@petems
Created September 24, 2020 14:29
vault-raft-snapshot.sh
# 2020-06-23
# This shows creating a Vault instance running integrated storage (raft),
# then adding a KV secret and taking a snapshot,
# then deleting the raft DB files to simulate a storage failure,
# then starting a fresh Vault instance, restoring the snapshot, unsealing and
# authenticating with the ORIGINAL keys, and reading the data back to show
# how backup/restore works.
cat << EOF > ./vault_raft.hcl
ui = true
disable_mlock = true
storage "raft" {
  path    = "/opt/vault/"
  node_id = "raft_01"
}
listener "tcp" {
  address     = "127.0.0.1:8200"
  tls_disable = true
}
cluster_addr = "http://127.0.0.1:8201"
api_addr = "http://127.0.0.1:8200"
EOF
# Start the integrated storage/raft Vault (runs in the foreground; run the remaining commands from a second terminal)
$ vault server -config=vault_raft.hcl
$ vault operator init -key-shares=1 -key-threshold=1
# Init output (keep these, they are needed again after the restore):
# Unseal Key 1: sxYcm0n9CAg2QKzdAyEyJuGlzQj+8OPanmOABsCxTwc=
# Initial Root Token: s.f5Jv7son8PMGqBUI6R1ZqR2V
$ vault operator unseal sxYcm0n9CAg2QKzdAyEyJuGlzQj+8OPanmOABsCxTwc=
$ vault login s.f5Jv7son8PMGqBUI6R1ZqR2V
$ vault secrets enable -path=kvDemo -version=2 kv
$ vault kv put /kvDemo/legacy_app_creds_01 username=legacyUser password=supersecret
# Take a snapshot. This must be done against the active node: standby nodes do not
# forward this request, so you get a 0-byte snapshot instead (this may be fixed in later versions).
$ vault operator raft snapshot save raft01.snap
# Kill the cluster and remove the raft DB files
$ rm -rf /opt/vault/*
# Restart Vault with the same config (the raft data folder is empty now) and initialise it again
$ vault server -config=vault_raft.hcl
$ vault operator init -key-shares=1 -key-threshold=1
# New instance details; we don't need these, because the restore brings back the original cluster's keyring:
# Unseal Key 1: NxgdYN6W0mhamxMPfiNnOQipgAENU+eRwlPJHE6xR0Y=
# Initial Root Token: s.c75QL4pb4oPa2FVnF263Wofb
# Restore the snapshot (-force is needed because the snapshot comes from a different cluster than the one just initialised)
$ vault operator raft snapshot restore -force raft01.snap
# Unseal with the ORIGINAL cluster's key and log in with the ORIGINAL root token; the new instance's keys no longer apply
$ vault operator unseal sxYcm0n9CAg2QKzdAyEyJuGlzQj+8OPanmOABsCxTwc=
$ vault login s.f5Jv7son8PMGqBUI6R1ZqR2V
$ vault kv get /kvDemo/legacy_app_creds_01
====== Metadata ======
...
====== Data ======
Key         Value
---         -----
password    supersecret
username    legacyUser
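An added example (not part of the gist) for the 0-byte caveat above: a small POSIX shell check that refuses to keep a snapshot that is empty or not gzip data, so a scheduled backup fails loudly instead of archiving a useless file. It assumes a valid `.snap` is a gzip-compressed archive (magic bytes `1f 8b`); `check_snapshot`, `describe_snapshot` and `take_verified_snapshot` are names chosen here.

```shell
#!/bin/sh
# Sanity-check a Vault raft snapshot file before trusting it as a backup.
# Assumption: a valid .snap is a gzip-compressed archive (starts with 1f 8b).
set -u

# Returns 0 for a plausible snapshot, otherwise:
#   1 = file missing, 2 = zero bytes (what a standby node hands back), 3 = not gzip data
check_snapshot() {
  snap="$1"
  [ -f "$snap" ] || return 1
  size=$(wc -c < "$snap" | tr -d ' ')
  [ "$size" -gt 0 ] || return 2
  # Read the first two bytes and compare with the gzip magic number
  magic=$(dd if="$snap" bs=2 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
  [ "$magic" = "1f8b" ] || return 3
  return 0
}

# Human-readable verdict, one line, prefixed so it is easy to grep in job logs
describe_snapshot() {
  rc=0
  check_snapshot "$1" || rc=$?
  case $rc in
    0) echo "ok: $1 ($(wc -c < "$1" | tr -d ' ') bytes)" ;;
    1) echo "missing: $1" ;;
    2) echo "empty: $1 (0 bytes; was it taken against a standby instead of the active node?)" ;;
    3) echo "invalid: $1 is not gzip data" ;;
  esac
}

# Save a snapshot from the node VAULT_ADDR points at and delete it again if it
# fails the check, so the job exits non-zero rather than keeping a bad backup.
take_verified_snapshot() {
  out="$1"
  vault operator raft snapshot save "$out" || return 1
  check_snapshot "$out" && return 0
  rc=$?
  describe_snapshot "$out" >&2
  rm -f "$out"
  return "$rc"
}

# Usage: sh check_snapshot.sh raft01.snap   (checks an existing file)
[ $# -eq 0 ] || describe_snapshot "$1"
```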