Merge pull request #13 from adfinis/feat/add/k8s-cronjob

feat(kubernetes): example cronjob & container image creation

kubernetes/Dockerfile

@@ -0,0 +1,12 @@
+FROM alpine
+
+ARG VAULT_VERSION=1.13.2
+
+COPY entrypoint.sh /
+
+RUN wget https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip && \
+    unzip vault_${VAULT_VERSION}_linux_amd64.zip && \ 
+    mv vault /usr/local/bin && rm  vault*zip  && \
+    apk add s3cmd && chmod +x entrypoint.sh
+
+CMD ["/vault-snapshot.sh"]

kubernetes/README.md

@@ -0,0 +1,19 @@
+# Cronjob for snapshotting Vault running on Kubernetes
+
+This assumes the Kubernetes authentication backend is configured in Vault.
+
+The script being executed in this cronjob, is authenticating with Vault using the Kubernetes authentication backend, via its serviceaccount JWT.
+
+The role and policy being used must be created before hand and must be used by the cronjob.
+
+After the snapshot is created in a temporary directory, `s3cmd` is used to sync it to a s3 endpoint.
+
+## Configuration over environment variables
+
+* `VAULT_ADDR`  - Vault address to access
+* `VAULT_ROLE` - Vault role to use to create the snapshot
+* `S3_URI` - S3 URI to use to upload (s3://xxx)
+* `S3_BUCKET` - S3 bucket to point to
+* `S3_HOST` - S3 endpoint
+* `AWS_ACCESS_KEY_ID` - Access key to use to access S3
+* `AWS_SECRET_ACCESS_KEY` - Secret access key to use to access S3

kubernetes/cronjob.yaml

@@ -0,0 +1,55 @@
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  labels:
+    app.kubernetes.io/name: vault-snapshot
+    app.kubernetes.io/version: v0.1.0
+  name: vault-snapshot
+spec:
+  jobTemplate:
+    schedule: 0 4 * * *
+    metadata:
+      labels:
+        app.kubernetes.io/name: vault-snapshot
+        app.kubernetes.io/version: v0.1.0
+    spec:
+      template:
+        metadata:
+          labels:
+            app.kubernetes.io/name: vault-snapshot
+            app.kubernetes.io/version: v0.1.0
+        spec:
+          automountServiceAccountToken: true
+          serviceAccountName: vault-raft-snapshot
+          containers:
+          - name: vault-snapshot
+            env:
+            - name: S3_HOST
+              value: s3.example.com
+            - name: S3_BUCKET
+              value: bucketname
+            - name: S3_URI
+              value: s3://bucketname
+            - name: VAULT_ROLE
+              value: vault-snapshot
+            - name: VAULT_ADDR
+              value: https://vault.example.com
+            - name: AWS_SECRET_ACCESS_KEY
+              valueFrom:
+                secretKeyRef:
+                  key: aws_secret_access_key
+                  name: vault-snapshot-credentials
+            - name: AWS_ACCESS_KEY_ID
+              valueFrom:
+                secretKeyRef:
+                  key: aws_access_key_id
+                  name: vault-snapshot-credentials
+              image: ghcr.io/adfinis/vault-snapshot:0.1.-0
+            volumeMounts:
+              - name: snapshot-dir
+                mountPath: /vault-snaphots
+            imagePullPolicy: IfNotPresent
+          volumes:
+          - name: snapshot-dir
+            emptyDir: {}

kubernetes/serviceaccount.yaml

@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault-raft-snapshot

kubernetes/vault-snapshot.sh

@@ -0,0 +1,15 @@
+#!/usr/bin/env sh
+
+# authenticate using kubernetes auth
+export JWT=$(cat /var/run/secrets/kubernetes/io/serviceaccount/token)
+export VAULT_TOKEN=$(vault write -field=token  auth/kubernetes/login role=$VAULT_ROLE jwt=$JWT)
+
+# use the leader node as VAULT_ADDR
+export VAULT_ADDR=$(vault status -format=yaml | egrep -o '^leader_addr.*' | awk '{print $2}')
+
+# create snapshot
+
+vault operator raft snapshot save /vault-snapshots/vault_$(date +%F-%H%M).snapshot
+
+# upload to s3
+s3cmd put /vault-snapshots/* $S3_URI --host=$S3_HOST --host-bucket=$S3_BUCKET