Feature: rstuf state backups
fridex opened this issue · comments
What is the feature about?
We would like to make sure the state of rstuf is preserved and eventually have a way to restore/replicate rstuf state to a testing environment. Is there a preferred way on how to perform backups of an rstuf deployment? Thanks!
Services it relates to
repository-service-for-tuf
Related tasks
References
No response
Code of Conduct
- I agree to follow this project's Code of Conduct
Hi @fridex,
Thank you for the issue. We can improve our documentation for Repository Service for TUF (RSTUF) administrators.
The RSTUF Worker has the core data of RSTUF, the TUF Metadata.
The current RSTUF Worker uses the RSTUF_STORAGE_BACKEND
; At the moment, it supports only LocalStorage
type, which is a container volume. Backup the content of this volume (JSON files), saving a copy of the JSON files.
We are working also to support AWSS3
type, which uses the AWS S3 objects, and in this case, is required to backup it using the AWS options.
RSTUF Worker uses the private online key as read-only RSTUF_KEYVAULT_BACKEND
. Currently, we support only LocalKeyVault
type. Backup the content of this volume, saving a copy of the key.
The RSTUF Worker also uses a Postgres database to support high-traffic repositories, configured at the RSTUF_SQL_SERVER
variable. This database also needs a backup. The backup strategy depends on how you deploy the Postgres.
The RSTUF Worker and API also use the Redis services. It is required to backup the repository settings database id, also defined RSTUF_REDIS_SERVER
and by default id 1
, or customized id RSTUF_REDIS_SERVER_DB_REPO_SETTINGS
Note: The message queue RSTUF_BROKER_SERVER
and backend result RSTUF_REDIS_SERVER
(default db id 1
or custom id by RSTUF_REDIS_SERVER_DB_REPO_RESULT
) for tasks are not required data for RSTUF. In some integration cases, you might want this information as well.
Note: RSTUF API only requires backup if you use the RSTUF API built-in authentication/authorization, which we do not advise using. Instead, we recommend using an API Gateway service/server to implement your authentication/authorization for the API requests.
If still, you're using it. Backuping your RSTUF API mapped to the RSTUF_DATA
.
To summarize:
- Backup the TUF Metadata stored in
RSTUF_STORAGE_BACKEND
- Backup the Private Online Key in the
RSTUF_KEYVAULT_BACKEND
- Backup the Postgres RSTUF Database
RSTUF_SQL_SERVER
- Backup the Redis databases
RSTUF_REDIS_SERVER
Feature-wise, creating a restore mechanism for RSTUF from the TUF Metadata would also be possible. It will require some tests and investigation, but it could also be a simple strategy.
Thanks Kairo, this is definitely helpful. It looks like there are needed some lower level operations to make this happen. If there would be a native support for this feature that would be great. Thanks again!
I filed an issue to continue the idea as a feature. 😄
Thanks, @fridex, for bringing it up.