Backup and restoration procedure in Kubernetes environment
Backup and restoration are the recommended approach for protecting your OpenIAM deployment against data loss and service disruption. This document outlines how to back up application components, databases, and supporting services, and how to restore them after a failure. Following this procedure helps ensure business continuity and minimizes downtime during unexpected incidents or planned recovery operations.
The backup and restore process has been tested on a single-node Kubernetes cluster with an external database (MSSQL and PostgreSQL), and it works for the following two scenarios:
- Destroy the OpenIAM cluster using Terraform and restore it on the same Kubernetes cluster.
- Build a new Kubernetes cluster and restore the OpenIAM cluster from the existing backup.
Pre-backup steps
- Take a deployer VM snapshot (recommended). Take a snapshot of the deployer VM if possible, or create a tar backup of the configuration directory with the following command. The archive is written to /root rather than into the directory being archived, and -z is used so the file really is gzip-compressed as its name says:
tar -czvf /root/kubernetes-docker-configuration_backup.tar.gz /usr/local/openiam/kubernetes-docker-configuration
- Create an external database snapshot (if applicable). Ensure the database is running and accessible, and take the snapshot at the same point in time as the Vault export so that the restored data and the restored secrets are consistent with each other.
- Back up the Vault secrets using Medusa.
Download the Medusa utility (the version variable is set explicitly so the URL and the archive name agree):
MEDUSA_VERSION=0.7.2
wget https://github.com/jonasvinther/medusa/releases/download/v${MEDUSA_VERSION}/medusa_${MEDUSA_VERSION}_linux_amd64.tar.gz
tar -xvf medusa_${MEDUSA_VERSION}_linux_amd64.tar.gz
Copy the Medusa utility to the Vault pod:
kubectl get pods | grep vault
kubectl cp medusa openiam-vault-0:/tmp/
Export the Vault secrets. The curl and medusa commands run inside the pod; the login uses the Vault server's own TLS client certificate against the cert auth method, and TLS verification is skipped (-k, VAULT_SKIP_VERIFY, --insecure) only because the address is the pod's loopback interface:
kubectl exec -it <vault-pod-name> -- sh
export VAULT_ADDR="https://127.0.0.1:8200"
export VAULT_SKIP_VERIFY=true
export VAULT_URL=127.0.0.1
export VAULT_PORT=8200
token=$(curl -k --request POST --cert /data/openiam/conf/vault/server/vault.crt --key /data/openiam/conf/vault/server/vault.key --data '{"name": "web"}' https://${VAULT_URL}:${VAULT_PORT}/v1/auth/cert/login | jq .auth.client_token | tr -d '"')
/tmp/medusa export secret --address="https://${VAULT_URL}:${VAULT_PORT}" --token="${token}" -p /data/openiam/conf/vault/server/vault.key --format="yaml" --insecure -o /tmp/export.yaml -m kv1
exit
Back on the deployer, copy the export out of the pod:
kubectl cp <vault-pod-name>:/tmp/export.yaml ./export.yaml
export.yaml holds the full contents of the kv1 mount. Protect it accordingly: restrict its file permissions, encrypt it at rest wherever it is stored, and remove /tmp/export.yaml and /tmp/medusa from the Vault pod once the file has been copied out.
- Back up the ESB cacerts truststore.
kubectl get pods | grep esb
kubectl exec -it openiam-esb-0 -- ls -l /usr/lib/jvm/default-jvm/lib/security/cacerts
kubectl cp openiam-esb-0:/usr/lib/jvm/default-jvm/lib/security/cacerts ./cacerts
- Store the following on an external server:
  - cacerts file
  - export.yaml
  - kubernetes-docker-configuration_backup.tar.gz
  - Deployer VM snapshot
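The three files listed above are what a restore depends on, so it is worth bundling them with an integrity manifest and checking that manifest before they are fed into a new cluster. The following bash helper is an added example and is not part of the OpenIAM documentation or its tooling; the staging directory, archive name and function names are assumptions. It expects the three files produced by the steps above in one directory (the deployer VM snapshot stays with the hypervisor), records a SHA-256 hash per file, packs them into a dated archive created with owner-only permissions because export.yaml carries Vault secrets, and refuses to hand over an unpacked archive whose contents no longer match the manifest.

```shell
#!/usr/bin/env bash
# Added example, not OpenIAM tooling: bundle the restore artifacts from the
# pre-backup steps with a SHA-256 manifest and verify them before a restore.
# Assumptions: the three files below sit in one staging directory; tar and
# sha256sum are available; the deployer VM snapshot is not part of this bundle.
set -eu

# File names exactly as produced by the pre-backup steps.
REQUIRED_ARTIFACTS="cacerts export.yaml kubernetes-docker-configuration_backup.tar.gz"
MANIFEST="SHA256SUMS"

# check_artifacts DIR: fail unless every required artifact exists and is non-empty.
check_artifacts() {
  local dir=$1 f
  for f in $REQUIRED_ARTIFACTS; do
    if [ ! -s "$dir/$f" ]; then
      echo "missing or empty artifact: $dir/$f" >&2
      return 1
    fi
  done
}

# write_manifest DIR: record a SHA-256 hash per artifact in DIR/SHA256SUMS.
write_manifest() {
  local dir=$1
  ( cd "$dir" && sha256sum $REQUIRED_ARTIFACTS > "$MANIFEST" )
}

# verify_manifest DIR: succeed only if every artifact still matches the manifest.
verify_manifest() {
  local dir=$1
  ( cd "$dir" && sha256sum -c "$MANIFEST" > /dev/null )
}

# bundle DIR OUT_DIR: write OUT_DIR/openiam-backup-<UTC stamp>.tar.gz and print
# its path. umask 077 makes the archive mode 600: export.yaml holds the kv1 mount.
bundle() {
  local dir=$1 out=$2 archive
  check_artifacts "$dir"
  write_manifest "$dir"
  archive="$out/openiam-backup-$(date -u +%Y%m%dT%H%M%SZ).tar.gz"
  ( umask 077 && tar -czf "$archive" -C "$dir" $REQUIRED_ARTIFACTS "$MANIFEST" )
  echo "$archive"
}

# unpack_verified ARCHIVE DEST: extract into DEST and verify the manifest; on a
# mismatch remove the extracted files so a corrupt backup is never restored from.
unpack_verified() {
  local archive=$1 dest=$2
  mkdir -p "$dest"
  tar -xzf "$archive" -C "$dest"
  if ! verify_manifest "$dest"; then
    echo "manifest mismatch in $archive; refusing to use it" >&2
    ( cd "$dest" && rm -f $REQUIRED_ARTIFACTS "$MANIFEST" )
    return 1
  fi
}

# Typical use on the deployer after the pre-backup steps (paths are examples):
#   bundle /root/openiam-backup-staging /backup
# and before a restore, which leaves the verified files in /root:
#   unpack_verified /backup/openiam-backup-<stamp>.tar.gz /root
```

The manifest is stored inside the archive, so it detects corruption or accidental truncation in transit; it does not protect against an attacker who can rewrite the archive and the manifest together. For that, keep the printed archive hash (or a signature over it) on a separate system from the backup store.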
Restoration
If the deployer VM was rebuilt, restore it from the snapshot or unpack kubernetes-docker-configuration_backup.tar.gz so that /usr/local/openiam/kubernetes-docker-configuration is back in place before continuing, and put the backed-up cacerts and export.yaml files in /root on the deployer.
- Remove the Vault alias from cacerts so that the truststore does not carry a stale Vault certificate entry into the new deployment. The alias below (test2025-vault) is the one from the tested environment; use the alias returned by the first keytool -list command. changeit is the JDK default truststore password.
keytool -list -keystore cacerts -storepass changeit | grep vault
keytool -delete -alias test2025-vault -keystore cacerts -storepass changeit
keytool -list -keystore cacerts -storepass changeit | grep vault
- Create a custom ESB image.
mkdir -p /root/ESB-Custome_image
cd /root/ESB-Custome_image
Copy the modified cacerts into this directory, then create the Dockerfile. The FROM tag must match the ESB version your deployment runs:
vi Dockerfile
FROM registry.openiam.com/openiam_service/esb:debian-4.2.2-dev
USER root
# Back up the original cacerts
RUN cp /usr/lib/jvm/default-jvm/lib/security/cacerts /usr/lib/jvm/default-jvm/lib/security/cacerts.orig
# Copy the updated cacerts
COPY cacerts /usr/lib/jvm/default-jvm/lib/security/cacerts
RUN chmod 664 /usr/lib/jvm/default-jvm/lib/security/cacerts && chown openiam:openiam /usr/lib/jvm/default-jvm/lib/security/cacerts
USER openiam
Build the image and save it as a tar archive:
docker build -t openiam-esb:4.2.2-cacerts .
docker save openiam-esb:4.2.2-cacerts -o openiam-esb-4.2.2-cacerts.tar
- Load the ESB image into the Kubernetes nodes. Repeat this for every node that can schedule the ESB pod; ctr is the containerd client, so this applies to containerd-based nodes.
kubectl get nodes
kubectl debug node/<node-name> -it --image=busybox
From a second terminal, copy the image archive into the debug pod:
kubectl cp openiam-esb-4.2.2-cacerts.tar <debug-pod>:/tmp/
Back in the debug pod shell (or reattach with kubectl exec -it <debug-pod> -- sh), move the archive onto the node's filesystem, which the debug pod mounts at /host, and import it into containerd:
cd /tmp
mkdir -p /host/var/tmp/images
cp openiam-esb-4.2.2-cacerts.tar /host/var/tmp/images
chroot /host bash
ctr -n k8s.io images import /var/tmp/images/openiam-esb-4.2.2-cacerts.tar
ctr -n k8s.io images list | grep esb
Delete the debug pod once the image is listed.
- Update the ESB StatefulSet. Edit esb-statefulset.yaml and point the image at the locally loaded tag. IfNotPresent is required because the image exists only in the node's containerd store and cannot be pulled from a registry.
vi /usr/local/openiam/kubernetes-docker-configuration/openiam/templates/services/esb-statefulset.yaml
image: "docker.io/library/openiam-esb:4.2.2-cacerts"
imagePullPolicy: IfNotPresent
- Deploy OpenIAM.
cd /usr/local/openiam/kubernetes-docker-configuration
./setup.sh
terraform apply --auto-approve
- Import the Vault secrets. Once the Vault pod is up and running, copy the Medusa utility and the export.yaml file into the Vault pod and run the import from inside it, using the same certificate login as during the export:
kubectl cp /root/medusa <vault-pod-name>:/tmp/
kubectl cp /root/export.yaml <vault-pod-name>:/tmp/
kubectl exec -it <vault-pod-name> -- sh
cd /tmp
export VAULT_ADDR="https://127.0.0.1:8200"
export VAULT_SKIP_VERIFY=true
export VAULT_URL=127.0.0.1
export VAULT_PORT=8200
token=$(curl -k --request POST --cert /data/openiam/conf/vault/server/vault.crt --key /data/openiam/conf/vault/server/vault.key --data '{"name": "web"}' https://${VAULT_URL}:${VAULT_PORT}/v1/auth/cert/login | jq .auth.client_token | tr -d '"')
/tmp/medusa import secret -p /data/openiam/conf/vault/server/vault.key /tmp/export.yaml --address="https://${VAULT_URL}:${VAULT_PORT}" --token="${token}" --insecure -m kv1
Remove /tmp/export.yaml and /tmp/medusa from the pod after the import has succeeded.
Post-restoration
Monitor all pods until the UI is accessible, then log in using the credentials from before the restore.