apiVersion: batch/v1 kind: CronJob metadata: name: vault-snapshot-cronjob namespace: {{ .Release.Namespace }} labels: app.kubernetes.io/name: vault-snapshot-cronjob app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/version: {{ .Chart.AppVersion }} app.kubernetes.io/component: storage app.kubernetes.io/part-of: {{ .Release.Name }} spec: schedule: "@every 24h" successfulJobsHistoryLimit: 3 failedJobsHistoryLimit: 3 jobTemplate: spec: template: spec: restartPolicy: OnFailure containers: - name: snapshot image: hashicorp/vault:1.16.2 imagePullPolicy: IfNotPresent command: - /bin/ash args: - -ec - | apk add --no-cache jq; export VAULT_TOKEN=$(vault write auth/approle/login role_id=$VAULT_APPROLE_ROLE_ID secret_id=$VAULT_APPROLE_SECRET_ID -format=json | jq -r .auth.client_token); vault operator raft snapshot save /opt/backup/vault-snapshot-latest.snap; cp /opt/backup/vault-snapshot-latest.snap /opt/backup/vault-snapshot-$(date +"%Y%m%d-%H-%M").snap; cp /opt/backup/vault-snapshot-latest.snap /opt/backup/vault-snapshot-s3.snap; envFrom: - secretRef: name: vault-snapshot-agent-token env: - name: VAULT_ADDR value: http://vault-active.vault.svc.cluster.local:8200 volumeMounts: - mountPath: /opt/backup name: backup - name: upload image: amazon/aws-cli:2.15.42 imagePullPolicy: IfNotPresent command: - /bin/sh args: - -ec - | until [ -f /opt/backup/vault-snapshot-s3.snap ]; do sleep 5; done; aws s3 cp /opt/backup/vault-snapshot-s3.snap s3://cl01tl-vault-snapshots/vault-snapshot-$(date +"%Y%m%d-%H-%M").snap; rm /opt/backup/vault-snapshot-s3.snap; envFrom: - secretRef: name: vault-snapshot-s3 volumeMounts: - mountPath: /opt/backup name: backup volumes: - name: backup persistentVolumeClaim: claimName: vault-nfs-storage-backup