Merge "Ansible playbooks for vault backup and restore"

playbookconfig/src/playbooks/roles/vault/prepare_env/tasks/main.yml

@@ -0,0 +1,73 @@
+---
+#
+# Copyright (c) 2024 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+- name: Validate initial_backup_dir is supplied
+  fail:
+    msg: "--initial_backup_dir variable not provided"
+  when: not initial_backup_dir
+
+- name: Validate initial_backup_dir exists
+  stat:
+    path: "{{ initial_backup_dir }}"
+  register: initial_backup_dir_exists
+
+- name: Fail if initial_backup_dir does not exists
+  fail:
+    msg: "Directory initial_backup_dir: {{ initial_backup_dir }} does not exist"
+  when: not initial_backup_dir_exists.stat.exists
+
+- name: Set vault backup directory fact
+  set_fact:
+    vault_backup_dir: "{{ initial_backup_dir }}/vault"
+
+- name: Create vault subdirectory in initial_backup_dir
+  file:
+    path: "{{ vault_backup_dir }}"
+    state: directory
+
+- name: Check if encrypt is enabled
+  set_fact:
+    vault_encrypt: true
+  when: encrypt_hc_vault_secret | length > 0
+
+# check if vault is applied
+- name: Check if vault is applied
+  shell: |
+    source /etc/platform/openrc
+    system application-show vault --format value --column status
+  register: vault_applied_exists
+
+- name: Fail if vault is not applied
+  fail:
+    msg: "Vault application is not applied"
+  when: vault_applied_exists.stdout != "applied"
+
+- name: Find vault manager pod
+  shell: >-
+    kubectl get pods -n vault | grep "vault-manager" | cut -d " " -f 1
+  register: vault_manager_pod_name
+  environment:
+    KUBECONFIG: /etc/kubernetes/admin.conf
+
+- name: Fail if vault manager pod is not found
+  fail:
+    msg: "Vault manager pod is not found"
+  when: vault_manager_pod_name.stdout | length == 0
+
+# check vault system health
+- name: Check vault system health
+  shell: >-
+    kubectl exec -n "vault" "{{ vault_manager_pod_name.stdout }}" --
+    bash -c "source /opt/script/init.sh; snapshotPreCheck" 2>&1
+  register: vault_system_health
+  environment:
+    KUBECONFIG: /etc/kubernetes/admin.conf
+
+- name: Fail if vault health check returns error
+  fail:
+    msg: "Vault system health check returned error"
+  when: vault_system_health.rc != 0

playbookconfig/src/playbooks/roles/vault/vault_backup/tasks/main.yml

@@ -0,0 +1,28 @@
+---
+#
+# Copyright (c) 2024 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+- name: Create vault snapshot
+  block:
+    - name: Create vault snapshot with default encryption
+      script: vault_snapshot.sh {{ vault_backup_dir }}
+      when: not vault_encrypt
+      register: vault_snapshot_script
+      failed_when: vault_snapshot_script.rc != 0
+
+    - name: Create vault snapshot with custom encryption
+      script: vault_snapshot.sh {{ vault_backup_dir }} '--encrypt' "custom_var"
+      when: vault_encrypt
+      register: vault_snapshot_script
+      failed_when: vault_snapshot_script.rc != 0
+  environment:
+    KUBECONFIG: /etc/kubernetes/admin.conf
+    custom_var: "{{ encrypt_hc_vault_secret }}"
+  always:
+    - name: Unpause vault manager
+      shell: >-
+        kubectl exec -n "vault" "{{ vault_manager_pod_name.stdout }}" --
+        bash -c "source /opt/script/init.sh; if [ -f $PAUSEFILE ]; then rm -f $PAUSEFILE; fi" 2>&1

playbookconfig/src/playbooks/roles/vault/vault_restore/tasks/main.yml

@@ -0,0 +1,43 @@
+---
+#
+# Copyright (c) 2024 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+- name: Set backup file path
+  set_fact:
+    backup_filepath: "{{ vault_backup_dir }}/{{ backup_filename }}"
+
+- name: Find snapshot
+  shell: |
+    ls {{ backup_filepath }}
+  register: snapshot_tar_name
+
+- name: Fail if vault snapshot tar not found
+  fail:
+    msg: "Vault snapshot tarball: {{ backup_filename }} was not found"
+  when: snapshot_tar_name.stdout | length == 0
+
+# call vault_restore.sh
+- name: Restore vault from the snapshot
+  block:
+    - name: Restore vault snapshot with default encryption
+      script: vault_restore.sh {{ backup_filepath }}
+      when: not vault_encrypt
+      register: vault_restore_script
+      failed_when: vault_restore_script.rc != 0
+
+    - name: Restore vault snapshot with custom encryption
+      script: vault_restore.sh {{ backup_filepath }} '--decrypt' "custom_var"
+      when: vault_encrypt
+      register: vault_restore_script
+      failed_when: vault_restore_script.rc != 0
+  environment:
+    KUBECONFIG: /etc/kubernetes/admin.conf
+    custom_var: "{{ encrypt_hc_vault_secret }}"
+  always:
+    - name: Unpause vault manager
+      shell: >-
+        kubectl exec -n "vault" "{{ vault_manager_pod_name.stdout }}" --
+        bash -c "source /opt/script/init.sh; if [ -f $PAUSEFILE ]; then rm -f $PAUSEFILE; fi" 2>&1

playbookconfig/src/playbooks/vault_backup.yml

@@ -0,0 +1,23 @@
+---
+#
+# Copyright (c) 2024 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+- hosts: all
+  gather_facts: no
+
+  vars_files:
+    - host_vars/backup-restore/default.yml
+
+  vars:
+    password_change: false
+    vault_encrypt: false
+    encrypt_hc_vault_secret: ""
+
+  roles:
+    - role: common/prepare-env
+    - role: vault/prepare_env
+      become: yes
+    - role: vault/vault_backup
+      become: yes

playbookconfig/src/playbooks/vault_restore.yml

@@ -0,0 +1,22 @@
+---
+#
+# Copyright (c) 2024 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+- hosts: all
+  gather_facts: no
+
+  vars_files:
+    - host_vars/backup-restore/default.yml
+
+  vars:
+    password_change: false
+    vault_encrypt: false
+    encrypt_hc_vault_secret: ""
+
+  roles:
+    - role: common/prepare-env
+    - role: vault/prepare_env
+    - role: vault/vault_restore
+      become: yes