Vault
Set up a Vault backup Kubernetes CronJob
Configure backup auth
- Enable the Kubernetes auth method in the UI
- Configure the Kubernetes auth method
# Meant to be run from inside a pod: it reads the mounted ServiceAccount token
# and the in-cluster API server address that Kubernetes injects as an env var.
# NOTE(review): the SA token captured here is stored in Vault's auth config as
# a long-lived reviewer credential; newer Vault versions running in-cluster can
# reportedly use their own mounted SA token instead of this parameter — confirm
# for the 1.14.x image used below before relying on either behaviour.
TOKEN_REVIEWER_JWT=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
# Point the Kubernetes auth method at the API server; the CA bundle is read
# from the SA mount (`@file` syntax) so the connection is verified over TLS.
vault write auth/kubernetes/config \
token_reviewer_jwt="${TOKEN_REVIEWER_JWT}" \
kubernetes_host="https://${KUBERNETES_PORT_443_TCP_ADDR}:443" \
kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
- Add the backup policy in the UI
# Least-privilege policy for the backup job: read access to the raft snapshot
# endpoint only, which is the path `vault operator raft snapshot save` fetches.
# Nothing else in Vault is reachable with a token that carries only this policy.
path "sys/storage/raft/snapshot" {
capabilities = ["read"]
}
- Create the backup Kubernetes role
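# Role `backup`: only the `vault` ServiceAccount in the `vault` namespace may
# log in through it, and the token it issues carries the `backup` policy for
# up to 120 minutes.
# The original was collapsed onto one line, which turns each `\ ` into an
# escaped space and breaks the argument list; restored as a continued command.
# NOTE(review): this binds to the SA named `vault`, presumably the same SA the
# Vault server pods run as — a dedicated backup SA would keep the snapshot role
# off the server's identity, and a token_ttl closer to the job's actual runtime
# would shrink the exposure window. Verify against the CronJob before changing.
vault write auth/kubernetes/role/backup \
  bound_service_account_names=vault \
  bound_service_account_namespaces=vault \
  token_ttl=120m \
  policies=backup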
Create the backup CronJob
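# CronJob that snapshots Vault's integrated (raft) storage every two hours and
# copies the snapshot to S3. The pod runs as the `vault` ServiceAccount so the
# init container can log in through the Kubernetes auth method (role `backup`).
apiVersion: batch/v1
kind: CronJob
metadata:
  name: vault-backup
  namespace: vault
spec:
  schedule: "0 */2 * * *"
  # Do not start a new backup while a previous run is still in progress.
  concurrencyPolicy: Forbid
  successfulJobsHistoryLimit: 1
  failedJobsHistoryLimit: 3
  jobTemplate:
    spec:
      template:
        spec:
          serviceAccountName: vault
          volumes:
            # Scratch space handed from the snapshot container to the uploader.
            - name: share
              emptyDir: {}
            # NOTE(review): this mounts the Vault server's own TLS secret and the
            # init container presents its key as a client certificate; a
            # dedicated client cert for the backup job would keep the server
            # key out of this pod — confirm whether the listener even requires
            # client certificates.
            - name: vault-server-tls
              secret:
                secretName: vault-server-tls
          initContainers:
            # Init container that creates the snapshot of Vault.
            - name: vault-snapshot
              image: hashicorp/vault:1.14.1
              command: ["/bin/sh", "-c"]
              args:
                # 1. Log in to Vault with the pod's ServiceAccount token. The CLI
                #    reads the token straight from the mounted file (`@path`), so
                #    it never passes through a shell variable or the argv of a
                #    child process.
                # 2. Store a snapshot in the shared volume.
                # `set -e` aborts the container when the login fails instead of
                # attempting the snapshot with an empty VAULT_TOKEN; the plain
                # assignment (not `export X=$(...)`) keeps the login's exit status
                # visible to `set -e`.
                - |
                  set -e
                  VAULT_TOKEN=$(vault write -field=token auth/kubernetes/login role=backup jwt=@/var/run/secrets/kubernetes.io/serviceaccount/token)
                  export VAULT_TOKEN
                  vault operator raft snapshot save /share/vault.snap
              env:
                - name: VAULT_ADDR
                  value: https://vault.vault.svc.cluster.local:8200
                - name: VAULT_CLIENT_CERT
                  value: /etc/vault-ssl/vault.crt
                - name: VAULT_CLIENT_KEY
                  value: /etc/vault-ssl/vault.key
                - name: VAULT_CACERT
                  value: /etc/vault-ssl/ca.crt
              volumeMounts:
                - mountPath: /share
                  name: share
                - mountPath: /etc/vault-ssl/
                  name: vault-server-tls
          containers:
            # Upload the snapshot to S3 under a timestamped object name.
            # NOTE(review): no AWS credentials are configured in this manifest,
            # so the container must obtain them from its environment (e.g. IRSA
            # or an instance role); `my-backup-bucket` is a placeholder — confirm
            # both before deploying.
            - name: aws-s3-backup
              image: amazon/aws-cli:2.2.14
              command:
                - /bin/sh
              args:
                - -ec
                - aws s3 cp /share/vault.snap s3://my-backup-bucket/vault/vault_$(date +"%Y%m%d_%H%M%S").snap;
              volumeMounts:
                - mountPath: /share
                  name: share
          restartPolicy: OnFailure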