Hello,

We reference the DNS name of the node with all nodes using the same TLS certificate with SAN entries for each node. When running the script on the leader (and any node) it determines that it is not the leader, and doesn't run the snapshot. All of the nodes are behind a global traffic manager so that the cluster runs in different data centers for HA. The leader refers to the FQDN of the node, however the node itself is just configured with it's own hostname. Are there any changes that I would need to make to the nodes for the script to work (or conversely any changes in the script to make it work with my configuration)?

Hi,

Can we run this agent inside a Kubernetes cluster?

Many thanks for creating this project.

All working well except when using the S3 bucket storage for configuration I am seeing 0 byte snapshots intermittently. Version and encryption is enabled on the bucket. I have tried disabling these but the agent continues to upload 0 byte snapshots.

was able to get server configured and starting but it's refusing connection at my addr value.

since i'm taking this value straight from vault config (and can connect with it via clients), i'm guessing that it's because i'm using a private cert that tls doesn't like.

in the vault client or curl, you can disable tls certificate verification (-tls-skip-verify in vault cli).

I don't see an option in the config file to do something similiar. Is there an undocumented way to acheive same? Or can I somehow modify this in go with an environment variable?

appreciate any guidance and thanks for all your hard work.

By default, the go version on ubuntu-latest is v1.15 due to os.readFile only happening since Go v1.16
The Dockerfile is already using go1.16.

I suggest to add actions on the workflow to use go 1.16

Hello, thank you for this tool.
I've already installed in my instances and the backups are working properly. There's one minor issue, every instance is executing the snapshot upload, instead of only the leader. I'm using Vault inside containers, could it be related?

➜ vault operator raft list-peers
Node                                                        Address                    State       Voter
----                                                        -------                         -----       -----
vault-internal-1.example.com    vault-internal-1.example.com:8201    follower    true
vault-internal-2.example.com    vault-internal-2.example.com:8201    leader      true
vault-internal-3.example.com    vault-internal-3.example.com:8201    follower    true

The default timeout of Vault-sdk when doing snapshot is 60s which may lead to be timed out. We'd better find a way to make is custom-able with higher values when needed.

Ref: #9

I have enabled and configured the snapshot agent as described in the instructions but when the service is started , I get the following message:

"Not running on leader node, skipping"

This is a one node cluster and it is indeed leader :
vault operator raft list-peers
Node Address State Voter

node_1 127.0.0.1:8201 leader true

Any idea how that can be fixed, because I do not know how to get a more verbose output and I am stuck with debugging.

It's been quite a while since @Lucretius was active on GitHub and the last commit to this repository was back in October 2021.

Personally, I still find this project to be really useful and use it along with Vault quite often. What does the community think about creating a fork to maintain and improve the project?

In the README.md documentation of the Kubernetes authentication mode it is specified:

vault_auth_role Specifies vault k8s auth role
vault_auth_path Specifies vault k8s auth path

This seems to be a mistake, as the configuration parameters need to be called k8s_auth_role and k8s_auth_path. See config.go.

Unfortunately go is not a language I am experienced in, but I love your project and wanted to drop the idea of adding a flag to enable structured logging.

In my setup your snapshot agent logs to a file thanks to systemd

ExecStart=/usr/local/bin/vault_raft_snapshot_agent
ExecReload=/usr/local/bin/vault_raft_snapshot_agent
StandardOutput=append:/var/log/vault_snapshots.log

Filebeat is harvesting the file and sends the data to elasticsearch, which is a data source in my grafana.
Backups are run hourly, so if there is no successful backup in the last hour according to the logs, grafana triggers an alert.

Hi,

I'd like to be able to write locally multiple times a day, but only push to AWS once a day.
Also retention would be managed differently.
I browsed the configuration documentation, and it does not seem to be possible, but would like to confirm.

Thanks.

It would be nice if the snapshots can be encrypted before being stored. For example, being encypted with a GPG key.

Hello and thanks for creating this project.

We tried using the agent in our setup, but could not get it to create snapshots even though the agent was on the leader node.
After some digging I found out how you determine if the agent is running on the leader node by checking against 8.8.8.8 with the function getInstanceIP()
The issue we faced is that we don't use IPs to reference our nodes, but instead use DNS registered names (for TLS to work)

My question is:
Is there is a reason you get node IP and compare it to LeaderClusterAddress rather than just checking the IsSelf value.
This of course assumes you query the nodes local api_addr.

Thanks again
// Jonathan

What is license that vault_raft_snapshot_agent is being created under?

I'm running the service as described here using an on-prem S3 service(not minio) as the aws endpoint. I was seeing tons of failed snaps and it appears to be in the aws s3manager sdk Upload portion. I was initially doing a 30s increment, thought that might be too much, backed it off to 30m and it is still failing 9/10 times to upload.
I also see no logs related to failed deletion even though my retain is set to 1440 and there are currently 33000+ in there after a month.

logs collected with :'sudo journalctl -u vault-snapshot.service'

2021/04/12 08:49:52 Failed to generate aws snapshot to : MultipartUpload: upload multipart failed Apr 12 08:49:52 host.local vault_raft_snapshot_agent[114297]: upload id: 22478197652 Apr 12 08:49:52 host.local vault_raft_snapshot_agent[114297]: caused by: InternalError: Apr 12 08:49:52 host.local vault_raft_snapshot_agent[114297]: status code: 500, request id: , host id: