Platform Application Components Upversion - Vault

Updated Patchset 5 comments Updated Patchset 4 comments Updated Patchset 3 comments Story: 2011073 Task: 50155 Change-Id: Id3bf0b1f06020f84f6fe384c5c7f5d05626e409d Signed-off-by: Juanita Balaraj <juanita.balaraj@windriver.com>
2024-09-05 21:00:20 +00:00 · 2024-09-05 21:00:20 +00:00 · ea14dcf605
commit ea14dcf605
parent df3788d0b3
8 changed files with 272 additions and 15 deletions
--- a/doc/source/backup/kubernetes/backing-up-starlingx-system-data.rst
+++ b/doc/source/backup/kubernetes/backing-up-starlingx-system-data.rst
@ -32,7 +32,9 @@ Contents of System Backup

 .. _backing-up-starlingx-system-data-ul-s3t-bz4-kjb:

-The following content is included in the backup:
+The following content is included in the backup list:
+
+- Hashicorp Vault contents (when ``backup_hc_vault`` ansible option is selected)

 - All platform configuration data required to fully restore the system to a
  working state following the platform restore procedure.
@ -76,6 +78,9 @@ System Backup Size

 Consider the following for backup size:

+- The size of the backup for the Vault application depends on the amount of data
+  stored in the Vault.
+
 - The base size of a platform system backup sizes range from 10MB to 30MB,
  depending on the size of the system and deployment. |AIO-SX| systems are
  typically 20MB or less.
--- a/doc/source/backup/kubernetes/index-backup-kub-699e0d16c076.rst
+++ b/doc/source/backup/kubernetes/index-backup-kub-699e0d16c076.rst
@ -22,7 +22,9 @@ System and storage restore

   restoring-starlingx-system-data-and-storage
   running-restore-playbook-locally-on-the-controller
+   run-hashicorp-vault-restore-playbook-locally-on-the-controller-10daacd4abdc
   system-backup-running-ansible-restore-playbook-remotely
+   run-hashicorp-vault-restore-playbook-remotely-436250ea3ed7
   node-replacement-for-aiominussx-using-optimized-backup-and-restore-6603c650c80d


--- a/doc/source/backup/kubernetes/restoring-starlingx-system-data-and-storage.rst
+++ b/doc/source/backup/kubernetes/restoring-starlingx-system-data-and-storage.rst
@ -83,6 +83,9 @@ conditions are in place:
    accessible remotely, if restore is done by running Ansible Restore playbook
    remotely.

+-   If ``backup encryption`` is enabled during platform backup, you have the
+    encryption passphrase needed to decrypt the archive file.
+
 -   You have the original |prod| ISO installation image available on a USB
    flash drive. It is mandatory that you use the exact same version of the
    software used during the original installation, otherwise the restore
@ -395,6 +398,14 @@ conditions are in place:
            $ system application-upload |prefix|-openstack-20.12-0.tgz
            $ system application-apply |prefix|-openstack

+#. If Hashicorp Vault data was also backed up, it can be restored using the
+   vault_restore playbook. For more information on Hashicorp Vault restore
+   see:
+
+   -  :ref:`Run Hashicorp Vault Restore Playbook Locally on the Controller <run-hashicorp-vault-restore-playbook-locally-on-the-controller-10daacd4abdc>`
+
+   -  :ref:`Run Hashicorp Vault Restore Playbook Remotely <run-hashicorp-vault-restore-playbook-remotely-436250ea3ed7>`.
+
 #. Run the :command:`system restore-complete` command.

   .. code-block:: none
--- a/doc/source/backup/kubernetes/run-hashicorp-vault-restore-playbook-locally-on-the-controller-10daacd4abdc.rst
+++ b/doc/source/backup/kubernetes/run-hashicorp-vault-restore-playbook-locally-on-the-controller-10daacd4abdc.rst
@ -0,0 +1,77 @@
+.. WARNING: Add no lines of text between the label immediately following
+.. and the title.
+
+.. _run-hashicorp-vault-restore-playbook-locally-on-the-controller-10daacd4abdc:
+
+==============================================================
+Run Hashicorp Vault Restore Playbook Locally on the Controller
+==============================================================
+
+Similar to platform restore, Hashicorp Vault restore backup files must be on
+the active controller.
+
+You can use an external storage device, for example, a USB drive. Use the
+following command to run the Hashicorp Vault Restore playbook:
+
+.. code-block:: none
+
+    ~(keystone_admin)]$ ansible-playbook /usr/share/ansible/stx-ansible/playbooks/vault_restore.yml -e "initial_backup_dir=<location_of_tarball> backup_filename=<backup_filename> on_box_data=<true/false>"
+
+Below you can find other ``-e`` command line options:
+
+**Common**
+
+``-e "initial_backup_dir=/home/sysadmin"``
+    Where the backup .tgz files are located on the box.
+
+``-e backup_filename=localhost_hc_vault_backup.tgz``
+    The basename of the platform backup tgz. The full path will be a
+    combination ``{{initial_backup_dir}/{backup_filename}}}``
+
+``-e backup_encryption_enabled=false``
+    If ``backup encryption`` is selected during platform backup, then this option
+    is also required when you run the Vault restore procedure. The archive file
+    of Vault backup contains metadata which indicates whether the snapshot was
+    encrypted with a user supplied passphrase, for example:
+
+    .. code-block:: none
+
+        [sysadmin@controller-0 ~(keystone_admin)]$ VAULT_ARCHIVE=/opt/platform-backup/localhost_hc_vault_backup_2024_07_17_18_00_24.tgz
+
+        [sysadmin@controller-0 ~(keystone_admin)]$ METAF="$( tar tf $VAULT_ARCHIVE | grep "tar.metadata$" )"
+
+        [sysadmin@controller-0 ~(keystone_admin)]$ tar xf "$VAULT_ARCHIVE" -O "$METAF" | jsonpath.py 'user_encrypted'
+
+    Select the ``backup_encryption_enabled`` option if user_encrypted is 'true'
+    in the metadata.
+
+``-e backup_encryption_passphrase=<encryption_password>``
+    When ``backup_encryption_enabled`` is set to true, then the
+    ``backup_encryption_passphrase`` option is also required. Consider using
+    ansible-vault to store and specify passwords.
+
+(Optional): You can set these options to specify the backup file location:
+
+-  To define a convenient place to store the backup files, defined by
+   ``initial-backup_dir``, on the system (such as the home folder for sysadmin,
+   or /tmp, or even a mounted USB device), use the ``on_box_data=true/false``
+   parameter.
+
+   If this parameter is set to true, Hashicorp Vault playbook will look
+   for the backup file provided on the target server. The parameter
+   ``initial_backup_dir`` can be omitted from the command line. In this
+   case, the backup file will be under ``/opt/platform-backup`` directory.
+
+   If this parameter is set to false, the Hashicorp Vault playbook will
+   look for backup files provided on the Ansible controller. In this
+   case, both the ``initial_backup_dir`` and ``backup_filename`` must be
+   specified in the command.
+
+    Example of a backup file in ``/home/sysadmin``:
+
+    .. code-block:: none
+
+        ~(keystone_admin)]$ ansible-playbook /usr/share/ansible/stx-ansible/playbooks/vault_restore.yml -e "initial_backup_dir=/home/sysadmin backup_filename=localhost_hc_vault_backup_2020_07_27_07_48_48.tgz"
+
+
+
--- a/doc/source/backup/kubernetes/run-hashicorp-vault-restore-playbook-remotely-436250ea3ed7.rst
+++ b/doc/source/backup/kubernetes/run-hashicorp-vault-restore-playbook-remotely-436250ea3ed7.rst
@ -0,0 +1,114 @@
+.. WARNING: Add no lines of text between the label immediately following
+.. and the title.
+
+.. _run-hashicorp-vault-restore-playbook-remotely-436250ea3ed7:
+
+=============================================
+Run Hashicorp Vault Restore Playbook Remotely
+=============================================
+
+In this method you can run Ansible Hashicorp Vault playbook and point to controller-0.
+
+.. rubric:: |prereq|
+
+.. _system-backup-running-ansible-restore-playbook-remotely-ul-ylm-g44-bkb:
+
+-   It is recommended that you have Ansible version 2.7.5 or higher installed
+    on your remote workstation. Copy the Ansible Backup/Restore playbooks
+    from directory ``/usr/share/ansible/stx-ansible/playbooks/``.
+
+-   Your network has IPv6 connectivity before running Ansible Playbook, if
+    the system configuration is IPv6.
+
+.. rubric:: |proc|
+
+.. _system-backup-running-ansible-restore-playbook-remotely-steps-sgp-jjc-ljb:
+
+#.  Log in to the remote workstation.
+
+    You can log in directly on the console or remotely using :command:`ssh`.
+
+#.  Provide an inventory file, either a customized one that is specified
+    using the ``-i`` option, or the default one that is in the Ansible
+    configuration directory (that is, /etc/ansible/hosts). You must
+    specify the floating |OAM| IP of the controller host. For example, if the
+    host name is |prefix|\_Cluster, the inventory file should have an entry
+    called |prefix|\_Cluster.
+
+    .. parsed-literal::
+
+        ---
+        all:
+          hosts:
+            wc68:
+              ansible_host: 128.222.100.02
+            |prefix|\_Cluster:
+              ansible_host: 128.224.141.74
+
+#.  Run the Ansible Hashicorp Vault playbook.
+
+    .. code-block:: none
+
+        ~(keystone_admin)]$ ansible-playbook path-to-hashicorp-vault-restore-playbook-entry-file --limit host-name -i inventory-file -e optional-extra-vars
+
+    where ``optional-extra-vars`` can be:
+
+    -   To set a convenient place to store the backup files defined by
+        initial-backup_dir on the system (such as the home folder for sysadmin,
+        or /tmp, or even a mounted USB device), use the following parameter:
+
+        .. code-block::
+
+           on_box_data=true/false
+
+        If this parameter is set to true, Ansible Hashicorp Vault playbook will look
+        for the backup file provided on the target server. The parameter
+        ``initial_backup_dir`` can be omitted from the command line. In this
+        case, the backup file will be under ``/opt/platform-backup`` directory.
+
+        If this parameter is set to false, the Ansible Hashicorp Vault playbook will
+        look for a backup file provided on the Ansible controller. In this
+        case, both the ``initial_backup_dir`` and ``backup_filename`` must be
+        specified in the command.
+
+    -   ``backup_filename`` is the platform backup tar file. It must be
+        provided using the ``-e`` option on the command line, for example:
+
+        .. code-block:: none
+
+           -e backup_filename= localhost_hc_vault_backup_2019_07_15_14_46_37.tgz
+
+    -   The ``initial_backup_dir`` is the location where the platform backup
+        tar file is placed to restore the platform. It must be provided using
+        ``-e`` option on the command line.
+
+        .. note::
+
+            When ``on_box_data=false``, ``initial_backup_dir`` must be defined.
+
+    -   The :command:`admin_password`, :command:`ansible_become_pass`,
+        and :command:`ansible_ssh_pass` need to be set correctly using
+        the ``-e`` option on the command line or in the Ansible secret file.
+        :command:`ansible_ssh_pass` is the password to the sysadmin user
+        on controller-0.
+
+    -   If ``backup encryption`` was enabled when the Vault backup was taken
+        then the options ``backup_encryption_enabled=true`` and
+        ``backup_encryption_passphrase="<encryption_password>`` are also
+        required when restoring the Vault snapshot. Consider storing the
+        ``backup_encryption_passphrase`` in the Ansible secret file.
+
+        The archive file of the Vault backup contains metadata which indicates
+        whether the snapshot was encrypted with user supplied passphrase,
+        for example:
+
+        .. code-block:: none
+
+            [sysadmin@controller-0 ~(keystone_admin)]$ VAULT_ARCHIVE=/opt/platform-backup/localhost_hc_vault_backup_2024_07_17_18_00_24.tgz
+
+            [sysadmin@controller-0 ~(keystone_admin)]$ METAF="$( tar tf $VAULT_ARCHIVE | grep "tar.metadata$" )"
+
+            [sysadmin@controller-0 ~(keystone_admin)]$ tar xf "$VAULT_ARCHIVE" -O "$METAF" | jsonpath.py 'user_encrypted'
+
+        Select the ``backup_encryption_enabled`` option if ``user_encrypted``
+        is 'true' in the metadata.
--- a/doc/source/backup/kubernetes/running-ansible-backup-playbook-locally-on-the-controller.rst
+++ b/doc/source/backup/kubernetes/running-ansible-backup-playbook-locally-on-the-controller.rst
@ -56,7 +56,7 @@ Following are the ``-e`` command line options:
    Used in conjunction with optimized restore. This will create a backup of
    ``registry.local``. The file generated by this flag will be named according to the
    pattern ``<inventory_hostname>_image_registry_backup_<timestamp>.tgz``.
-  
+
 **Common**

 ``-e backup_dir=/opt/backups``
@ -66,9 +66,31 @@ Following are the ``-e`` command line options:
    When set to true, the backup playbook is allowed to be run on an unhealthy
    system. This is needed in some extreme cases.

-    .. warning::
+.. warning::

-        Restoring a backup from an unhealthy system will lead to undefined behavior and/or failure.
+    Restoring a backup from an unhealthy system will lead to undefined behavior
+    and/or failure.
+
+
+``-e backup_encryption_enabled=false``
+    When set to true, the platform backup file and Hashicorp Vault backup will
+    be encrypted. When this option is true then ``backup_encryption_passphrase``
+    is also requierd. The platform backup file will have a ".gpg" extension when
+    encrypted. The Hashicorp Vault snapshot is encrypted before it is written
+    to disk, so that the backup file remains a tar file.
+
+``-e backup_encryption_passphrase=<encryption_password>``
+    When ``backup_encryption_enabled`` is set to true, then the
+    ``backup_encryption_passphrase`` option is also required.
+
+.. note::
+
+    It is also recommended to put the ``backup_encryption_passphrase`` into
+    ansible-vault.
+
+``-e backup_hc_vault=false``
+    When set to true, the backup playbook will also backup the Hashicorp Vault
+    application, if the application is applied in the system.

 To exclude a directory and all the files in it like ``/var/home*`` you can use
 the optional parameter ``-e "exclude_dirs=/var/home/**,/var/home"``.
@ -109,6 +131,7 @@ command if the file needs to be edited after it is created.
   admin_password: "<admin_password>"
   backup_registry_filesystem: "true"
   exclude_dirs: /var/home/**,/var/home"
+   backup_encryption_passphrase: "<encryption_password>"
   ...
   EOF

@ -130,15 +153,17 @@ system configuration.

 .. _running-ansible-backup-playbook-locally-on-the-controller-ul-wj1-vxh-pmb:

-   ``inventory_hostname_platform_backup_timestamp.tgz``
+-   inventory_hostname_platform_backup_timestamp.tgz

-   ``inventory_hostname_wr-openstack_backup_timestamp.tgz``
+-   inventory_hostname_wr-openstack_backup_timestamp.tgz

-   ``inventory_hostname_user_images_backup_timestamp.tgz``
+-   inventory_hostname_user_images_backup_timestamp.tgz

-   ``inventory_hostname_dc_vault_backup_timestamp.tgz``
+-   inventory_hostname_dc_vault_backup_timestamp.tgz

-   ``inventory_hostname_image_registry_backup_timestamp.tgz``
+-   inventory_hostname_image_registry_backup_timestamp.tgz
+
+-   inventory_hostname_hc_vault_backup_timestamp.tgz

 The output files' prefixes can be overridden with the following variables
 using the ``-e`` option on the command line or by using an override file.
@ -157,20 +182,27 @@ using the ``-e`` option on the command line or by using an override file.

 -   registry_filesystem_backup_filename_prefix

+-   hc_vault_backup_filename_prefix
+
 The generated backup tar files will be displayed in the following format, when
 custom prefixes are not specified, for example:

 .. _running-ansible-backup-playbook-locally-on-the-controller-ul-p3b-f13-pmb:

-   ``localhost_docker_local_registry_backup_2020_07_15_21_24_22.tgz``
+-   localhost_docker_local_registry_backup_2024_07_15_21_24_22.tgz

-   ``localhost_platform_backup_2020_07_15_21_24_22.tgz``
+-   localhost_platform_backup_2024_07_15_21_24_22.tgz

-   ``localhost_openstack_backup_2020_07_15_21_24_22.tgz``
+-   localhost_openstack_backup_2024_07_15_21_24_22.tgz

-   ``localhost_dc_vault_backup_2020_07_15_21_24_22.tgz``
+-   localhost_dc_vault_backup_2024_07_15_21_24_22.tgz

-   ``localhost_image_registry_backup_2020_07_15_21_24_22.tgz``
+-   localhost_image_registry_backup_2024_07_15_21_24_22.tgz
+
+-   localhost_hc_vault_backup_2024_07_15_21_24_22.tgz
+
+When encryption is enabled, the platform backup file will have a ".gpg" extension,
+for example, "localhost_platform_backup_2024_07_15_21_24_22.tgz.gpg"

 These files are located by default in the ``/opt/backups`` directory on
 controller-0, and contains the complete system backup.
--- a/doc/source/backup/kubernetes/running-restore-playbook-locally-on-the-controller.rst
+++ b/doc/source/backup/kubernetes/running-restore-playbook-locally-on-the-controller.rst
@ -44,6 +44,16 @@ Below you can find other ``-e`` command line options:
    The basename of the platform backup tgz.  The full path will be a
    combination ``{initial_backup_dir}/{backup_filename}``

+``-e backup_encryption_enabled=false``
+    If ``backup encryption`` is selected during platform backup, then this option
+    is also required when you run the platform restore procedure. Select this
+    option if the platform backup archive file includes the '.gpg' extension.
+
+``-e backup_encryption_passphrase=<encryption_password>``
+    When ``backup_encryption_enabled`` is set to true, then the
+    ``backup_encryption_passphrase`` option is also required. Consider using
+    ansible-vault to store and specify passwords.
+
 .. _running-restore-playbook-locally-on-the-controller-steps-usl-2c3-pmb:

 (Optional): You can select one of the following restore modes:
--- a/doc/source/backup/kubernetes/system-backup-running-ansible-restore-playbook-remotely.rst
+++ b/doc/source/backup/kubernetes/system-backup-running-ansible-restore-playbook-remotely.rst
@ -71,7 +71,7 @@ In this method you can run Ansible Restore playbook and point to controller-0.

           wipe_ceph_osds=true

-    -   To set a convinient place to store the backup files defined by
+    -   To set a convenient place to store the backup files defined by
        ``initial-backup_dir`` on the system (such as the home folder for
        sysadmin, or /tmp, or even a mounted USB device), use the following
        parameter:
@ -111,6 +111,12 @@ In this method you can run Ansible Restore playbook and point to controller-0.
        :command:`ansible_ssh_pass` is the password to the sysadmin user
        on controller-0.

+    -   If ``backup encryption`` was enabled during a platform backup then the
+        options ``backup_encryption_enabled=true`` and
+        ``backup_encryption_passphrase="<encryption_password>"`` are also
+        required when restoring the platform. Consider storing the
+        ``backup_encryption_passphrase`` in the Ansible secret file.
+
    -   The :command:`ansible_remote_tmp` should be set to a new directory (not
        required to create it ahead of time) under ``/home/sysadmin`` on
        controller-0 using the ``-e`` option on the command line.