Closed by kieron-dev 1 day ago
I've added scripts for exporting and importing Vault secrets in the secrets repo.
Notes for postgres here: https://www.vaultproject.io/docs/configuration/storage/postgresql
See https://github.com/cloudfoundry/cf-k8s-secrets/commit/c884f1b4a319814a3d9b0d0f53a26ec462c03fb8, https://github.com/cloudfoundry/cf-k8s-secrets/commit/c5896617183fb5e382a95ea08d2cb385f69404f8, https://github.com/cloudfoundry/cf-k8s-secrets/commit/9e1eae4d0882344f7b7e6f0e0d33d02d980e3b21 and https://github.com/cloudfoundry/cf-k8s-secrets/commit/ac27b89b55c8bc59b534d34014d20e8bb2fa34b4
Background
We have enabled HA in the helm chart, and specified raft as the backend. This uses PVCs. So backups are down to us.
We could instead configure Vault to use postgres. We already have a postgres database in GCP SQL which is used for concourse. We can use the same database. That will give us automatic backups and point-in-time recovery.
Action to take
Change the Vault deployment to use postgres with HA rather than raft.
Impact
Backups will automatically be taken care of by GCP.
Dev Notes
This issue might provide an example of how to do the configuration, since the helm documentation doesn't seem to cover it.
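
The change described above, as an added example that is not taken from this issue or the cf-k8s-secrets repo: a values fragment for the hashicorp/vault Helm chart that moves HA storage from raft to the `postgresql` backend. The Secret names `vault-pg` and `vault-tls` and the connection string shape are assumptions; Vault does not create its tables, so the schema from the storage docs linked above has to be applied to the database first.

```yaml
# Added example; Secret names vault-pg and vault-tls are hypothetical.
global:
  tlsDisable: false                 # probes and VAULT_ADDR use https
server:
  dataStorage:
    enabled: false                  # no PVC: state lives in Postgres
  # The connection string comes from a Kubernetes Secret, not this file.
  # Vault reads VAULT_PG_CONNECTION_URL in place of connection_url.
  extraSecretEnvironmentVars:
    - envName: VAULT_PG_CONNECTION_URL
      secretName: vault-pg          # hypothetical Secret
      # constructed value shape:
      # postgres://USER:PASS@HOST:5432/DB?sslmode=verify-full
      secretKey: connection_url
  extraVolumes:
    - type: secret
      name: vault-tls               # hypothetical; mounted under /vault/userconfig/vault-tls
  ha:
    enabled: true
    replicas: 3
    raft:
      enabled: false                # raft and its PVCs are no longer used
    # This string replaces the chart's default HA config entirely,
    # so the listener and service registration must be restated.
    config: |
      ui = true
      listener "tcp" {
        address         = "[::]:8200"
        cluster_address = "[::]:8201"
        tls_cert_file   = "/vault/userconfig/vault-tls/tls.crt"
        tls_key_file    = "/vault/userconfig/vault-tls/tls.key"
      }
      storage "postgresql" {
        table      = "vault_kv_store"   # default table name
        ha_enabled = "true"             # string, not boolean
        ha_table   = "vault_ha_locks"   # default HA lock table
      }
      service_registration "kubernetes" {}
```

Switching the storage stanza does not carry over existing raft data; the secrets have to be moved separately, for instance with the export and import scripts mentioned at the top of this issue.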