trustchain-oc1-orchestral
/
authentik
Archived
10
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
This repository has been archived on 2024-05-31. You can view files and clone it, but cannot push or open issues or pull requests.
authentik/website/docs/maintenance/backups/index.md

124 lines
3.4 KiB
Markdown
Raw Blame History

---
title: Backup and restore
---
:::warning
Local backups are only supported for docker-compose installs. If you want to backup a Kubernetes instance locally, use an S3-compatible server such as [minio](https://min.io/)
:::
### Backup
:::note
Local backups are **enabled** by default, and will be run daily at 00:00
:::
Local backups can be created by running the following command in your authentik installation directory
```
docker-compose run --rm worker backup
# Or for kubernetes
kubectl exec -it deployment/authentik-worker -c authentik -- ak backup
```
This will dump the current database into the `./backups` folder. By defaults, the last 10 Backups are kept.
### Restore
:::warning
Currently, it is only supported to restore backups into the same version they have been taken from. Different versions *might* work, but this is not guaranteed.
Instead, install the version the backup was taken with, restore the backup and then upgrade.
:::
:::info
The restore command expects to have superuser-permissions on the PostgreSQL instance. To get a clean restore, it deletes the current database, re-creates it and then imports the data.
:::
Run this command in your authentik installation directory.
To see all available backups, run
```
docker-compose run --rm worker listbackups
# Or for kubernetes
kubectl exec -it deployment/authentik-worker -c authentik -- ak listbackups
```
Then, to restore, run
```
docker-compose run --rm worker restore default-2020-10-03-115557.psql
# Or for kubernetes
kubectl exec -it deployment/authentik-worker -c authentik -- ak restore default-2020-10-03-115557.psql
```
After you've restored the backup, it is recommended to restart all services with `docker-compose restart` or `kubectl rollout restart deployment --all`.
### S3 Configuration
#### Preparation
authentik expects the bucket you select to already exist. The IAM User given to authentik should have the following permissions
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObjectAcl",
"s3:GetObject",
"s3:ListBucket",
"s3:DeleteObject",
"s3:PutObjectAcl"
],
"Principal": {
"AWS": "arn:aws:iam::example-AWS-account-ID:user/example-user-name"
},
"Resource": [
"arn:aws:s3:::example-bucket-name/*",
"arn:aws:s3:::example-bucket-name"
]
}
]
}
```
#### docker-compose
Set the following values in your `.env` file.
```
AUTHENTIK_POSTGRESQL__S3_BACKUP__ACCESS_KEY=
AUTHENTIK_POSTGRESQL__S3_BACKUP__SECRET_KEY=
AUTHENTIK_POSTGRESQL__S3_BACKUP__BUCKET=
AUTHENTIK_POSTGRESQL__S3_BACKUP__REGION=
```
If you want to backup to an S3-compatible server, like [minio](https://min.io/), use this setting:
```
AUTHENTIK_POSTGRESQL__S3_BACKUP__HOST=http://play.min.io
```
#### Kubernetes
Simply enable these options in your values.yaml file
```yaml
# Enable Database Backups to S3
authentik:
postgresql:
s3_backup:
bucket: "authentik-backup"
access_key: foo
secret_key: bar
region: eu-central-1
# Optional S3 host
# host: "https://backup-s3.beryju.org"
```
Afterwards, run a `helm upgrade` to update the ConfigMap. Backups are done automatically as above, at 00:00 every day.
Reference in New Issue View Git Blame Copy Permalink