Raft Snapshotter is a Go binary that is meant to run as a cronjob; it takes periodic snapshots of the Vault Raft (integrated storage) database and writes them to the configured location(s).
`retain` - The number of backups to keep.

`log_level` - Set the level of log verbosity.
Either AppRole credentials (`role_id` and `secret_id`) or a `token_file` is required for authentication to Vault.
`address` - The address of the Vault cluster. This is used to check the Vault cluster leader IP, as well as to generate snapshots.

`ca_cert` - Specifies the CA certificate used to validate the Vault server's TLS certificate.

`client_cert` - The client certificate used when connecting to Vault.

`client_key` - The client key used when connecting to Vault.

`insecure` - Skip TLS certificate verification. For testing only: with verification disabled, anyone who can intercept the connection can impersonate the Vault cluster and capture the credentials the snapshotter sends.

`role_id` - Specifies the role_id used to authenticate against Vault with AppRole. See the authentication steps below.

`secret_id` - Specifies the secret_id used to authenticate against Vault with AppRole. See the authentication steps below.

`token_file` - Specifies the path to a file containing the token used to call the Vault API. Useful with the Vault Agent auto-auth functionality, which can write a token to a file sink.
Note that if you specify more than one storage option, all of them will be written to. For example, specifying both `local_storage` and `aws_storage` will write to both locations.
- `local_storage` - Object for writing to a file on disk.
  - `path` - Fully qualified directory path, not including the file name, where the snapshot should be written, e.g. `/etc/raft/snapshots`.
- `aws_storage` - Object for writing to an S3 bucket (supports AWS S3 as well as S3-compatible storage).
  - `access_key` - The access key used for S3 authentication.
  - `secret_key` - The secret key used for S3 authentication.
  - `endpoint` - S3-compatible storage endpoint (e.g. `http://127.0.0.1:9000`).
  - `force_path_style` - Needed if your S3-compatible storage supports only path-style addressing, or if you want to use S3's FIPS endpoint.
  - `region` - S3 region, as required for programmatic interaction with AWS. Defaults to `us-east-1`.
  - `bucket` - Bucket to store snapshots in (required for AWS writes to work).
  - `key_prefix` - Prefix under which snapshots are stored in S3. Defaults to `raft_snapshots`.
  - `server_side_encryption` - Off by default. Set to `true` to enable AWS server-side encryption with AES256. AWS KMS keys are not currently supported.
  - `static_snapshot_name` - Use a single, static key for S3 snapshots instead of the autogenerated timestamp-based ones. Unless S3 versioning is enabled, this means only a single point-in-time snapshot is ever stored in S3, so a bad snapshot overwrites your only copy.
  - `ca_cert` - Path to the CA certificate used to validate the S3 backend.
- `google_storage` - Object for writing to Google Cloud Storage (GCS).
  - `bucket` - The GCS bucket to write to. Authentication is expected to use the machine's default credentials.
- `azure_storage` - Object for writing to Azure Blob Storage.
  - `account_name` - The account name of the storage account.
  - `account_key` - The account key of the storage account.
  - `container_name` - The name of the blob container to write to.
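As an added example (not code from the project), here is a Go loader that mirrors the options above and checks the constraints their descriptions state: exactly one of AppRole or `token_file`, at least one storage target, a bucket whenever `aws_storage` is used, the documented defaults for `region` and `key_prefix`, and a warning when `insecure` or an unencrypted S3 write is configured. The JSON layout (one flat file with a nested object per storage backend), the `Config` type names and the `sampleConfig` document are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Config mirrors the options documented above. The JSON layout (top-level keys plus
// one nested object per storage backend) is an assumption of this example.
type Config struct {
	Retain    int            `json:"retain"`
	Address   string         `json:"address"`
	CACert    string         `json:"ca_cert"`
	Insecure  bool           `json:"insecure"`
	RoleID    string         `json:"role_id"`
	SecretID  string         `json:"secret_id"`
	TokenFile string         `json:"token_file"`
	Local     *LocalStorage  `json:"local_storage,omitempty"`
	AWS       *AWSStorage    `json:"aws_storage,omitempty"`
	Google    *GoogleStorage `json:"google_storage,omitempty"`
	Azure     *AzureStorage  `json:"azure_storage,omitempty"`
}

type LocalStorage struct{ Path string `json:"path"` }
type GoogleStorage struct{ Bucket string `json:"bucket"` }
type AzureStorage struct {
	AccountName   string `json:"account_name"`
	AccountKey    string `json:"account_key"`
	ContainerName string `json:"container_name"`
}
type AWSStorage struct {
	AccessKey            string `json:"access_key"`
	SecretKey            string `json:"secret_key"`
	Endpoint             string `json:"endpoint"`
	ForcePathStyle       bool   `json:"force_path_style"`
	Region               string `json:"region"`
	Bucket               string `json:"bucket"`
	KeyPrefix            string `json:"key_prefix"`
	ServerSideEncryption bool   `json:"server_side_encryption"`
	StaticSnapshotName   string `json:"static_snapshot_name"`
	CACert               string `json:"ca_cert"`
}

// Load parses the config and applies the defaults documented above (region, key_prefix).
func Load(data []byte) (Config, error) {
	var c Config
	if err := json.Unmarshal(data, &c); err != nil {
		return c, fmt.Errorf("parse config: %w", err)
	}
	if c.AWS != nil && c.AWS.Region == "" {
		c.AWS.Region = "us-east-1"
	}
	if c.AWS != nil && c.AWS.KeyPrefix == "" {
		c.AWS.KeyPrefix = "raft_snapshots"
	}
	return c, nil
}

// Validate enforces the constraints stated in the option descriptions: hard failures
// come back as errors, risky-but-allowed settings as warnings.
func Validate(c Config) (errs []error, warnings []string) {
	if c.Address == "" {
		errs = append(errs, errors.New("address is required"))
	}
	appRole := c.RoleID != "" || c.SecretID != ""
	if appRole && (c.RoleID == "" || c.SecretID == "") {
		errs = append(errs, errors.New("role_id and secret_id must be set together"))
	}
	if appRole == (c.TokenFile != "") { // both configured, or neither
		errs = append(errs, errors.New("configure exactly one of AppRole (role_id/secret_id) or token_file"))
	}
	if c.Insecure {
		warnings = append(warnings, "insecure=true disables TLS verification of the Vault cluster; testing only")
	}
	if c.Local == nil && c.AWS == nil && c.Google == nil && c.Azure == nil {
		errs = append(errs, errors.New("at least one storage option is required"))
	}
	if c.AWS != nil {
		if c.AWS.Bucket == "" {
			errs = append(errs, errors.New("aws_storage.bucket is required"))
		}
		if !c.AWS.ServerSideEncryption {
			warnings = append(warnings, "aws_storage.server_side_encryption is off; snapshots are stored unencrypted at rest")
		}
	}
	return errs, warnings
}

// sampleConfig is a constructed example document, not one shipped by the project.
const sampleConfig = `{"retain": 72, "address": "https://vault.example.internal:8200",
  "ca_cert": "/etc/vault/ca.pem", "role_id": "REPLACE-ME", "secret_id": "REPLACE-ME",
  "local_storage": {"path": "/etc/raft/snapshots"},
  "aws_storage": {"bucket": "vault-raft-snapshots", "server_side_encryption": true}}`

func main() {
	c, err := Load([]byte(sampleConfig))
	errs, warns := Validate(c)
	fmt.Println(err, errs, warns)
}
```

Run it at startup, before the first login, so a misconfigured cronjob fails loudly instead of silently writing plaintext snapshots or holding two sets of credentials it does not need.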
Some quick initial setup is required before the Snapshotter can be used.

The following Vault policy is required. Save it under the name `snapshot`, which the AppRole below references through `token_policies`:

```hcl
path "/sys/storage/raft/snapshot" {
  capabilities = ["read"]
}
```

If AppRole is used (the AppRole auth method must be enabled at `auth/approle`), the role is created and the role_id and secret_id are generated like this:

```shell
vault write auth/approle/role/snapshot token_policies="snapshot"
vault read -field=role_id auth/approle/role/snapshot/role-id
vault write -f -field=secret_id auth/approle/role/snapshot/secret-id
```

Copy the role_id and secret_id into the config file. The snapshotter uses them to request client tokens so that it can interact with your Vault cluster; the policy above is the minimum required to generate snapshots. The snapshotter automatically renews the token when it is about to expire, so AppRole lets it rotate tokens and avoid long-lived credentials. The `secret_id` in the config file is still a credential: restrict the file's permissions to the user the cronjob runs as. To learn more about AppRole and why this project chose it, see the Vault docs.
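As an added example (not the project's own code), the following Go program shows the flow the paragraph describes: an AppRole login with the role_id and secret_id generated above, renewal of the client token when it is about to expire, and a read of `/sys/storage/raft/snapshot`, the only path the policy grants. The endpoints `/v1/auth/approle/login`, `/v1/auth/token/renew-self` and `/v1/sys/storage/raft/snapshot` are Vault's real HTTP API; the `Client` type, the `newMockVault` stand-in server, the credentials and the snapshot bytes are constructed for this example so that it runs offline.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"time"
)

// Client is a minimal Vault HTTP client written for this example (not the project's code).
type Client struct {
	Address string
	HTTP    *http.Client // where ca_cert / client_cert TLS settings would be applied
	Token   string
	Expiry  time.Time // when Token stops being valid, derived from lease_duration
}

// do sends one request carrying the current token; any non-200 status is an error.
func (c *Client) do(method, path string, body []byte) ([]byte, error) {
	req, _ := http.NewRequest(method, c.Address+path, bytes.NewReader(body)) // method and URL are program constants
	req.Header.Set("X-Vault-Token", c.Token)
	resp, err := c.HTTP.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("%s %s: HTTP %d", method, path, resp.StatusCode)
	}
	return io.ReadAll(resp.Body)
}

// auth POSTs to a login or renew endpoint and records the returned token and its expiry.
func (c *Client) auth(path string, body any) error {
	b, _ := json.Marshal(body)
	data, err := c.do(http.MethodPost, path, b)
	if err != nil {
		return err
	}
	var r struct {
		Auth struct {
			ClientToken   string `json:"client_token"`
			LeaseDuration int    `json:"lease_duration"`
		} `json:"auth"`
	}
	if err := json.Unmarshal(data, &r); err != nil {
		return err
	}
	c.Token = r.Auth.ClientToken
	c.Expiry = time.Now().Add(time.Duration(r.Auth.LeaseDuration) * time.Second)
	return nil
}

// LoginAppRole exchanges the role_id/secret_id from the config for a short-lived client token.
func (c *Client) LoginAppRole(roleID, secretID string) error {
	return c.auth("/v1/auth/approle/login", map[string]string{"role_id": roleID, "secret_id": secretID})
}

// TakeSnapshot renews the token if it is about to expire, then reads the raw snapshot archive.
func TakeSnapshot(c *Client) ([]byte, error) {
	// Renew in place when under 5 minutes remain, so the request does not fail mid-flight.
	if time.Until(c.Expiry) < 5*time.Minute {
		if err := c.auth("/v1/auth/token/renew-self", map[string]any{}); err != nil {
			return nil, err
		}
	}
	return c.do(http.MethodGet, "/v1/sys/storage/raft/snapshot", nil) // the only path the policy grants
}

// newMockVault is a constructed stand-in for a Vault cluster so the example runs offline.
func newMockVault(roleID, secretID string, snapshot []byte) *httptest.Server {
	const tok = "hvs.example-token"
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var b map[string]string
		json.NewDecoder(r.Body).Decode(&b) // credentials, present only on the login POST
		authed := r.Header.Get("X-Vault-Token") == tok
		switch {
		case r.URL.Path == "/v1/auth/approle/login" && b["role_id"] == roleID && b["secret_id"] == secretID:
			fmt.Fprintf(w, `{"auth":{"client_token":%q,"lease_duration":3600}}`, tok)
		case r.URL.Path == "/v1/auth/token/renew-self" && authed:
			fmt.Fprintf(w, `{"auth":{"client_token":%q,"lease_duration":7200}}`, tok)
		case r.URL.Path == "/v1/sys/storage/raft/snapshot" && authed:
			w.Write(snapshot)
		default: // wrong credentials, missing token or unknown path
			http.Error(w, `{"errors":["permission denied"]}`, http.StatusForbidden)
		}
	}))
}

func main() {
	srv := newMockVault("demo-role-id", "demo-secret-id", []byte("constructed snapshot bytes"))
	c := &Client{Address: srv.URL, HTTP: srv.Client()}
	fmt.Println("login:", c.LoginAppRole("demo-role-id", "demo-secret-id"))
	snap, err := TakeSnapshot(c)
	fmt.Printf("%d snapshot bytes, err=%v\n", len(snap), err)
}
```

Against a real cluster, point `Address` at the configured `address`, give `HTTP` a TLS configuration built from `ca_cert` (and `client_cert`/`client_key` if used), and write the returned bytes to the configured storage under a timestamped name with owner-only permissions: the archive is a copy of the whole Raft database, so it deserves the same handling as the storage backend itself.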