Skip to main content

Backup and Restore Platform Data

This guide covers backup and restore procedures for all stateful components of CRAFT. Each service owns its own database, and infrastructure services (Keycloak, OpenFGA, Infisical) maintain independent state that must be backed up separately.

Stateful Components

The platform has the following stateful components that require backup:
ComponentStorageData
Governance DBPostgreSQLOrganizations, projects, users, role assignments
Assets DBPostgreSQLArtifacts, data connections, files, models
Utils DBPostgreSQLData catalog, scheduling, context packs, memories
KeycloakPostgreSQLRealms, users, IdP configurations, sessions
OpenFGAPostgreSQLAuthorization model, relationship tuples
InfisicalInternal storeApplication secrets, data connection credentials
RedisIn-memory + AOFCache, session state, event streams
Solution DBsPostgreSQLData Insights sessions, Data Governance profiles
Each service has a separate PostgreSQL database. There are no cross-service foreign keys, so databases can be backed up independently without coordination.

PostgreSQL Backup

Automated Backups (Cloud-Managed)

For cloud-managed PostgreSQL (Cloud SQL, RDS, Azure Database):
Cloud SQL provides automated daily backups with configurable retention.

Manual Backups (On-Premises)

For self-managed PostgreSQL deployments:
Use pg_dump -Fc (custom format) for backups. It supports parallel restore and selective table restoration, and compresses data automatically.

Point-in-Time Recovery

For production deployments, enable WAL archiving for point-in-time recovery:

Keycloak Backup

Keycloak state is primarily stored in its PostgreSQL database, but realm configuration can also be exported as JSON for version control.
Realm exports include user accounts but not user credentials (passwords). Users will need to reset passwords after a realm import. SSO users are unaffected since their credentials are managed by the external IdP.

OpenFGA Backup

OpenFGA stores its authorization model and relationship tuples in PostgreSQL. The database backup covers all OpenFGA state. For additional safety, export the authorization model:

Secrets Backend Backup

The platform supports two secrets backends. Back up whichever you are using.
Infisical manages application secrets including data connection credentials. Back up the Infisical database (PostgreSQL infisical database) and preserve the encryption keys.
Infisical secrets are encrypted at rest. Backing up the database preserves the encrypted data, but you must also preserve the ENCRYPTION_KEY and AUTH_SECRET for restoration, without them, encrypted data cannot be decrypted.

Redis Backup

Redis serves as a cache and event stream. While cache data is ephemeral, you may want to back up Redis for faster recovery:

Restore Procedures

Restore PostgreSQL Databases

Restore Keycloak Realms

Restore from Cloud Managed Backups

Backup Schedule Recommendations

ComponentFrequencyRetentionMethod
PostgreSQL (all DBs)Daily + continuous WAL30 daysCloud-managed or pg_dump
Keycloak realm exportsWeekly90 daysJSON export
OpenFGA modelOn changeIndefiniteJSON export in version control
RedisDaily7 daysRDB snapshot
Secrets backend (Infisical)Daily30 daysDatabase backup with encryption keys
Secrets backend (GCP SM)N/A, managedIndefiniteGCP retains all versions; document IAM bindings in Terraform

Disaster Recovery Checklist

1

Restore PostgreSQL databases

Restore all platform databases from the latest backup. Verify row counts and data integrity.
2

Restore Keycloak

Import realm configurations. SSO users will re-authenticate via their IdP. Local users may need password resets.
3

Verify OpenFGA schema

Confirm the authorization model is loaded. The Governance service re-applies the schema on startup.
4

Restore secrets backend

Infisical: Restore the Infisical database and encryption keys. Verify data connection credentials are accessible. ESO + GCP Secret Manager: Verify GCP Secret Manager secrets are intact and ESO ClusterSecretStore can authenticate via Workload Identity.
5

Restart platform services

Follow the startup order: PostgreSQL -> Redis -> Keycloak -> OpenFGA -> Governance -> Assets/Utils -> Solutions.
6

Validate end-to-end

Run health checks on all services. Test authentication, permission checks, and data connection queries.

Next Steps

Deployment Overview

Review the full deployment architecture and infrastructure requirements.

Helm Configuration

Configure Helm values for backup-related settings.

GDPR Compliance

Understand data retention requirements for GDPR compliance.

Network Security

Secure backup data in transit and at rest.