using watches and handlers in cosul we can monitor for changes in consul
Based on vault doc data of secret enginese saved in logical path of kv
So we should monitor consul kv kv/vault-ha/logical and the watch should execute and backup from the consul
In this way we can have automated and updated backup.
Run setup.sh with the kv store of vault in consul. so, if kv store of vault in Consul is v1/vault-ha/original so it will be
./setup.sh
Setup script will watch over data of vault secret engines' changes which is persistent in consul, whenever a change happen watch notify handler to trigger
handler run consul snapshot cmd to save a snapshot locally.
Note: for preventing lots of backup creation we will save just the last backup of the day called: /backup/backup-YYYY-mm-dd".back logs will be in /backup/vault-backup-logs.log
docker build -t vault-backup . create image and you can add it to the consul server with three env:
CONSUL_HTTP_TOKEN= <token of consul with acl access>
KV_PATH=<key/vale path of vault in consul>
CONSUL_HTTP_ADDR=<http address of consul for connecting consul agent to>Executing container with args:
docker run afrouzmash/vault-backup:v1 -it --name vault-backup -e CONSUL_HTTP_TOEKN=blahblah -e KV_APTH=vault-ha -e CONSUL_HTTP_ADDR=http://127.0.0.1:8500 -v /backup:/backup
docker exec -it vault-backup ./setup.shyou can run docker image as an deployment or a sideCar
kubectl apply -f ./