Skip to content

Latest commit

 

History

History
108 lines (59 loc) · 4 KB

README.md

File metadata and controls

108 lines (59 loc) · 4 KB

Raft Snapshotter

Raft Snapshotter is a Go binary that is meant to run as a cronjob and will take periodic snapshots of the Raft database and write it to the desired location.

Running

Configuration

retain The number of backups to keep.

log_level Set level of log verbosity.

Vault config

Either AppRole or token file is required

address The address of the Vault cluster. This is used to check the Vault cluster leader IP, as well as generate snapshots.

ca_cert Specifies the certificate to validate against vault.

client_cert The client certificate used when connecting to Vault.

client_key The client key used when connecting to Vault.

insecure Ignore TLS checks. Only for testing purposes

role_id Specifies the role_id used to authenticate against vault. See the authentication steps below.

secret_id Specifies the secret_id used to authenticate against vault. See the authentication steps below.

token_file Specifies the token used to call the Vault API. Useful with the Vault Agent auto-auth functionality

Storage options

Note that if you specify more than one storage option, all options will be written to. For example, specifying local_storage and aws_storage will write to both locations.

local_storage - Object for writing to a file on disk.

aws_storage - Object for writing to an S3 bucket (Support AWS S3 but also S3 Compatible Storage).

google_storage - Object for writing to GCS.

azure_storage - Object for writing to Azure.

Local Storage

path - Fully qualified path, not including file name, for where the snapshot should be written. i.e. /etc/raft/snapshots

S3 Storage

access_key - The access key used for S3 authentication

secret_key - The secret key used for S3 authentication

endpoint - S3 compatible storage endpoint (ex: http://127.0.0.1:9000)

force_path_style - Needed if your S3 Compatible storage support only path-style or you would like to use S3's FIPS Endpoint.

region - S3 region as is required for programmatic interaction with AWS, default is us-east-1

bucket - bucket to store snapshots in (required for AWS writes to work)

key_prefix - Prefix to store s3 snapshots in. Defaults to raft_snapshots

server_side_encryption - Encryption is off by default. Set to true to turn on AWS' AES256 encryption. Support for AWS KMS keys is not currently supported.

static_snapshot_name - Use a single, static key for s3 snapshots as opposed to autogenerated timestamped-based ones. Unless S3 versioning is used, this means there will only ever be a single point-in-time snapshot stored in S3.

ca_cert - Path to Ca certificate used to validate the S3 backend

Google Storage

bucket - The Google Storage Bucket to write to. Auth is expected to be default machine credentials.

Azure Storage

account_name - The account name of the storage account

account_key - The account key of the storage account

container_name The name of the blob container to write to

Authentication

You must do some quick initial setup prior to being able to use the Snapshotter.

The following policy is required

path "/sys/storage/raft/snapshot"
{
  capabilities = ["read"]
}

If AppRole is used, the role and secret id is gernerated like this:

vault write auth/approle/role/snapshot token_policies="snapshot"
vault read -field=role_id auth/approle/role/snapshot/role-id
vault write -f -field=secret_id  auth/approle/role/snapshot/secret-id

Copy your secret and role ids, and place them into the config file. The snapshotter will use them to request client tokens, so that it can interact with your Vault cluster. The above policy is the minimum required policy to be able to generate snapshots. The snapshotter will automatically renew the token when it is going to expire.

The AppRole allows the snapshotter to automatically rotate tokens to avoid long-lived credentials.

To learn more about AppRole's and why this project chose to use them, see the Vault docs