I followed the guide Vault data backup standard procedure | Vault | HashiCorp Developer, but it needs to be done manually. Hence I moved on to creating a cronjob myself.
I added a cronjob to K8s which looks like this:
apiVersion: v1
kind: ServiceAccount
metadata:
  name: vault-backup-user
  # must live in the namespace the Vault role below is bound to
  namespace: vault-server
---
apiVersion: batch/v1
kind: CronJob
metadata:
  name: vault-snapshot-cronjob
  namespace: vault-server
spec:
  schedule: "@every 12h"
  jobTemplate:
    spec:
      template:
        spec:
          serviceAccountName: vault-backup-user
          volumes:
            - name: share
              emptyDir: {}
            - name: devops-host-path
              hostPath:
                path: /netapp/dc_files/devops/
          containers:
            - name: snapshot
              image: vault:1.13.3
              imagePullPolicy: IfNotPresent
              command:
                - /bin/sh
              args:
                - -ec
                - |
                  # exchange the pod's service-account JWT for a Vault token via the "snapshots" role
                  export VAULT_TOKEN="$(vault write -field=token auth/kubernetes/login \
                    role=snapshots jwt=@/var/run/secrets/kubernetes.io/serviceaccount/token)"
                  # save under a temporary name and rename, so the upload container never copies a partial file
                  vault operator raft snapshot save /share/vault-raft.snap.tmp
                  mv /share/vault-raft.snap.tmp /share/vault-raft.snap
              env:
                - name: VAULT_ADDR
                  value: http://vault-server.vault-server.svc.cluster.local:8200
              volumeMounts:
                - mountPath: /share
                  name: share
            - name: upload
              image: ubuntu
              imagePullPolicy: IfNotPresent
              command:
                - /bin/sh
              args:
                - -ec
                - |
                  # wait for the finished snapshot, then copy it to the host path with a timestamp
                  until [ -f /share/vault-raft.snap ]; do sleep 5; done
                  cp /share/vault-raft.snap /remote/vault_raft_$(date +"%Y%m%d_%H%M%S").snap
              volumeMounts:
                - mountPath: /share
                  name: share
                - mountPath: /remote
                  name: devops-host-path
          restartPolicy: OnFailure
and provided access to this service account using this command:
vault write auth/kubernetes/role/snapshots \
bound_service_account_names=vault-backup-user \
bound_service_account_namespaces=vault-server \
policies=snapshot \
ttl=1h
To support this, I prepared a policy named snapshot, which includes:
path "sys/storage/raft/snapshot" {
  capabilities = ["read"]
}
but the vault pod prints this error:
Error taking the snapshot: incomplete snapshot, unable to read SHA256SUMS.sealed file
What is wrong? From the UI I can download the last snapshot just fine.
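One way to check the saved archive itself before publishing it, as an added example that is not part of the original post: a raft snapshot is a gzipped tar whose last member is SHA256SUMS.sealed, and the "incomplete snapshot" message is the CLI failing to find that member. The script below logs in with the Kubernetes auth role from the post (assumed mounted at auth/kubernetes with role name "snapshots"), saves to a temporary name, verifies the archive, and only then renames it. The login and save functions need a reachable Vault and are not run here; the verification is exercised against two constructed stand-in archives, which are not real Vault snapshots.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the Kubernetes auth method
# is mounted at auth/kubernetes and the role is "snapshots", as in the post;
# vault_k8s_login and take_snapshot need a reachable Vault and are not run here.
set -eu

# Exchange the pod's projected service-account JWT for a Vault token and export
# it, so the snapshot call is made with the "snapshot" policy attached.
vault_k8s_login() {
  role="$1"
  jwt_file="${2:-/var/run/secrets/kubernetes.io/serviceaccount/token}"
  VAULT_TOKEN="$(vault write -field=token auth/kubernetes/login role="$role" jwt="@$jwt_file")"
  export VAULT_TOKEN
}

# A raft snapshot is a gzipped tar; a complete one contains SHA256SUMS.sealed.
# Returns 0 when that member is present, 1 for a truncated or otherwise
# incomplete archive (the condition the CLI reports as "incomplete snapshot").
snapshot_is_complete() {
  tar -tzf "$1" 2>/dev/null | grep -qx -e 'SHA256SUMS.sealed' -e './SHA256SUMS.sealed'
}

# Save to a temporary name, verify, then rename atomically, so a consumer
# polling for the final name never picks up a half-written or bad file.
take_snapshot() {
  out="$1"
  tmp="$out.partial"
  vault operator raft snapshot save "$tmp"
  if ! snapshot_is_complete "$tmp"; then
    rm -f "$tmp"
    echo "refusing to publish $out: archive lacks SHA256SUMS.sealed" >&2
    return 1
  fi
  mv "$tmp" "$out"
}

# Constructed stand-in archives for an offline run (not real Vault snapshots):
# a "complete" one with all four members and a "truncated" one missing the
# sealed checksum file, which is what a cut-off download looks like.
make_fake_snapshot() {
  out="$1"; kind="$2"
  d="$(mktemp -d)"
  printf '{"Version":1}' > "$d/meta.json"
  printf 'raft state' > "$d/state.bin"
  printf 'checksums' > "$d/SHA256SUMS"
  members="meta.json state.bin SHA256SUMS"
  if [ "$kind" = complete ]; then
    printf 'sealed checksums' > "$d/SHA256SUMS.sealed"
    members="$members SHA256SUMS.sealed"
  fi
  tar -czf "$out" -C "$d" $members
  rm -rf "$d"
}

demo_dir="$(mktemp -d)"
make_fake_snapshot "$demo_dir/complete.snap" complete
make_fake_snapshot "$demo_dir/truncated.snap" truncated
for f in "$demo_dir/complete.snap" "$demo_dir/truncated.snap"; do
  if snapshot_is_complete "$f"; then
    echo "$f: complete"
  else
    echo "$f: INCOMPLETE, do not upload"
  fi
done
```

In the CronJob, the snapshot container would call vault_k8s_login snapshots followed by take_snapshot /share/vault-raft.snap, and the upload container keeps polling for the final name, which only appears once the archive has passed the check.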