Feature: rstuf state backups

Question

Feature: rstuf state backups

fridex opened this issue a year ago · comments

What is the feature about?

We would like to make sure the state of rstuf is preserved and eventually have a way to restore/replicate rstuf state to a testing environment. Is there a preferred way on how to perform backups of an rstuf deployment? Thanks!

Services it relates to

repository-service-for-tuf

Related tasks

#402

References

No response

Code of Conduct

I agree to follow this project's Code of Conduct

Kairo Araujo · Answer 1 · Tue Aug 22 2023 14:12:18 GMT+0800 (China Standard Time)

Hi @fridex,

Thank you for the issue. We can improve our documentation for Repository Service for TUF (RSTUF) administrators.

The RSTUF Worker has the core data of RSTUF, the TUF Metadata.
The current RSTUF Worker uses the RSTUF_STORAGE_BACKEND; At the moment, it supports only LocalStorage type, which is a container volume. Backup the content of this volume (JSON files), saving a copy of the JSON files.

We are working also to support AWSS3 type, which uses the AWS S3 objects, and in this case, is required to backup it using the AWS options.

RSTUF Worker uses the private online key as read-only RSTUF_KEYVAULT_BACKEND. Currently, we support only LocalKeyVault type. Backup the content of this volume, saving a copy of the key.

The RSTUF Worker also uses a Postgres database to support high-traffic repositories, configured at the RSTUF_SQL_SERVER variable. This database also needs a backup. The backup strategy depends on how you deploy the Postgres.

The RSTUF Worker and API also use the Redis services. It is required to backup the repository settings database id, also defined RSTUF_REDIS_SERVER and by default id 1, or customized id RSTUF_REDIS_SERVER_DB_REPO_SETTINGS

Note: The message queue RSTUF_BROKER_SERVER and backend result RSTUF_REDIS_SERVER (default db id 1 or custom id by RSTUF_REDIS_SERVER_DB_REPO_RESULT) for tasks are not required data for RSTUF. In some integration cases, you might want this information as well.

Note: RSTUF API only requires backup if you use the RSTUF API built-in authentication/authorization, which we do not advise using. Instead, we recommend using an API Gateway service/server to implement your authentication/authorization for the API requests.
If still, you're using it. Backuping your RSTUF API mapped to the RSTUF_DATA.

To summarize:

Backup the TUF Metadata stored in RSTUF_STORAGE_BACKEND
Backup the Private Online Key in the RSTUF_KEYVAULT_BACKEND
Backup the Postgres RSTUF Database RSTUF_SQL_SERVER
Backup the Redis databases RSTUF_REDIS_SERVER

Feature-wise, creating a restore mechanism for RSTUF from the TUF Metadata would also be possible. It will require some tests and investigation, but it could also be a simple strategy.

Fridolín Pokorný · Answer 2 · Tue Aug 22 2023 15:23:05 GMT+0800 (China Standard Time)

Thanks Kairo, this is definitely helpful. It looks like there are needed some lower level operations to make this happen. If there would be a native support for this feature that would be great. Thanks again!

Kairo Araujo · Answer 3 · Wed Aug 23 2023 04:38:01 GMT+0800 (China Standard Time)

I filed an issue to continue the idea as a feature. 😄
Thanks, @fridex, for bringing it up.