Restoring Vault

Pre-requisites

  • Unseal keys and root token for the snapshot

  • Project admin access to the namespace being restored (referred to as ${VAULT_NS} in this doc)

  • Vault CLI

  • Kustomize CLI

  • OC CLI

Steps

  • Retrieve the most recent Vault Snapshot from one of the following locations:

    • Snapshot Backup S3 bucket on Smaug Cluster. Use this S3 endpoint: s3-openshift-storage.apps.smaug.na.operate-first.cloud

    • Snapshot Backup PVC here. You can use this pod to access the PVC.

  • Log in to an OCP cluster

  • Go to operate-first/apps

  • Find the overlay needing to be deployed

  • Navigate to this cluster overlay and run kustomize build . | oc -n ${VAULT_NS} apply -f -

  • Follow the instructions here, ignoring the helm install.. portion

    • Use http://opf-vault-0.opf-vault-internal:8200 when joining opf-vault-1 and opv-vault-0

So far we’ve installed a new Vault instance. To restore an instance from our old backup:

  • Log in to the new instance with the root token: vault login -address=$VAULT_ADDR

  • Follow the instructions here to restore the snapshot

  • Log in to each pod again and unseal it using the unseal keys for the snapshot Vault.
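
The restore steps above as a shell function, added here as an example and not taken from the original runbook or the operate-first repositories. It assumes Vault's integrated Raft storage (implied by the join step); the snapshot path and the VAULT_PODS, UNSEAL_THRESHOLD and DRY_RUN variables are hypothetical names introduced for illustration.

```shell
#!/bin/sh
# Added example, not the project's own code. Assumptions: Raft integrated
# storage; VAULT_PODS, UNSEAL_THRESHOLD and DRY_RUN are illustrative names.

# run CMD...: print the command when DRY_RUN=1, otherwise execute it.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# preflight SNAPSHOT: refuse to start with missing settings or a bad file.
preflight() {
    [ -n "${VAULT_ADDR:-}" ] || { echo "VAULT_ADDR is not set" >&2; return 1; }
    [ -n "${VAULT_NS:-}" ] || { echo "VAULT_NS is not set" >&2; return 1; }
    [ -s "$1" ] || { echo "snapshot '$1' is missing or empty" >&2; return 1; }
}

# restore_vault SNAPSHOT: log in, restore, then unseal every pod.
restore_vault() {
    snapshot=$1
    preflight "$snapshot" || return 1

    # Log in with the NEW instance's root token. With no token argument the
    # CLI prompts for it, so it stays out of shell history and process lists.
    run vault login -address="$VAULT_ADDR" || return 1

    # -force skips the check that the snapshot's keys match this cluster;
    # the new instance was initialised with different keys than the backup.
    run vault operator raft snapshot restore \
        -address="$VAULT_ADDR" -force "$snapshot" || return 1

    # The restored data is protected by the snapshot's unseal keys. Each
    # unseal call prompts for one key share, so repeat up to the threshold.
    for pod in ${VAULT_PODS:-opf-vault-0 opf-vault-1}; do
        n=0
        while [ "$n" -lt "${UNSEAL_THRESHOLD:-3}" ]; do
            run oc -n "$VAULT_NS" exec -ti "$pod" -- vault operator unseal || return 1
            n=$((n + 1))
        done
    done
}
# Usage: DRY_RUN=1 restore_vault ./vault.snap   (prints the plan, runs nothing)
```

Run it with DRY_RUN=1 first to review the exact commands before touching the cluster.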