generated from coulomb/repo-seed
feat(t09): backup, break-glass, DR drill — NK-WP-0003-T09 done
- Apply SQLite backup CronJobs (LLDAP, Authelia, privacyIDEA) — all verified running
- Fix authelia-backup: remove scale-down/up dance; concurrent local-path PVC mount works on single-node k3s, sqlite3 .backup is safe for concurrent access
- Fix privacyidea-backup: add supplementalGroups: [999] so uid=1000 can read enckey
- Add allow-backup-to-kube-api NetworkPolicy (backup pod → 10.43.0.1:443)
- Create break-glass LLDAP account (net-kingdom-admins); fix ((PASS++)) set-e trap
- SQLite restore drill: LLDAP backup valid (2 users, all tables)
- verify-t08.sh: PASS=15, FAIL=0; fix counter bug + enckey PVC path (/etc/privacyidea)
- Update DR-RUNBOOK.md Authelia restore procedure
- T09 deferred: CNPG backup (needs MinIO/S3), Prometheus (needs kube-prometheus-stack)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@@ -87,10 +87,20 @@ kubectl rollout status deployment/lldap -n sso --timeout=120s
### Authelia
```bash
# Same pattern as LLDAP, using authelia-data PVC and authelia.backup.YYYY-MM-DD
# On single-node k3s (local-path PVCs are hostPath-backed), a restore pod can mount
# authelia-data alongside the running Authelia pod. Scale down only if you need to
# replace the live db.sqlite3 in-place (Authelia must be stopped to avoid corruption).
kubectl scale deployment/authelia -n sso --replicas=0
# ... (run restore pod, restore db.sqlite3, scale back up)
kubectl run -n sso authelia-restore --image=nouchka/sqlite3:latest \
--restart=Never \
--overrides='{"spec":{"volumes":[{"name":"data","persistentVolumeClaim":{"claimName":"authelia-data"}}],"containers":[{"name":"authelia-restore","image":"nouchka/sqlite3:latest","command":["sleep","3600"],"volumeMounts":[{"name":"data","mountPath":"/data"}]}]}}'
kubectl exec -n sso authelia-restore -- ls /data/backups/
kubectl exec -n sso authelia-restore -- \
sqlite3 /data/backups/authelia.backup.YYYY-MM-DD ".dump" | \
sqlite3 /data/db.sqlite3
kubectl delete pod -n sso authelia-restore
kubectl scale deployment/authelia -n sso --replicas=1
kubectl rollout status deployment/authelia -n sso --timeout=120s
```
### privacyIDEA enckey
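Review bot: the restore pipeline in this hunk does not run where the runbook thinks it does. In `kubectl exec -n sso authelia-restore -- sqlite3 /data/backups/authelia.backup.YYYY-MM-DD ".dump" | sqlite3 /data/db.sqlite3` the operator's local shell parses the pipe, so only the `.dump` runs inside the pod; its output is streamed back to the workstation and written to a local `/data/db.sqlite3`, leaving the PVC untouched while the procedure reports success. Wrap the whole pipeline in one in-pod shell, e.g. `kubectl exec -n sso authelia-restore -- sh -c 'sqlite3 /data/backups/authelia.backup.YYYY-MM-DD ".dump" | sqlite3 /data/db.sqlite3'`. Two follow-ons once that is fixed: piping a `.dump` into an existing, populated `db.sqlite3` replays `CREATE TABLE` and `INSERT` statements against live tables and will fail or duplicate rows, so move the old file (and any `-wal`/`-shm` sidecars) aside first, or, since the backup CronJob produces the file with `sqlite3 .backup` per the commit message, simply copy the backup file over `db.sqlite3` while Authelia is scaled to zero; and the new comment says "Scale down only if you need to replace the live db.sqlite3 in-place" while the very next command scales down unconditionally, so either drop the conditional wording or make the scale-down an explicit step of the in-place path. Minor: `nouchka/sqlite3:latest` is an unpinned tag in a DR procedure; pin it to a digest so the drill is reproducible.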