Automatic backups of HashiCorp Vault
Note
This guide refers to the Vault cluster that can be deployed with Tarook through yk8s.k8s-service-layer.vault.
The instance of Vault used by Tarook to store secrets will be referred to as “secrets backend”.
Tarook uses the vaultbackup Helm chart maintained by Yaook
for periodically backing up HashiCorp Vault to an S3 bucket.
Automatic backups of HashiCorp Vault can be enabled with the yk8s.k8s-service-layer.vault.enable_backups configuration option. Location of and credentials for the S3 bucket must be provided through yk8s.k8s-service-layer.vault.backup_s3_bucket and yk8s.k8s-service-layer.vault.s3_config_file.
Prerequisites
yk8s.k8s-service-layer.vault.enabled set to true
An S3 bucket that is accessible from within your cluster and the credentials for uploading files to that bucket
A Vault root token for storing the bucket credentials in Tarook’s secrets backend
Setup steps
Enable automatic backups in Tarook’s configuration
Set yk8s.k8s-service-layer.vault.enable_backups to true
Configure the bucket location and credentials in a file and upload it to the secrets backend
Set yk8s.k8s-service-layer.vault.s3_config_file and create that file relative to ./config/ in your cluster repository.
See the description of the config option for details on file format and content.
Upload to the secrets backend
    $ VAULT_TOKEN=${vault_root_token:?} managed-k8s/tools/vault/update.sh
    ..........
    -----------------------------------------------
    Trying to import Vault backup config ...
    ..........
    Successfully imported Vault S3 object storage configuration into Vault.
    Removing Vault S3 backup config/vault-backup-bucket.yaml
    -----------------------------------------------
    ..........
    $
Set yk8s.k8s-service-layer.vault.backup_s3_bucket to your bucket’s name (vault-backup by default)
Roll out the configuration
    VAULT_TOKEN=${vault_orchestrator_token:?} \
        ./managed-k8s/actions/apply-k8s-supplements.sh install-vault.yaml
Verify backups are working
Trigger a backup run
Run backup-now in the backup-creator container of the vault-backup Pod.
    $ vault_namespace="$( \
    >     ansible-inventory -i inventory/yaook-k8s/ --list --export \
    >     | jq --raw-output .all.vars.yaook_vault_namespace \
    > )"
    $ vault_backup_pod="$( \
    >     kubectl get pods \
    >     --namespace="${vault_namespace:?}" \
    >     --selector=yaook.cloud/component=vault-backup \
    >     --output=name \
    >     | head -1 \
    > )"
    $ kubectl exec \
    >     --namespace="${vault_namespace:?}" \
    >     "${vault_backup_pod:?}" \
    >     --container=backup-creator \
    >     -- backup-now
    ..........
    2026-03-19 14:32:09,310 - backup_creator - INFO - Running backup job
    ..........
    2026-03-19 14:32:09,657 - backup_creator - INFO - Backup finished
    ..........
    $
Verify that backups are uploaded to the S3 bucket
Watch the logs of the backup-shifter container of the vault-backup Pod. New backups are uploaded automatically.
    $ kubectl logs \
    >     --namespace="${vault_namespace:?}" \
    >     "${vault_backup_pod:?}" \
    >     --container=backup-shifter \
    >     --timestamps=true \
    >     --since=5m
    ..........
    2026-03-19T14:32:10.476553346Z INFO:root:Upload successfull
    ..........
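The two manual checks above can be combined into one scripted check. The following is an added example, not part of the original guide or of Tarook: it confirms that an upload was logged at or after the last finished backup, so an older upload still inside the --since window is not mistaken for the new one. The function names and the timestamp prefixes in the sample input are assumptions; the message texts are the ones shown above.

```shell
#!/bin/sh
# Added example, not part of Tarook or the vaultbackup chart.
# Input: `kubectl logs --timestamps=true` output of both containers, so
# every line starts with an RFC 3339 UTC timestamp added by kubectl.
# Assumption: the log messages read exactly as in the guide's sample output.

# last_event_time LOG TEXT: print the kubectl timestamp (cut to whole
# seconds) of the last line in LOG containing TEXT; print nothing if absent.
last_event_time() {
    printf '%s\n' "$1" | awk -v text="$2" '
        index($0, text) { ts = substr($0, 1, 19) }
        END { if (ts != "") print ts }'
}

# backup_uploaded CREATOR_LOG SHIFTER_LOG
#   0: an upload was logged at or after the last finished backup
#   1: the newest upload is older than the last backup (stale success)
#   2: no finished backup or no upload found in the logs
backup_uploaded() {
    finished="$(last_event_time "$1" 'Backup finished')"
    uploaded="$(last_event_time "$2" 'Upload successfull')"
    if [ -z "$finished" ] || [ -z "$uploaded" ]; then
        return 2
    fi
    # Timestamps of equal length in UTC sort correctly as plain strings.
    newest="$(printf '%s\n%s\n' "$finished" "$uploaded" | LC_ALL=C sort | tail -n 1)"
    [ "$newest" = "$uploaded" ]
}

# Constructed sample input (messages taken from the guide, prefixes made up).
SAMPLE_CREATOR_LOG='2026-03-19T14:32:09.310871204Z 2026-03-19 14:32:09,310 - backup_creator - INFO - Running backup job
2026-03-19T14:32:09.657412811Z 2026-03-19 14:32:09,657 - backup_creator - INFO - Backup finished'
SAMPLE_SHIFTER_LOG='2026-03-19T14:32:10.476553346Z INFO:root:Upload successfull'

if backup_uploaded "$SAMPLE_CREATOR_LOG" "$SAMPLE_SHIFTER_LOG"; then
    echo "OK: latest backup was uploaded"
else
    echo "FAIL: no upload seen for the latest backup"
fi
```

For a live check, pass the output of kubectl logs --timestamps=true for the backup-creator and backup-shifter containers, using the namespace and Pod variables set earlier.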
Test your restore procedure