Database backup recommendations for Supply Chain Security Tools - Store

This topic tells you about database backup recommendations for Supply Chain Security Tools (SCST) - Store.

By default, the metadata store uses a PersistentVolume mounted on a PostgreSQL instance, making it a stateful component of Tanzu Application Platform. VMware recommends implementing a regular backup strategy as part of your disaster recovery plan when using the provided PostgreSQL instance.

Backup

You can use Velero to create regular backups.

Note

Backup support for PersistentVolume depends on the StorageClass in use and the available provider plug-ins. See the list of officially supported plug-ins in the Velero documentation.

velero install --provider PROVIDER --bucket BUCKET-NAME --plugins PLUGIN-IMAGE-LOCATION \
--secret-file SECRET-FILE

Where:

  • PROVIDER is the name of the provider you want to use.
  • BUCKET-NAME is the name of the bucket you want to use.
  • PLUGIN-IMAGE-LOCATION is the location of the plug-ins you want to use.
  • SECRET-FILE is the file where the secret is located.

Velero CLI can then be used to create a backup of all the resources in the metadata-store namespace, including PersistentVolumeClaim and PersistentVolume.

velero backup create metadata-store-$(date '+%s') --include-namespaces=metadata-store

Restore

You can use Velero CLI to restore the Store in the same cluster or a different cluster.

You can use the same namespace for the restore, but there is a risk of collision with other SCST - Store installations. Furthermore, Tanzu Application Platform does not manage a restored SCST - Store instance within the same namespace, which can cause conflicts with future installations.

To restore the Store, run:

velero restore create restore-metadata-store-$timestamp --from-backup metadata-store-$timestamp \
--namespace-mappings metadata-store:metadata-store

Alternatively, a different namespace can be used to restore SCST - Store. In this case, SCST - Store API is not available because of conflicting definitions in the role-based access control (RBAC) proxy configuration. These conflicting definitions cause all requests to fail with an Unauthorized error.

In this scenario, the PostgreSQL instance is still accessible, and tools such as pg_dump can be used to retrieve table contents and restore in a new live installation of SCST - Store.

To restore the Store, run:

velero restore create restore-metadata-store-$timestamp --from-backup metadata-store-$timestamp \
--namespace-mappings metadata-store:restored-metadata-store

Currently, mounting an existing PersistentVolume or PersistentVolumeClaim during installation is not supported.

The minimum suggested resources for backups are PersistentVolume, PersistentVolumeClaim and Secret. The database password Secret is needed to set up a PostgreSQL instance with the correct password to properly read data from the restored volume.
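
The backup and restore commands above use the same timestamp suffix, so the following added example (not part of the original documentation or of Velero) wraps them in functions that keep the two names consistent and can limit the backup to the minimum resources listed above. The function names and the VELERO dry-run variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not VMware's or Velero's own script.
# Assumption: VELERO defaults to a dry run that prints each command;
# export VELERO=velero to execute against the current cluster.
VELERO="${VELERO:-echo velero}"
NS="metadata-store"

# Build the backup name with the page's epoch-seconds suffix.
# Rejecting non-numeric input keeps the name predictable.
backup_name() {
    ts="${1:-$(date '+%s')}"
    case "$ts" in
        *[!0-9]*) echo "timestamp must be numeric: $ts" >&2; return 1 ;;
    esac
    printf 'metadata-store-%s\n' "$ts"
}

# create_backup [TIMESTAMP] [full|minimal]
# "minimal" limits the backup to the minimum resources the page lists.
create_backup() {
    name="$(backup_name "$1")" || return 1
    if [ "${2:-full}" = "minimal" ]; then
        $VELERO backup create "$name" --include-namespaces="$NS" \
            --include-resources=persistentvolumes,persistentvolumeclaims,secrets \
            --wait
    else
        $VELERO backup create "$name" --include-namespaces="$NS" --wait
    fi
}

# restore_backup TIMESTAMP [TARGET-NAMESPACE]
# Restores the backup taken at TIMESTAMP; the target defaults to the
# original namespace, as in the page's first restore command.
restore_backup() {
    [ -n "$1" ] || { echo "backup timestamp required" >&2; return 1; }
    name="$(backup_name "$1")" || return 1
    target="${2:-$NS}"
    case "$target" in
        *[!a-z0-9-]*) echo "invalid namespace: $target" >&2; return 1 ;;
    esac
    $VELERO restore create "restore-$name" --from-backup "$name" \
        --namespace-mappings "$NS:$target" --wait
}
```

Pass the timestamp from the backup name to restore_backup so that the restore references the backup that was actually created. The backup contains the database password Secret, so restrict access to the bucket it is stored in.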
