Database backup recommendations

By default, the metadata store uses a PersistentVolume mounted on a Postgres instance, making it a stateful component of Tanzu Application Platform. VMware recommends implementing a regular backup strategy as part of your disaster recovery plan when using the provided Postgres instance.

Backup

You can use Velero to create regular backups.

Note: Backup support for PersistentVolume depends on the used StorageClass and existing provider plug-ins is the noun or adjective. See the officially supported plugins here.

velero install --provider <provider> --bucket <bucket-name> --plugins <plugin-image-location> --secret-file <secrets-file>

For example:

velero install --provider gcp --bucket <gcs-bucket-name> --plugins velero/velero-plugin-for-gcp:v1.3.0 --secret-file <gcp-json-credentials>

Velero CLI can then be used to create a backup of all the resources in the metadata-store namespace, including PersistentVolumeClaim and PersistentVolume.

velero backup create metadata-store-$(date '+%s') --include-namespaces=metadata-store

Restore

Velero CLI can restore the Store in the same or a different cluster. The same namespace can be used to restore, but may collide with other Supply Chain Security Tools – Store installations. Furthermore, restoring into the same namespace restores a fully functional instance of Supply Chain Security Tools – Store; however, this instance is not managed by Tanzu Application Platform and can cause conflicts with future installations.

velero restore create restore-metadata-store-$timestamp --from-backup metadata-store-$timestamp --namespace-mappings metadata-store:metadata-store

Alternatively, a different namespace can be used to restore Supply Chain Security Tools – Store. In this case, Supply Chain Security Tools – Store API is not available due to conflicting definitions in the RBAC proxy configuration, causing all requests to fail with an Unauthorized error. In this scenario, the postgres instance is still accessible, and tools such as pg_dump can be used to retrieve table contents and restore in a new live installation of Supply Chain Security Tools – Store.

velero restore create restore-metadata-store-$timestamp --from-backup metadata-store-$timestamp --namespace-mappings metadata-store:restored-metadata-store

Currently, mounting an existing PersistentVolume or PersistentVolumeClaim during installation is not supported.

The minimum suggested resources for backups are PersistentVolume, PersistentVolumeClaim and Secret. The database password Secret is needed to set up a Postgres instance with the correct password to properly read data from the restored volume.

check-circle-line exclamation-circle-line close-line
Scroll to top icon