Merge "Ansible playbooks for vault backup and restore"
commit
766f111812
|
@ -0,0 +1,73 @@
|
|||
---
|
||||
#
|
||||
# Copyright (c) 2024 Wind River Systems, Inc.
|
||||
#
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
#
|
||||
|
||||
- name: Validate initial_backup_dir is supplied
|
||||
fail:
|
||||
msg: "--initial_backup_dir variable not provided"
|
||||
when: not initial_backup_dir
|
||||
|
||||
- name: Validate initial_backup_dir exists
|
||||
stat:
|
||||
path: "{{ initial_backup_dir }}"
|
||||
register: initial_backup_dir_exists
|
||||
|
||||
- name: Fail if initial_backup_dir does not exists
|
||||
fail:
|
||||
msg: "Directory initial_backup_dir: {{ initial_backup_dir }} does not exist"
|
||||
when: not initial_backup_dir_exists.stat.exists
|
||||
|
||||
- name: Set vault backup directory fact
|
||||
set_fact:
|
||||
vault_backup_dir: "{{ initial_backup_dir }}/vault"
|
||||
|
||||
- name: Create vault subdirectory in initial_backup_dir
|
||||
file:
|
||||
path: "{{ vault_backup_dir }}"
|
||||
state: directory
|
||||
|
||||
- name: Check if encrypt is enabled
|
||||
set_fact:
|
||||
vault_encrypt: true
|
||||
when: encrypt_hc_vault_secret | length > 0
|
||||
|
||||
# check if vault is applied
|
||||
- name: Check if vault is applied
|
||||
shell: |
|
||||
source /etc/platform/openrc
|
||||
system application-show vault --format value --column status
|
||||
register: vault_applied_exists
|
||||
|
||||
- name: Fail if vault is not applied
|
||||
fail:
|
||||
msg: "Vault application is not applied"
|
||||
when: vault_applied_exists.stdout != "applied"
|
||||
|
||||
- name: Find vault manager pod
|
||||
shell: >-
|
||||
kubectl get pods -n vault | grep "vault-manager" | cut -d " " -f 1
|
||||
register: vault_manager_pod_name
|
||||
environment:
|
||||
KUBECONFIG: /etc/kubernetes/admin.conf
|
||||
|
||||
- name: Fail if vault manager pod is not found
|
||||
fail:
|
||||
msg: "Vault manager pod is not found"
|
||||
when: vault_manager_pod_name.stdout | length == 0
|
||||
|
||||
# check vault system health
|
||||
- name: Check vault system health
|
||||
shell: >-
|
||||
kubectl exec -n "vault" "{{ vault_manager_pod_name.stdout }}" --
|
||||
bash -c "source /opt/script/init.sh; snapshotPreCheck" 2>&1
|
||||
register: vault_system_health
|
||||
environment:
|
||||
KUBECONFIG: /etc/kubernetes/admin.conf
|
||||
|
||||
- name: Fail if vault health check returns error
|
||||
fail:
|
||||
msg: "Vault system health check returned error"
|
||||
when: vault_system_health.rc != 0
|
|
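Review bot: The check in `Validate initial_backup_dir exists` only tests `initial_backup_dir_exists.stat.exists`, so a regular file at that path passes and the later `file: state: directory` task for `{{ initial_backup_dir }}/vault` then fails with a less specific error; tightening it to `when: not (initial_backup_dir_exists.stat.exists and initial_backup_dir_exists.stat.isdir)` keeps the clear message. The lookup in `Find vault manager pod` is a substring grep over every pod in the namespace, so if more than one pod name contains `vault-manager` (or a terminated pod lingers) `vault_manager_pod_name.stdout` holds several lines and the `kubectl exec` in `Check vault system health` receives a malformed pod name. Selecting by label with `-o name` and a running-phase field selector would be more robust, though the label to use is not visible in this commit.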
@ -0,0 +1,28 @@
|
|||
---
|
||||
#
|
||||
# Copyright (c) 2024 Wind River Systems, Inc.
|
||||
#
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
#
|
||||
|
||||
- name: Create vault snapshot
|
||||
block:
|
||||
- name: Create vault snapshot with default encryption
|
||||
script: vault_snapshot.sh {{ vault_backup_dir }}
|
||||
when: not vault_encrypt
|
||||
register: vault_snapshot_script
|
||||
failed_when: vault_snapshot_script.rc != 0
|
||||
|
||||
- name: Create vault snapshot with custom encryption
|
||||
script: vault_snapshot.sh {{ vault_backup_dir }} '--encrypt' "custom_var"
|
||||
when: vault_encrypt
|
||||
register: vault_snapshot_script
|
||||
failed_when: vault_snapshot_script.rc != 0
|
||||
environment:
|
||||
KUBECONFIG: /etc/kubernetes/admin.conf
|
||||
custom_var: "{{ encrypt_hc_vault_secret }}"
|
||||
always:
|
||||
- name: Unpause vault manager
|
||||
shell: >-
|
||||
kubectl exec -n "vault" "{{ vault_manager_pod_name.stdout }}" --
|
||||
bash -c "source /opt/script/init.sh; if [ -f $PAUSEFILE ]; then rm -f $PAUSEFILE; fi" 2>&1
|
|
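Review bot: In `Unpause vault manager`, `$PAUSEFILE` sits inside the double-quoted `bash -c` string, so the shell on the target host expands it before `kubectl exec` runs; unless that host happens to export PAUSEFILE, the container's bash receives `if [ -f ]; then rm -f ; fi` and the pause file that init.sh presumably defines is never removed, leaving vault-manager paused after the backup. Single-quoting the inner command, `bash -c 'source /opt/script/init.sh; if [ -f "$PAUSEFILE" ]; then rm -f "$PAUSEFILE"; fi' 2>&1`, defers expansion to the container; the same construct appears in the restore role's `always` block. That unpause step is also the only kubectl invocation in the commit without an `environment: KUBECONFIG` entry, which is worth aligning so the cleanup does not depend on root's default kubeconfig. Separately, `Create vault snapshot with custom encryption` passes `encrypt_hc_vault_secret` through `environment` but has no `no_log: true`, so anything the script echoes or a dump of the registered result can expose the secret.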
@ -0,0 +1,43 @@
|
|||
---
|
||||
#
|
||||
# Copyright (c) 2024 Wind River Systems, Inc.
|
||||
#
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
#
|
||||
|
||||
- name: Set backup file path
|
||||
set_fact:
|
||||
backup_filepath: "{{ vault_backup_dir }}/{{ backup_filename }}"
|
||||
|
||||
- name: Find snapshot
|
||||
shell: |
|
||||
ls {{ backup_filepath }}
|
||||
register: snapshot_tar_name
|
||||
|
||||
- name: Fail if vault snapshot tar not found
|
||||
fail:
|
||||
msg: "Vault snapshot tarball: {{ backup_filename }} was not found"
|
||||
when: snapshot_tar_name.stdout | length == 0
|
||||
|
||||
# call vault_restore.sh
|
||||
- name: Restore vault from the snapshot
|
||||
block:
|
||||
- name: Restore vault snapshot with default encryption
|
||||
script: vault_restore.sh {{ backup_filepath }}
|
||||
when: not vault_encrypt
|
||||
register: vault_restore_script
|
||||
failed_when: vault_restore_script.rc != 0
|
||||
|
||||
- name: Restore vault snapshot with custom encryption
|
||||
script: vault_restore.sh {{ backup_filepath }} '--decrypt' "custom_var"
|
||||
when: vault_encrypt
|
||||
register: vault_restore_script
|
||||
failed_when: vault_restore_script.rc != 0
|
||||
environment:
|
||||
KUBECONFIG: /etc/kubernetes/admin.conf
|
||||
custom_var: "{{ encrypt_hc_vault_secret }}"
|
||||
always:
|
||||
- name: Unpause vault manager
|
||||
shell: >-
|
||||
kubectl exec -n "vault" "{{ vault_manager_pod_name.stdout }}" --
|
||||
bash -c "source /opt/script/init.sh; if [ -f $PAUSEFILE ]; then rm -f $PAUSEFILE; fi" 2>&1
|
|
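Review bot: `Find snapshot` runs `ls {{ backup_filepath }}` through `shell`, so a missing file makes `ls` exit non-zero and the task itself fails before `Fail if vault snapshot tar not found` can emit its message; it also interpolates `backup_filename` unquoted into a shell command line. Replacing it with `stat: path: "{{ backup_filepath }}"` registered as `snapshot_tar_name` and checking `when: not snapshot_tar_name.stat.exists` avoids both the spurious failure and the shell interpolation. As in the backup role, the decrypt task carries the secret in `environment` without `no_log: true`, and the `always` unpause step expands `$PAUSEFILE` on the host side rather than inside the container.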
@ -0,0 +1,23 @@
|
|||
---
|
||||
#
|
||||
# Copyright (c) 2024 Wind River Systems, Inc.
|
||||
#
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
#
|
||||
- hosts: all
|
||||
gather_facts: no
|
||||
|
||||
vars_files:
|
||||
- host_vars/backup-restore/default.yml
|
||||
|
||||
vars:
|
||||
password_change: false
|
||||
vault_encrypt: false
|
||||
encrypt_hc_vault_secret: ""
|
||||
|
||||
roles:
|
||||
- role: common/prepare-env
|
||||
- role: vault/prepare_env
|
||||
become: yes
|
||||
- role: vault/vault_backup
|
||||
become: yes
|
|
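Review bot: `gather_facts: no` and `become: yes` use YAML 1.1 truthy words, which yamllint's `truthy` rule flags and which read inconsistently next to `password_change: false` and `vault_encrypt: false` in the same play; `gather_facts: false` and `become: true` would be the canonical spelling, and the same applies to the restore playbook. `password_change: false` is not referenced by any of the vault tasks in this commit; if `common/prepare-env` consumes it, a short comment naming that consumer would help the next reader.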
@ -0,0 +1,22 @@
|
|||
---
|
||||
#
|
||||
# Copyright (c) 2024 Wind River Systems, Inc.
|
||||
#
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
#
|
||||
- hosts: all
|
||||
gather_facts: no
|
||||
|
||||
vars_files:
|
||||
- host_vars/backup-restore/default.yml
|
||||
|
||||
vars:
|
||||
password_change: false
|
||||
vault_encrypt: false
|
||||
encrypt_hc_vault_secret: ""
|
||||
|
||||
roles:
|
||||
- role: common/prepare-env
|
||||
- role: vault/prepare_env
|
||||
- role: vault/vault_restore
|
||||
become: yes
|
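Review bot: `vault/prepare_env` runs without `become` here, whereas the backup playbook gives the same role `become: yes`; prepare_env reads `/etc/kubernetes/admin.conf` via KUBECONFIG, sources `/etc/platform/openrc` and creates the `vault` subdirectory, all of which presumably need root, so the restore flow likely fails inside prepare_env before reaching `vault/vault_restore`. Adding `become: true` to the `vault/prepare_env` entry brings it in line with the backup playbook.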