README
¶
Vault-Backup
Description
Vault-Backup is an automatic backup solution for HashiCorp Vault. The project is designed to run as a Docker container or a standalone binary and supports the backup of Vault data to remote destinations such as AWS S3. The project also has Prometheus metrics support, which can be enabled using an environment variable.
Features
- Automated HashiCorp Vault backups
- Supports AWS S3 as a backup destination
- Prometheus metrics support with counters for successful and failed backup attempts
- Automatically reads and applies environment variables from JSON files in a specified path when using the HashiCorp Vault Agent Sidecar Injector (see
VAULT_SECRETS_PATH)
Prerequisites
- A running HashiCorp Vault instance
- Access to an S3-compatible storage service (e.g., Amazon S3)
- (Optional) A running Prometheus instance for metrics collection
Example
An example Kubernetes CronJob configuration using Vault-Backup with the HashiCorp Vault Agent Sidecar Injector can be found in the example directory of this repository. The example demonstrates how to set up a scheduled backup job for HashiCorp Vault in a Kubernetes environment.
Installation
Docker
- Pull the Docker image:
docker pull skydev/vault-backup - Configure the necessary environment variables (see below for a list of supported variables).
- Run the Docker container with the configured environment variables:
docker run --env-file <your-env-file> skydev/vault-backup
Usage
The following environment variables are used to configure the behavior of the Vault-Backup application:
VAULT_NAME: Customize the name of your Vault instance. This is used primarily for Prometheus metrics.PROMETHEUS_PUSH_GATEWAY_URL: The URL to the Prometheus Pushgateway. This is optional and should only be set if you want to enable Prometheus metrics.VAULT_URLS: A comma-separated list of Vault URLs, e.g.,https://vault1:8200,https://vault2:8200. The application will try to connect using these URLs.AUTH_TYPE: Auth type for vault. Supported: kubernetes,vault_tokenKUBERNETES_ROLE: (optional) required ifAUTH_TYPE= kubernetes. Name of role\service account.VAULT_TOKEN: A Vault token with the following access policy applied:
path "sys/storage/raft/snapshot" {
capabilities = ["read"]
}
VAULT_SECRETS_PATH: Path to HashiCorp Vault files. This is useful when using the HashiCorp Vault Agent Sidecar Injector. For more information, visit Vault Agent Sidecar Injector documentation. Files are expected to be in JSON format. The application will read the JSON files and apply the environment variables. Expected format:{"key": "value"}. (On linux system by default /vault/secrets/). Disabled by default.- S3 Configuration:
S3_ACCESS_KEY: Your S3 access key.S3_SECRET_KEY: Your S3 secret key.S3_ENDPOINT: The S3 endpoint URL.S3_REGION: The S3 region.S3_DISABLE_SSL: Disable SSL for S3 connections (true or false).S3_BUCKET: The name of the S3 bucket to store the backups.
Prometheus Metrics
The following Prometheus metrics are available when the PROMETHEUS_PUSH_GATEWAY_URL environment variable is set:
vault_backup_success_total: A counter for the total number of successful backups.vault_backup_errors_total: A counter for the total number of failed backups. This metric includes a labelerr_textwith the error text.
Contributing
Contributions to the project are welcome. Please submit a pull request or create an issue to propose new features, report bugs, or suggest improvements.
License
This project is licensed under the MIT License.
References
For more information on setting up Vault backups, refer to this guide: DIY Vault Backup
Directories