- Added Program.cs to set up the web application with Serilog for logging, health check endpoints, and a placeholder admission endpoint. - Configured Kestrel server to use TLS 1.3 and handle client certificates appropriately. - Created StellaOps.Zastava.Webhook.csproj with necessary dependencies including Serilog and Polly. - Documented tasks in TASKS.md for the Zastava Webhook project, outlining current work and exit criteria for each task.
Authority Backup & Restore Runbook
Scope
- Applies to: StellaOps Authority deployments running the official `ops/authority/docker-compose.authority.yaml` stack or equivalent Kubernetes packaging.
- Artifacts covered: MongoDB (`stellaops-authority` database), Authority configuration (`etc/authority.yaml`), plugin manifests under `etc/authority.plugins/`, and signing key material stored in the `authority-keys` volume (defaults to `/app/keys` inside the container).
- Frequency: Run the full procedure prior to upgrades, before rotating keys, and at least once per 24 h in production. Store snapshots in an encrypted, access-controlled vault.
Inventory Checklist
| Component | Location (compose default) | Notes | 
|---|---|---|
| Mongo data | `mongo-data` volume (`/var/lib/docker/volumes/.../mongo-data`) | Contains all Authority collections (`AuthorityUser`, `AuthorityClient`, `AuthorityToken`, etc.). |
| Configuration | `etc/authority.yaml` | Mounted read-only into the container at `/etc/authority.yaml`. |
| Plugin manifests | `etc/authority.plugins/*.yaml` | Includes `standard.yaml` with `tokenSigning.keyDirectory`. |
| Signing keys | `authority-keys` volume -> `/app/keys` | Path is derived from `tokenSigning.keyDirectory` (defaults to `../keys` relative to the manifest). |
TIP: Confirm the deployed key directory via `tokenSigning.keyDirectory` in `etc/authority.plugins/standard.yaml`; some installations relocate keys to `/var/lib/stellaops/authority/keys`.
Hot Backup (no downtime)
1. Create output directory: `mkdir -p backup/$(date +%Y-%m-%d)` on the host.
2. Dump Mongo:
   ```bash
   # Capture the UTC timestamp once so the dump and the copy use the same file name.
   TS=$(date -u +%Y%m%dT%H%M%SZ)
   docker compose -f ops/authority/docker-compose.authority.yaml exec mongo \
     mongodump --archive=/dump/authority-${TS}.gz \
     --gzip --db stellaops-authority
   docker compose -f ops/authority/docker-compose.authority.yaml cp \
     mongo:/dump/authority-${TS}.gz backup/
   ```
   The `mongodump` archive preserves indexes and can be restored with `mongorestore --archive --gzip`.
3. Capture configuration + manifests:
   ```bash
   cp etc/authority.yaml backup/
   rsync -a etc/authority.plugins/ backup/authority.plugins/
   ```
4. Export signing keys: the compose file maps `authority-keys` to a local Docker volume. Snapshot it without stopping the service:
   ```bash
   docker run --rm \
     -v authority-keys:/keys \
     -v "$(pwd)/backup:/backup" \
     busybox tar czf /backup/authority-keys-$(date -u +%Y%m%dT%H%M%SZ).tar.gz -C /keys .
   ```
5. Checksum: generate SHA-256 digests for every file and store them alongside the artefacts.
6. Encrypt & upload: wrap the backup folder using your secrets management standard (e.g., age, GPG) and upload to the designated offline vault.
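One way to carry out the checksum step and to re-check the artefacts before a restore; this is an added example, not part of the StellaOps runbook or code base. The manifest name `SHA256SUMS` and the function names are assumptions, and `sha256sum` must be available on the host.

```shell
#!/bin/sh
# Added example, not StellaOps code. MANIFEST is an assumed file name.
MANIFEST=SHA256SUMS

# write_manifest DIR: hash every regular file under DIR into DIR/$MANIFEST.
write_manifest() (
  cd "$1" || exit 2
  find . -type f ! -name "$MANIFEST" -exec sha256sum {} + | sort -k 2 > "$MANIFEST"
)

# verify_manifest DIR: succeed only if every listed file still matches its
# digest and no file is present that the manifest does not list.
verify_manifest() (
  cd "$1" || exit 2
  [ -s "$MANIFEST" ] || { echo "missing or empty $MANIFEST" >&2; exit 1; }
  out=$(sha256sum -c "$MANIFEST" 2>&1) || {
    printf '%s\n' "$out" | grep -v ': OK$' >&2   # show only the failures
    exit 1
  }
  listed=$(sed 's/^[0-9a-f]*  //' "$MANIFEST" | sort)
  actual=$(find . -type f ! -name "$MANIFEST" | sort)
  [ "$listed" = "$actual" ] || { echo "files not covered by $MANIFEST" >&2; exit 1; }
)

# Script entry point: ./manifest.sh write|verify <backup directory>
case "${1:-}" in
  write)  write_manifest "$2" ;;
  verify) verify_manifest "$2" ;;
esac
```

Run `write_manifest` before encrypting the folder, and `verify_manifest` on the decrypted copy before `mongorestore` or untarring the signing keys.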
Cold Backup (planned downtime)
1. Notify stakeholders and drain traffic (CLI clients should refresh tokens afterwards).
2. Stop services:
   ```bash
   docker compose -f ops/authority/docker-compose.authority.yaml down
   ```
3. Back up volumes directly using `tar`:
   ```bash
   docker run --rm -v mongo-data:/data -v "$(pwd)/backup:/backup" \
     busybox tar czf /backup/mongo-data-$(date +%Y%m%d).tar.gz -C /data .
   docker run --rm -v authority-keys:/keys -v "$(pwd)/backup:/backup" \
     busybox tar czf /backup/authority-keys-$(date +%Y%m%d).tar.gz -C /keys .
   ```
4. Copy configuration + manifests as in the hot backup (steps 3–6).
5. Restart services and verify health:
   ```bash
   docker compose -f ops/authority/docker-compose.authority.yaml up -d
   curl -fsS http://localhost:8080/ready
   ```
Restore Procedure
1. Provision clean volumes: remove existing volumes if you’re rebuilding a node (`docker volume rm mongo-data authority-keys`), then recreate the compose stack so empty volumes exist.
2. Restore Mongo:
   ```bash
   docker compose exec -T mongo mongorestore --archive --gzip --drop < backup/authority-YYYYMMDDTHHMMSSZ.gz
   ```
   Use `--drop` to replace collections; omit if doing a partial restore.
3. Restore configuration/manifests: copy `authority.yaml` and `authority.plugins/*` into place before starting the Authority container.
4. Restore signing keys: untar into the mounted volume:
   ```bash
   docker run --rm -v authority-keys:/keys -v "$(pwd)/backup:/backup" \
     busybox tar xzf /backup/authority-keys-YYYYMMDD.tar.gz -C /keys
   ```
   Ensure file permissions remain `600` for private keys (`chmod -R 600`).
5. Start services & validate:
   ```bash
   docker compose up -d
   curl -fsS http://localhost:8080/health
   ```
6. Validate JWKS and tokens: call `/jwks` and issue a short-lived token via the CLI to confirm key material matches expectations. If the restored environment requires a fresh signing key, follow the rotation SOP in `docs/11_AUTHORITY.md` using `ops/authority/key-rotation.sh` to invoke `/internal/signing/rotate`.
Disaster Recovery Notes
- Air-gapped replication: replicate archives via the Offline Update Kit transport channels; never attach USB devices without scanning.
- Retention: maintain 30 daily snapshots + 12 monthly archival copies. Rotate encryption keys annually.
- Key compromise: if signing keys are suspected compromised, restore from the latest clean backup, rotate via OPS3 (see `ops/authority/key-rotation.sh` and `docs/11_AUTHORITY.md`), and publish a revocation notice.
- Mongo version: keep dump/restore images pinned to the deployment version (compose uses `mongo:7`). Driver 3.5.0 requires MongoDB 4.2+; clusters still on 4.0 must be upgraded before restore, and future driver releases will drop 4.0 entirely.
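The retention rule above, applied to snapshot directories named `YYYY-MM-DD` as created in the first hot-backup step; this is an added example, not part of the runbook. It assumes a "monthly archival copy" means the newest snapshot of each month, and `select_keep` / `select_prune` are hypothetical names.

```shell
#!/bin/sh
# Added example, not StellaOps code. Snapshot names are the YYYY-MM-DD
# directory names created in the first hot-backup step.
VALID='^[0-9]{4}-[0-9]{2}-[0-9]{2}$'

# select_keep [DAILY] [MONTHLY]: read snapshot names on stdin, print the ones
# to retain (newest first). Assumption: the monthly copy is the newest
# snapshot of each of the most recent MONTHLY months.
select_keep() {
  grep -E "$VALID" | sort -ru |
  awk -v daily="${1:-30}" -v monthly="${2:-12}" '
    {
      keep = (NR <= daily)              # newest DAILY snapshots
      month = substr($0, 1, 7)
      if (!(month in seen)) {           # first (newest) snapshot of a month
        seen[month] = 1
        if (++months <= monthly) keep = 1
      }
      if (keep) print
    }'
}

# select_prune [DAILY] [MONTHLY]: print the snapshots that fall outside the
# policy. Names that do not look like YYYY-MM-DD are never listed for removal.
select_prune() (
  all=$(grep -E "$VALID" | sort -u)
  keep=$(printf '%s\n' "$all" | select_keep "$@")
  printf '%s\n' "$all" | grep -vxF -e "$keep" || true
)
```

`ls backup | select_prune` lists removal candidates only; review the list before deleting anything from the vault.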
Verification Checklist
- `/ready` reports all identity providers ready.
- OAuth flows issue tokens signed by the restored keys.
- `PluginRegistrationSummary` logs expected providers on startup.
- Revocation manifest export (dotnet run --project src/StellaOps.Authority) succeeds.
- Monitoring dashboards show metrics resuming (see OPS5 deliverables).