@mikegreen
Last active May 21, 2024 22:22
Vault raft snapshot backup and restore quick demo
# 2020-06-23
# this shows creating a Vault instance running integrated storage/raft,
# then adding a KV and taking a snapshot
# then kill the raft DB files to simulate a storage failure
# repeat new Vault instance, restore snapshot, unseal and auth with orig keys
# and read some data to show how backup/restore works
# not meant to be a live script to run!
# this uses the vault_config.hcl from https://gist.github.com/mikegreen/c2df5eea2283f0dbc5f3a5d3650536fd (saved locally as vault_raft.hcl below)
# startup integrated storage/raft vault
$ vault server -config=vault_raft.hcl
$ vault operator init -key-shares=1 -key-threshold=1
# Init output (keep these: the restored snapshot can only be unsealed with this key):
# Unseal Key 1: sxYcm0n9CAg2QKzdAyEyJuGlzQj+8OPanmOABsCxTwc=
# Initial Root Token: s.f5Jv7son8PMGqBUI6R1ZqR2V
$ vault operator unseal sxYcm0n9CAg2QKzdAyEyJuGlzQj+8OPanmOABsCxTwc=
$ vault login s.f5Jv7son8PMGqBUI6R1ZqR2V
$ vault secrets enable -path=kvDemo -version=2 kv
$ vault kv put /kvDemo/legacy_app_creds_01 username=legacyUser password=supersecret
# Take the snapshot against the active node (check with `vault status`: sealed false, standby false).
# Sent to a standby you get a 0-byte snapshot instead of an error, as standby nodes will not forward this request (though this might be fixed in later versions)
$ vault operator raft snapshot save raft01.snap
# Simulate a storage failure: stop Vault, then rm the raft data (the path configured in vault_raft.hcl; /opt/vault in this demo)
$ rm -rf /opt/vault/*
# Restart Vault with the same config (but empty raft data folder now) and init it.
# The restore API needs an unsealed node and a token, so the new keys are used once and then discarded:
$ vault server -config=vault_raft.hcl
$ vault operator init -key-shares=1 -key-threshold=1
# New instance details, we don't need these after the restore:
# Unseal Key 1: NxgdYN6W0mhamxMPfiNnOQipgAENU+eRwlPJHE6xR0Y=
# Initial Root Token: s.c75QL4pb4oPa2FVnF263Wofb
$ vault operator unseal NxgdYN6W0mhamxMPfiNnOQipgAENU+eRwlPJHE6xR0Y=
$ vault login s.c75QL4pb4oPa2FVnF263Wofb
# Restore the snapshot. -force is required because it comes from a different cluster
# (different cluster ID and unseal keys); Vault seals itself once the restore completes
$ vault operator raft snapshot restore -force raft01.snap
# unseal with original cluster keys
$ vault operator unseal sxYcm0n9CAg2QKzdAyEyJuGlzQj+8OPanmOABsCxTwc=
$ vault login s.f5Jv7son8PMGqBUI6R1ZqR2V
$ vault kv get /kvDemo/legacy_app_creds_01
====== Metadata ======
... (version, created_time, etc. elided)
====== Data ======
Key         Value
---         -----
password    supersecret
username    legacyUser
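The two checks the demo above relies on by hand (is this the active node? is the snapshot file actually non-empty?) are easy to automate. The script below is an added example, not part of the gist or of Vault itself: it picks the active node from a list of addresses using `vault status -format=json`, saves the snapshot there, and refuses to report success unless the file is a non-empty gzip'd tar holding `meta.json` and `state.bin` (the archive layout of hashicorp/raft-snapshot, which is an assumption of this example, as are the `raft_backup.sh` name and the node addresses you pass in). It assumes the `vault` CLI is on PATH and `VAULT_TOKEN` holds a token allowed to call the snapshot endpoints.

```shell
#!/bin/sh
# Added example (not from the gist): snapshot Vault's integrated storage from the
# active node and sanity-check the result before trusting it as a backup.
# Assumes the `vault` CLI is on PATH and VAULT_TOKEN carries a token allowed to
# call sys/storage/raft/snapshot. Node addresses are passed as arguments.
set -eu

# 0 if `vault status -format=json` output describes an unsealed, non-standby
# node. grep on the two fields so no jq is needed.
vault_is_active() {
  status_json="$1"
  printf '%s\n' "$status_json" | grep -Eq '"sealed"[[:space:]]*:[[:space:]]*false' || return 1
  printf '%s\n' "$status_json" | grep -Eq '"standby"[[:space:]]*:[[:space:]]*false' || return 1
  return 0
}

# 0 if the file looks like a raft snapshot: non-empty and a gzip'd tar holding
# meta.json and state.bin (the layout written by hashicorp/raft-snapshot; an
# assumption of this example). A 0-byte file, which is what a standby node used
# to hand back, fails the first test.
snapshot_looks_valid() {
  snap="$1"
  [ -s "$snap" ] || return 1
  listing=$(tar -tzf "$snap" 2>/dev/null) || return 1
  printf '%s\n' "$listing" | grep -Eq '(^|/)meta\.json$' || return 1
  printf '%s\n' "$listing" | grep -Eq '(^|/)state\.bin$' || return 1
  return 0
}

# Print the first address in $@ whose status says active; return 1 if none does.
# `vault status` exits non-zero on a sealed node, so that failure is swallowed
# and left to vault_is_active to interpret.
find_active_node() {
  for addr in "$@"; do
    status=$(VAULT_ADDR="$addr" vault status -format=json 2>/dev/null) || status=''
    if vault_is_active "$status"; then
      printf '%s\n' "$addr"
      return 0
    fi
  done
  return 1
}

# take_snapshot OUT ADDR... : save a snapshot from the active node into OUT and
# only report success when the file passes snapshot_looks_valid.
take_snapshot() {
  out="$1"; shift
  active=$(find_active_node "$@") || { echo "no active node among: $*" >&2; return 1; }
  VAULT_ADDR="$active" vault operator raft snapshot save "$out"
  snapshot_looks_valid "$out" || { echo "$out is empty or not a raft archive" >&2; return 1; }
  echo "snapshot of $active written to $out ($(wc -c <"$out") bytes)"
}

# restore_snapshot SNAP ADDR : restore into an initialized, unsealed node. -force
# is needed when the snapshot came from another cluster; afterwards Vault seals
# itself and must be unsealed with the keys of the cluster the snapshot came from.
restore_snapshot() {
  snap="$1"; addr="$2"
  snapshot_looks_valid "$snap" || { echo "$snap is not a valid snapshot" >&2; return 1; }
  VAULT_ADDR="$addr" vault operator raft snapshot restore -force "$snap"
  echo "restored $snap into $addr; unseal it with the ORIGINAL cluster's unseal keys"
}

# Usage: sh raft_backup.sh save OUT ADDR...   |   sh raft_backup.sh restore SNAP ADDR
if [ "$#" -ge 3 ]; then
  case "$1" in
    save)    shift; take_snapshot "$@" ;;
    restore) restore_snapshot "$2" "$3" ;;
    *)       echo "unknown command: $1" >&2; exit 2 ;;
  esac
fi
```

Run as `sh raft_backup.sh save raft01.snap http://127.0.0.1:8200 http://10.0.0.2:8200` to take the backup, and `sh raft_backup.sh restore raft01.snap http://127.0.0.1:8200` after the new node has been initialized and unsealed with its throwaway keys; the validation step is what turns the silent 0-byte snapshot from a standby into a failed backup job instead of a surprise at restore time.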
@stand-sure

a comment to help the next person

ALSO

After the restore, copy the vault-unseal-keys from the old environment to the new -- the manual unseal process only succeeds on the first key and fails on the rest.
