commit 430611153f69123dadb8cc409aef1eb62260cb5a
parent caa51c4ff4186d4c7185cf359b922894dedb8b65
Author: Andreas Gruhler <andreas.gruhler@adfinis.com>
Date: Sat, 27 Jul 2024 19:45:08 +0200
feat(snapshot): bao raft backup
Diffstat:
4 files changed, 54 insertions(+), 3 deletions(-)
diff --git a/hcl/infra/snapshots/README b/hcl/infra/snapshots/README
@@ -1,7 +1,7 @@
NOMAD SNAPSHOTS
---------------
-Run periodic Raft state snapshots for Nomad and store snapshots on NFS.
+Run periodic Raft state snapshots for Nomad or bao. Store snapshots on NFS.
This creates a parameterized job:
- https://www.nomadproject.io/docs/job-specification/parameterized
@@ -12,9 +12,22 @@ nomad run nomad-snapshots.nomad
The jobs can be dispatched to take snapshots of Nomad state:
- nomad job dispatch -meta service=nomad snapshot
- nomad job dispatch -meta service=nomad-var snapshot
+- nomad job dispatch -meta service=bao snapshot
The service meta parameter is required.
+NOMAD WORKLOAD IDENTITY
+-----------------------
+
+To login at bao, prepare the JWT role first:
+
+ bao write auth/jwt-nomad/role/snapshot @vault-jwt-snapshot.json
+
+The bound claims require the job running with/in:
+- Nomad Job ID: "snapshot/dispatch-*"
+- Nomad namespace: "infra"
+- Nomad task: "snapshot-save"
+
EXEC DRIVER
-----------
diff --git a/hcl/infra/snapshots/nomad-snapshots.nomad b/hcl/infra/snapshots/nomad-snapshots.nomad
@@ -2,6 +2,12 @@ job "snapshot" {
datacenters = ["dc1"]
type = "batch"
+ vault {
+ role = "snapshot"
+ # export VAULT_TOKEN for use in snapshot.sh script
+ env = true
+ }
+
parameterized {
payload = "forbidden"
meta_required = ["service"]
@@ -33,6 +39,14 @@ job "snapshot" {
task "snapshot-save" {
driver = "exec"
+ env {
+ NOMAD_ADDR = "https://127.0.0.1:4646"
+ # only save variables from default namespace
+ NOMAD_NAMESPACE = "default"
+ NOMAD_SKIP_VERIFY = 1
+ VAULT_SKIP_VERIFY = 1
+ }
+
template {
destination = "${NOMAD_TASK_DIR}/snapshot.sh"
data = file("./templates/snapshot.sh.tmpl")
@@ -52,8 +66,8 @@ job "snapshot" {
}
resources {
- memory = 16
- cpu = 100
+ memory = 128
+ cpu = 200
}
}
}
diff --git a/hcl/infra/snapshots/templates/snapshot.sh.tmpl b/hcl/infra/snapshots/templates/snapshot.sh.tmpl
@@ -21,6 +21,10 @@ case "$1" in
nomad var get -out json $v >> nomad-var-{{ timestamp "20060102" }}-{{ timestamp "unix" }}.dump
done
;;
+ bao)
+ # use VAULT_TOKEN from nomad workload identity
+ bao operator raft snapshot save bao-raft-{{ timestamp "20060102" }}-{{ timestamp "unix" }}.snap
+ ;;
*)
echo "Usage: $0 nomad"
;;
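Review bot: The fallback branch still prints `Usage: $0 nomad` although the case now accepts three services, so a wrong dispatch parameter gets a misleading hint; `echo "Usage: $0 {nomad|nomad-var|bao}"` would match the accepted values. The new `bao)` arm also does not check the exit status of `bao operator raft snapshot save`, so unless the script sets `-e` outside this hunk a failed or unauthenticated snapshot leaves no file and still lets the job finish as successful; a `|| exit 1` on that line would make the dispatch fail visibly. The `case "$1" in` statement starts before the hunk.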
diff --git a/hcl/infra/snapshots/vault-jwt-snapshot.json b/hcl/infra/snapshots/vault-jwt-snapshot.json
@@ -0,0 +1,20 @@
+{
+ "role_type": "jwt",
+ "bound_audiences": ["vault.in0rdr.ch"],
+ "bound_claims_type": "glob",
+ "bound_claims": {
+ "nomad_job_id": "snapshot/dispatch-*",
+ "nomad_namespace": "infra",
+ "nomad_task": "snapshot-save"
+ },
+ "user_claim": "nomad_job_id",
+ "claim_mappings": {
+ "nomad_namespace": "nomad_namespace",
+ "nomad_job_id": "nomad_job_id",
+ "nomad_task": "nomad_task"
+ },
+ "token_type": "service",
+ "token_policies": ["snapshot"],
+ "token_period": "10m",
+ "token_explicit_max_ttl": 0
+}
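Review bot: `"token_period": "10m"` together with `"token_explicit_max_ttl": 0` issues a periodic service token that stays renewable indefinitely, while the consumer is a batch task that runs one snapshot command and exits. A bounded lifetime fits that better, for example `"token_explicit_max_ttl": "1h"` (constructed value; pick what the longest snapshot run needs) or dropping `token_period` in favour of a short `token_ttl`. Note also that `"bound_claims_type": "glob"` applies glob matching to every entry in `bound_claims`, not only to `nomad_job_id`; the other two values contain no wildcard characters, so this is fine today but worth a comment in the README if they are ever changed. The `snapshot` policy referenced in `token_policies` is not part of this commit, so its scope cannot be reviewed here.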