
Backup & Restore IDHub

info

If you are an IDHub Cloud customer, you can back up and restore your tenant data from your account management dashboard. Click Here to learn more

Scope of Backup & Restore

This document describes the detailed steps for backing up and restoring IDHub tenant data. Backups are created in such a way that a tenant database can be backed up and restored one tenant at a time.

Full Cluster Backups & Restore

Depending on the cloud provider, we have provided some reference links below for full cluster backups and restore.

For other cloud providers, please consult your provider's documentation.

Pre-Requisites

You need the Tenant Admin Secret before you can back up or restore your IDHub tenant data. To access the Tenant Admin Secret, you must re-enable the Vault root token, because IDHub disables the Vault root token by default after it is installed in your cluster. Follow the steps below and run the commands from each step in your terminal to get the tenant admin secret.

Get Tenant Admin Secret

Get your Unseal Key

kubectl get -n [NAMESPACE] secret vault-unseal-key -o jsonpath="{.data.key}" | base64 --decode
Replace

[NAMESPACE] with your namespace.

Get the OTP, which will be used to decode the resulting root token.

kubectl exec -it -n [NAMESPACE] [NAMESPACE]-vault-0 -- sh
vault operator generate-root -init
Replace

[NAMESPACE] with your namespace.

tip

After running the above, an OTP will be generated. Copy it and keep it somewhere safe.

Get encoded token

vault operator generate-root
tip

This will ask for your unseal key. Paste the unseal key that you retrieved earlier, and you will get the encoded token.

Generate Vault Root Token

vault operator generate-root \
-decode=[ENCODED_TOKEN] \
-otp=[OTP]
Replace
  • [ENCODED_TOKEN] with the token that you got from the previous step.
  • [OTP] with the OTP that you have generated from the previous step.

Login to Vault

Log in to Vault using the root token by running the following command:

vault login [ROOT_TOKEN]
Replace
  • [ROOT_TOKEN] with the root token that you got from the previous step.

Get the Tenant Admin Secret

vault kv get -mount=secret idhub/tenants-admin

Get Base64 value of Tenant Admin Secret

As the last step, convert the tenant admin secret to Base64 format using the following command. The resulting value is used in the API calls below.

echo -n ":[TENANT_ADMIN_SECRET]" | base64
Replace
  • [TENANT_ADMIN_SECRET] with the Tenant Admin Secret that you retrieved in the previous step.

Back-up a specific tenant

  • Use the following cURL command to call the tenant management backup API from any terminal:
curl --location --request POST 'https://[FQDN]/api/tenant-management/admin/backup' \
--header 'Authorization: Basic [TENANT_ADMIN_SECRET_BASE64]' \
--header 'Content-Type: application/json' \
--data-raw '{
"tenantName": "[KEYCLOAK_REALM]"
}'
Replace
  • [FQDN] with your IDHub URL.
  • [TENANT_ADMIN_SECRET_BASE64] See Pre-requisites above.
  • [KEYCLOAK_REALM] with Keycloak realm name. e.g. alpha, alphainc, etc.
tip

A compressed archive with a timestamp will be created in the /apps/idhub/backups/ directory on the IDHub server. This archive can be used to restore the tenant in the future.

List all the backups

  • Use the following cURL command from any terminal:
curl --location --request GET 'https://[FQDN]/api/tenant-management/admin/backups' \
--header 'Authorization: Basic [TENANT_ADMIN_SECRET_BASE64]'
Replace
  • [FQDN] with IDHub URL.
  • [TENANT_ADMIN_SECRET_BASE64] See Pre-requisites above.

Restore a specific tenant

  • Use the following cURL command to call the tenant management restore API from any terminal:
curl --location --request POST 'https://[FQDN]/api/tenant-management/admin/restore' \
--header 'Authorization: Basic [TENANT_ADMIN_SECRET_BASE64]' \
--header 'Content-Type: application/json' \
--data-raw '{
"fileName": "[ARCHIVE_NAME]"
}'
Replace
  • [FQDN] with IDHub URL.
  • [TENANT_ADMIN_SECRET_BASE64] See Pre-requisites above.
  • [ARCHIVE_NAME] with the name of the archive. e.g. alpha-2022-12-17T04:26:39.078Z.tar.gz

Delete a backup

  • Use the following cURL command to delete a backup from the /apps/idhub/backups/ directory on the IDHub server:
curl --location --request POST 'https://[FQDN]/api/tenant-management/admin/backups/delete' \
--header 'Authorization: Basic [TENANT_ADMIN_SECRET_BASE64]' \
--header 'Content-Type: application/json' \
--data-raw '{
"fileName": "[ARCHIVE_NAME]"
}'
Replace
  • [FQDN] with IDHub URL.
  • [TENANT_ADMIN_SECRET_BASE64] See Pre-requisites above.
  • [ARCHIVE_NAME] with the name of the archive. e.g. alpha-2022-12-17T04:26:39.078Z.tar.gz
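
Added example, not part of the IDHub documentation or IDHub's own tooling: shell helpers for the Base64 step and for the restore and delete calls above. They build the Basic credential without line wraps, keep the header out of curl's argument list, and check that an archive name belongs to the intended tenant before it is sent to restore or delete. The function names, the archive-name pattern (inferred from the example name on this page) and the one-name-per-line input are assumptions.

```sh
#!/bin/sh
# Added example, not IDHub tooling; all function names are hypothetical.

# Base64 of ":<secret>" (empty username), as in the page's echo | base64 step.
# tr removes the line wraps some base64 builds insert every 76 characters;
# a wrapped value would split the Authorization header.
basic_auth_b64() {
  printf ':%s' "$1" | base64 | tr -d '\n'
}

# Config text for `curl --config -`, so the header is read from stdin instead
# of appearing in curl's argument list (readable by other local users via ps).
curl_auth_config() {
  printf 'header = "Authorization: Basic %s"\n' "$(basic_auth_b64 "$1")"
}

# True only for "<tenant>-<UTC timestamp>.tar.gz" of this exact tenant.
# Format inferred from the page's one example name (assumption).
is_tenant_archive() {
  case "$1" in ''|*[!A-Za-z0-9_-]*) return 1 ;; esac   # tenant: safe chars only
  case "$2" in *[!A-Za-z0-9_.:-]*) return 1 ;; esac     # no '/', spaces, newlines
  printf '%s\n' "$2" | grep -Eq \
    "^$1-[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}\.[0-9]{3}Z\.tar\.gz\$"
}

# Newest archive of a tenant from names on stdin, one per line (the list
# API's response format is not on the page, so extracting names is left out).
# Fixed-width ISO-8601 timestamps sort correctly as plain strings.
latest_tenant_archive() {
  while IFS= read -r name; do
    is_tenant_archive "$1" "$name" && printf '%s\n' "$name"
  done | LC_ALL=C sort | tail -n 1
}

# Constructed sample listing, not real output.
sample_listing() {
  printf '%s\n' \
    'alpha-2022-12-17T04:26:39.078Z.tar.gz' \
    'alphainc-2023-01-05T10:00:00.000Z.tar.gz' \
    'alpha-2023-01-02T09:15:00.000Z.tar.gz' \
    '../alpha-2024-01-01T00:00:00.000Z.tar.gz'
}

sample_listing | latest_tenant_archive alpha
# Usage sketch: curl_auth_config "$SECRET" | curl --config - --request POST ...
```

Only the two archives that start with exactly `alpha-` followed by a timestamp pass the check; the `alphainc` archive and the name containing `../` are rejected before any restore or delete request is built.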