You are looking at the documentation of a prior release. To read the documentation of the latest release, please
visit here.
Vault Backup Restore Overview
Vault provides a set of standard operating procedures (SOP) for backing up a Vault cluster. It protects your Vault cluster
against data corruption or sabotage of which Disaster Recovery Replication might not be able to protect against.
KubeVault supports number of different Storage Backend types. Therefore, the exact steps to backup Vault will depend on your
selected storage backend. The two recommended storage backend types are Consul and Integrated Storage
(also known as Raft).
KubeVault currently supports Backup & Restore for Raft storage backend. So, this document assumes that Raft storage backend is being used.
Backup & Restore process for Raft
Your VaultServer must be in Ready state for Backup & Restore process to work. This will take the snapshot
using a consistent mode that forwards the request to the cluster leader, and the leader will verify it is still
in power before taking the snapshot.
A simple VaultServer YAML with Raft storage backend may look like this:
apiVersion: kubevault.com/v1alpha2
kind: VaultServer
metadata:
  name: vault
  namespace: demo
spec:
  version: 1.10.3
  replicas: 3
  allowedSecretEngines:
    namespaces:
      from: All
  backend:
    raft:
      storage:
        storageClassName: "standard"
        resources:
          requests:
            storage: 1Gi
  unsealer:
    secretShares: 5
    secretThreshold: 3
    mode:
      kubernetesSecret:
        secretName: vault-keys
  terminationPolicy: WipeOut
Let’s take a look at some relevant fields:
spec.backend contains the Backend storage information, Raft in this case:
backend:
  raft:
    storage:
      resources:
        requests:
          storage: 1Gi
      storageClassName: standard
spec.unsealer contains VaultServer unsealing option. In this case which is Kubernetes Secret. So, on Vault deployment
a Secret will be created on the same namespace, which will create the Vault unseal-keys & root-token.
unsealer:
    secretShares: 5
    secretThreshold: 3
    mode:
      kubernetesSecret:
        secretName: vault-keys
KubeVault operator will create an AppBinding with all the necessary information for backup & restore.
AppBinding has the information about the Unsealer option of the VaultServer. During the Backup,
Vault unseal-keys & root-token will also be backed-up for the completeness of the Backup process.
KubeVault created AppBinding YAML may look like this:
apiVersion: appcatalog.appscode.com/v1alpha1
kind: AppBinding
metadata:
  name: vault
  namespace: demo
spec:
  appRef:
    apiGroup: kubevault.com
    kind: VaultServer
    name: vault
    namespace: demo
  clientConfig:
    service:
      name: vault
      port: 8200
      scheme: http
  parameters:
    apiVersion: config.kubevault.com/v1alpha1
    backend: raft
    backupTokenSecretRef:
      name: vault-backup-token
    kind: VaultServerConfiguration
    kubernetes:
      serviceAccountName: vault
      tokenReviewerServiceAccountName: vault-k8s-token-reviewer
      usePodServiceAccountForCSIDriver: true
    path: kubernetes
    stash:
      addon:
        backupTask:
          name: vault-backup-1.10.3
          params:
            - name: keyPrefix
              value: k8s.kubevault.com.demo.vault
        restoreTask:
          name: vault-restore-1.10.3
          params:
            - name: keyPrefix
              value: k8s.kubevault.com.demo.vault
    unsealer:
      mode:
        kubernetesSecret:
          secretName: vault-keys
      secretShares: 5
      secretThreshold: 3
    vaultRole: vault-policy-controller
Read more about AppBinding here.
Here:
- spec.parameters.stashsection contains the stash parameters for Backup & Restore tasks.
- spec.parameters.stash.addoncontains the information about the- Taskfor backup & restore. It also contains the- paramswhich indicates the- keyPrefixthat is prepended with the name of vault- unseal-keys&- root-token, e.g.- k8s.kubevault.com.demo.vault-root-token,- k8s.kubevault.com.demo.vault-root-token-unseal-key-0,- k8s.kubevault.com.demo.vault-root-token-unseal-key-1, etc.
stash:
  addon:
    backupTask:
      name: vault-backup-1.10.3
      params:
      - name: keyPrefix
        value: k8s.kubevault.com.demo.vault
    restoreTask:
      name: vault-restore-1.10.3
      params:
      - name: keyPrefix
        value: k8s.kubevault.com.demo.vault
KubeVault operator will create a K8s Secret containing a token during the Vault deployment, which contains the necessary permission
for the Backup & Restore process. This information is available in the AppBinding created by the operator. AppBinding
spec.parameters.backupTokenSecretRef contains the reference of that secret.
spec:
  parameters:
    backupTokenSecretRef:
      name: vault-backup-token
A sample policy document / permission may look like this:
path "sys/storage/raft/snapshot" {
        capabilities = ["read"]
}
path "sys/storage/raft/snapshot-force" {
        capabilities = ["read"]
}
If your Vault deployment isn’t managed by KubeVault, then you’ll need to create the AppBinding & Secret containing
the permissions required for backup & restore separately.
Up next:











