEyJuGlzQj+8OPanmOABsCxTwc= | |
$ vault login s.f5Jv7son8PMGqBUI6R1ZqR2V | |
# Mount a KV version 2 engine at kvDemo/ and write one test secret to it.
# The same history concern applies to password=...; `vault kv put` can also read
# a value from stdin (key=-) or from a file (@file).
$ vault secrets enable -path=kvDemo -version=2 kv | |
$ vault kv put /kvDemo/legacy_app_creds_01 username=legacyUser password=supersecret | |
# Take the snapshot; this should be done pointing at the active node.
# Otherwise you get a 0-byte snapshot, as standby nodes will not forward this
# request (though this might be fixed in later versions). Check that raft01.snap
# is non-empty before relying on it.
# The snapshot carries the whole cluster's data. It is still encrypted by Vault,
# but anyone holding both the file and the unseal key can read every secret, so
# restrict its permissions and store it apart from the unseal keys.
$ vault operator raft snapshot save raft01.snap | |
# Stop the Vault server, then remove the raft DB files.
# /opt/vault/ is the storage path set in vault_raft.hcl. raft01.snap was saved
# relative to the current directory, so confirm it does not live under
# /opt/vault before running this.
$ rm -rf /opt/vault/* | |
# Restart Vault with the same config (the raft data folder is now empty).
# NOTE(review): the init / unseal / login of this fresh instance is not shown.
# Presumably it was done with the values below, since the restore command needs
# an unsealed instance and a valid token.
# New instance details; they are only needed until the restore completes and are
# replaced by the original cluster's keys afterwards:
# Unseal Key 1: NxgdYN6W0mhamxMPfiNnOQipgAENU+eRwlPJHE6xR0Y=
# Initial Root Token: s.c75QL4pb4oPa2FVnF263Wofb
# Restore the snapshot. -force skips the check that the running instance's
# unseal keys match the snapshot, which is required here because the snapshot
# comes from the earlier instance.
$ vault operator raft snapshot restore -force raft01.snap | |
# Unseal and log in with the ORIGINAL cluster's key and root token: after the
# restore the instance holds the original cluster's data.
# The original root token still working shows it was never revoked. Outside a
# demo, revoke the root token after setup and mint a new one with
# `vault operator generate-root` when it is needed.
$ vault operator unseal sxYcm0n9CAg2QKzdAyEyJuGlzQj+8OPanmOABsCxTwc= | |
$ vault login s.f5Jv7son8PMGqBUI6R1ZqR2V | |
# Read the secret written before the snapshot to confirm the restore worked.
# The output below has its metadata section abbreviated.
$ vault kv get /kvDemo/legacy_app_creds_01 | |
...====== Metadata ======... | |
====== Data ====== | |
Key Value | |
--- ----- | |
password supersecret | |
username legacyUser |