Remove expired snapshots #29

Merged
merged 10 commits into from
Sep 12, 2024
Changes from 3 commits
2 changes: 1 addition & 1 deletion kubernetes/Dockerfile
@@ -1,6 +1,6 @@
FROM alpine

ARG VAULT_VERSION=1.13.2
ARG VAULT_VERSION=1.16.3

COPY vault-snapshot.sh /

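Review bot: the base image two lines above the bump is still an untagged `FROM alpine`, so the same Dockerfile built on different days yields different images even though `VAULT_VERSION` is now pinned to 1.16.3; pin the base as well (a specific release tag, or better an `@sha256:` digest) so the image that runs `vault operator raft snapshot save` against production is reproducible. Since `VAULT_VERSION` is a build `ARG` and can be overridden at build time, please confirm that the step which fetches the binary (not shown in this hunk) verifies the release checksum or signature for the new version rather than trusting the version string alone.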
25 changes: 25 additions & 0 deletions kubernetes/README.md
@@ -15,5 +15,30 @@ After the snapshot is created in a temporary directory, `s3cmd` is used to sync
* `S3_URI` - S3 URI to use to upload (s3://xxx)
* `S3_BUCKET` - S3 bucket to point to
* `S3_HOST` - S3 endpoint
* `S3_EXPIRE_DAYS` - Delete files older than this threshold (expired)
* `AWS_ACCESS_KEY_ID` - Access key to use to access S3
* `AWS_SECRET_ACCESS_KEY` - Secret access key to use to access S3

## Configuration of file retention (pruning)

With AWS S3, use [lifecycle
rules](https://docs.aws.amazon.com/AmazonS3/latest/userguide/lifecycle-expire-general-considerations.html)
to configure retention and automatic cleanup action (prune) for expired files.

For other S3 compatible storage, ensure to set [Governance
lock](https://community.exoscale.com/documentation/storage/versioning/#set-up-the-lock-configuration-for-a-bucket)
to avoid any modification before `$S3_EXPIRE_DAYS`:

```
mc retention set --default GOVERNANCE "${S3_EXPIRE_DAYS}d" my-s3-remote/my-bucket
```

On removal by the `vault-snapshot.sh` script, [`DEL` deletion marker
(tombstone)](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-managing.html#object-lock-managing-delete-markers)
is set:

```
mc ls --versions my-snapshots/vault-snapshots-2f848f
[2024-09-09 09:07:46 CEST] 0B X/1031980658232456253 v2 DEL vault_2024-09-06-1739.snapshot
[2024-09-06 19:39:49 CEST] 28KiB Standard 1031052557042383613 v1 PUT vault_2024-09-06-1739.snapshot
```
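Review bot: the retention section should state plainly what the removal achieves on a versioned, object-locked bucket: the `mc ls --versions` listing at the end shows exactly that `s3cmd del` only adds a `v2 DEL` marker while the `v1 PUT` version (28KiB) stays in place, so setting `S3_EXPIRE_DAYS` neither frees storage nor removes the snapshot data on S3-compatible stores until a lifecycle rule expires noncurrent versions; without that sentence "Remove expired snapshots" reads as real deletion. Two caveats on the `mc retention set --default GOVERNANCE "${S3_EXPIRE_DAYS}d"` advice: it only applies to a bucket that was created with object locking enabled, and GOVERNANCE mode can be bypassed by a principal holding `s3:BypassGovernanceRetention`, so if the goal is that a leaked snapshot-job credential cannot destroy backups before the retention window ends, say so and mention COMPLIANCE mode as the stricter alternative. Finally, the new `S3_EXPIRE_DAYS` bullet says "Delete files older than this threshold" while the first paragraph tells AWS users to rely on lifecycle rules; state explicitly whether `S3_EXPIRE_DAYS` should stay unset on AWS so that two pruning mechanisms do not run against the same bucket.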
3 changes: 3 additions & 0 deletions kubernetes/cronjob.yaml
@@ -32,6 +32,9 @@ spec:
value: bucketname
- name: S3_URI
value: s3://bucketname
# leave empty to retain snapshot files (default)
- name: S3_EXPIRE_DAYS
value:
- name: VAULT_ROLE
value: vault-snapshot
- name: VAULT_ADDR
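Review bot: `value:` with nothing after it is YAML null, not the empty string the comment above it describes; write `value: ""` so the intent is explicit and the manifest does not depend on how the API server coerces a null into a string field. Also worth a comment beside the new variable: once `S3_EXPIRE_DAYS` is set, the `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` this job uses must be allowed to delete objects in `s3://bucketname`, which turns a write-only backup credential into one that can destroy backups; keep the upload credential write-only where the operator does not need pruning, and pair deletion with the object lock the README recommends.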
16 changes: 15 additions & 1 deletion kubernetes/vault-snapshot.sh
@@ -7,8 +7,22 @@ VAULT_TOKEN=$(vault write -field=token auth/kubernetes/login role="${VAULT_ROLE
export VAULT_TOKEN

# create snapshot

vault operator raft snapshot save /vault-snapshots/vault_"$(date +%F-%H%M)".snapshot

# upload to s3
s3cmd put /vault-snapshots/* "${S3_URI}" --host="${S3_HOST}" --host-bucket="${S3_BUCKET}"

# remove expired snapshots
if [ "${S3_EXPIRE_DAYS}" ]; then
s3cmd ls "${S3_URI}" --host="${S3_HOST}" --host-bucket="${S3_BUCKET}" | while read -r line; do
createDate=$(echo $line | awk {'print $1" "$2'})
createDate=$(date -d"$createDate" +%s)
olderThan=$(date --date "${S3_EXPIRE_DAYS} days ago" +%s)
if [[ $createDate -lt $olderThan ]]; then
fileName=$(echo $line | awk {'print $4'})
if [[ $fileName != "" ]]; then
s3cmd del "${S3_URI}/$fileName" --host="${S3_HOST}" --host-bucket="${S3_BUCKET}"
fi
fi
done;
fi
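Review bot: the delete target is wrong: `s3cmd ls` prints `DATE TIME SIZE s3://bucket/key`, so the `$4` captured into `fileName` is already the full `s3://` URI and `"${S3_URI}/$fileName"` expands to `s3://bucketname/s3://bucketname/vault_...snapshot`, which deletes the wrong key or nothing at all; pass `"$fileName"` to `s3cmd del` directly. While there, restrict the loop to this job's own objects (for example `case "$fileName" in */vault_*.snapshot) ... esac`) so that any other object or `DIR` entry in the bucket is never removed by the expiry pass, and the `DIR` lines do not feed garbage into `date`. `date -d"$createDate"` and `date --date "${S3_EXPIRE_DAYS} days ago"` are GNU coreutils forms, but the image is built `FROM alpine`, whose BusyBox `date` has no `--date` option and does not parse relative dates, so compute the threshold arithmetically instead, e.g. `olderThan=$(( $(date +%s) - S3_EXPIRE_DAYS * 86400 ))`, or install coreutils explicitly. Minor: quote `"$line"` in the `echo` calls and write the awk programs as `awk '{print $1" "$2}'` rather than the unconventional `awk {'print $1" "$2'}`.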