             _ _                           _       _         _   
 _ _ ___ _ _| | |_ ___ ___ ___ ___ ___ ___| |_ ___| |_   ___| |_ 
| | | .'| | | |  _|___|_ -|   | .'| . |_ -|   | . |  _|_|_ -|   |
 \_/|__,|___|_|_|     |___|_|_|__,|  _|___|_|_|___|_| |_|___|_|_|
                                  |_|                            

Tool used to easily download self-hosted HashiCorp Vault
  snapshot which can be automated with a simple cronjob

Requirements: curl, jq

Vault cluster should be unsealed and on standby.

Configuration for vault-snapshot.sh is set with:
  /path/to/vault-snapshot.sh/config/vault-snapshot.cfg

You must have a token generated with storage/raft READ permissions.
  The token must be placed in /config/vault_token file.
  (Location can be modified in /config/vault-snapshot.cfg)

Usage:
  vault-snapshot.sh [<arguments>]
  vault-snapshot.sh -h | Help - Show this screen.
  vault-snapshot.sh -v | Verbose - Show [info] level output (Default is error only)
  vault-snapshot.sh -c | Check - Only check which Vault node is the master
  vault-snapshot.sh -g | Get - Only get vault snapshot without checking for master node.
                         NOT RECOMMENDED!
Examples:
  vault-snapshot.sh       | Tool fully ran, silent output unless error.
  vault-snapshot.sh -vc   | Verbose output while only checking for master node.
  vault-snapshot.sh -c    | Only master node checked, silent output unless error
  vault-snapshot.sh -vg   | Verbose output while only getting Vault snapshot.
                            NOT RECOMMENDED!
                            

Usage

1. Install prerequisites:

   ```bash
   # Ubuntu/Debian
   sudo apt install git curl jq
   # CentOS/RHEL
   sudo yum install epel-release -y # needed to install JQ package
   sudo yum -y install git curl jq
   # Fedora
   sudo dnf -y install git curl jq
   ```

2. Clone and navigate to this repository:

   ```bash
   git clone https://github.com/Sidicer/vault-snapshot.sh.git
   cd vault-snapshot.sh
   ```

3. Add your Vault token (with /storage/ READ permissions):

   ```bash
   echo "hcv.your-token" > config/vault_token
   ```

4. Configure _VAULT_URL:

   ```bash
   vim config/vault-snapshot.cfg
   # Change _VAULT_URL= to match your cluster setup
   # :wq
   ```

5. Test vault-snapshot.sh:

   ```bash
   bin/vault-snapshot.sh -v
   ```

6. Automate snapshot creation (weekly):

   ```bash
   crontab -l | { cat; echo "0 5 * * 7 /path/to/vault-snapshot.sh/bin/vault-snapshot.sh"; } | crontab -
   ```
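
The token step above writes `config/vault_token` with the shell's default umask and typically leaves the token in shell history, and the cron step then runs unattended against that file. The following is an added example, not part of vault-snapshot.sh (the function names are hypothetical): it stores the token from stdin with owner-only permissions and refuses to run a command when the token file is missing, empty, a symlink, or accessible to group or others.

```shell
#!/usr/bin/env bash
# Added example, not part of vault-snapshot.sh. Function names are hypothetical;
# the config/vault_token path is the one this README uses.

# Read the token from stdin (so it never appears in argv or shell history)
# and write it to a file that is owner-only before any secret reaches it.
store_token() {
  local file=$1 token=
  IFS= read -r token || true          # tolerate a missing trailing newline
  [ -n "$token" ] || return 1         # nothing to store
  ( umask 077; : > "$file" ) || return 1
  chmod 600 "$file" || return 1       # tighten a pre-existing, looser file
  printf '%s\n' "$token" > "$file"
}

# Succeed only for a regular, non-empty, non-symlink file with no
# group/other permission bits set.
check_token_file() {
  local file=$1 mode
  [ -f "$file" ] || return 1
  [ ! -L "$file" ] || return 1
  [ -s "$file" ] || return 1
  # GNU/busybox stat first, BSD/macOS stat as fallback.
  mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file" 2>/dev/null) || return 1
  case "$mode" in
    *00) return 0 ;;
    *)   return 1 ;;
  esac
}

# Run a command only when the token file passes the check, e.g. from cron:
#   guarded_run config/vault_token bin/vault-snapshot.sh
guarded_run() {
  local file=$1
  shift
  if ! check_token_file "$file"; then
    echo "refusing to run: $file is missing, empty, a symlink or readable by others" >&2
    return 1
  fi
  "$@"
}
```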