feat: Add MinIO backup

adskyiproger · adskyiproger · commit c59ff01ae1b9 · 2025-08-22T15:20:51.000+03:00
diff --git a/charts/dependencies/README.md b/charts/dependencies/README.md
@@ -74,7 +74,7 @@ This section allows you to configure the deployment and authentication settings
 | data_storage_size | string | 5Gi | Persistent volume claim size for Elasticsearch data volume |
 | backup_storage_size | string | 1Gi | Persistent volume claim size for Elasticsearch backup volume |
 | backup_schedule | string | `n/a` | Backup cronjob schedule, if not defined then values from `backup.schedule` is used |
-| backup_server_dir | string | `n/a` | Directory to store elasticsearch encrypted backup on backup server, if not defined `backup.backup_server_dir` is used |
+| backup_server_dir | string | `n/a` | Directory to store encrypted backup on backup server, if not defined `backup.backup_server_dir` is used |
 
 ## MinIO
 
@@ -83,6 +83,8 @@ This section allows you to configure the deployment and authentication settings
 | enabled | true | Enable or disable minio service |
 | use_default_credentials | true | Default credentials for MinIO are username `minioadmin` and password `minioadmin`. |
 | data_storage_size | string | 1Gi | Persistent volume claim size for MinIO data volume |
+| backup_schedule | string | `n/a` | Backup cronjob schedule, if not defined then values from `backup.schedule` is used |
+| backup_server_dir | string | `n/a` | Directory to store encrypted backup on backup server, if not defined `backup.backup_server_dir` is used |
 
 Setting `use_default_credentials` to `false` will generate strong password for MinIO.
 
diff --git a/charts/dependencies/files/minio/backup.sh b/charts/dependencies/files/minio/backup.sh
@@ -0,0 +1,95 @@
+#!/usr/bin/env bash
+
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# OpenCRVS is also distributed under the terms of the Civil Registration
+# & Healthcare Disclaimer located at http://opencrvs.org/license.
+#
+# Copyright (C) The OpenCRVS Authors located at https://github.com/opencrvs/opencrvs-core/blob/master/AUTHORS.
+
+# Initial variables configuration
+# Today's date is used for filenames if LABEL is not provided
+BACKUP_DATE=$(date +%Y-%m-%d)
+# Local directory inside container where minio data is mounted
+BACKUP_DIR="/data"
+# Temporal directory inside container to store data
+BACKUP_PATH=/tmp/minio-backup
+mkdir -p $BACKUP_PATH
+# Temporal archive path inside container
+ARCHIVE_PATH="/tmp/minio_backup_${BACKUP_DATE}.tar.gz"
+# Remote directory on backup server
+REMOTE_DIR="${BACKUP_REMOTE_DIR:-"/home/$BACKUP_USER"}/$BACKUP_DATE"
+# Number of retries for backup creation
+MAX_RETRIES=10
+# Backup encryption password
+ENCRYPT_PASS=${ENCRYPT_PASS:?Must provide ENCRYPT_PASS}
+
+BACKUP_MODE=${BACKUP_MODE:-"fs"}
+# Install required tools
+apk add --no-cache bash curl openssl openssh jq rsync minio-client
+
+# Mirror data before backup
+# Works well on any minio installation but is slower and requires additional disk space
+backup_mirror(){
+  MINIO_ALIAS=local
+  mcli alias set $MINIO_ALIAS http://minio:3535 $MINIO_ROOT_USER $MINIO_ROOT_PASSWORD
+
+  # Figure out buckets to back up
+  if [ -z "$BUCKETS" ]; then
+    # All buckets
+    BUCKETS=$(mcli ls --json $MINIO_ALIAS | jq -r .key | sed 's:/$::')
+  fi
+  echo "Backing up MinIO buckets: $BUCKETS"
+  echo "Destination: $BACKUP_PATH"
+  for bucket in $BUCKETS; do
+    echo "Backing up bucket: $bucket"
+    mcli mirror --overwrite $MINIO_ALIAS/$bucket "$BACKUP_PATH/$bucket"
+  done
+
+  echo "Backup completed! Buckets saved at: $BACKUP_PATH"
+  cd $BACKUP_PATH && tar -zcvf $ARCHIVE_PATH .
+}
+
+# Backup entire filesystem
+# Works well on single node installation and is fastest way to create backup
+backup_fs(){
+  echo "[$(date +%F\ %H:%M:%S)] Archive backup at $ARCHIVE_PATH"
+  cd /data && tar -zcvf $ARCHIVE_PATH .
+}
+
+create_encrypted_backup(){
+  echo "[$(date +%F\ %H:%M:%S)] Encrypt backup at $ARCHIVE_PATH"
+  openssl enc -aes-256-cbc -pbkdf2 -salt -in "$ARCHIVE_PATH" -out "${ARCHIVE_PATH}.enc" -pass env:ENCRYPT_PASS
+  rm -f "$ARCHIVE_PATH"
+  echo "[$(date +%F\ %H:%M:%S)] Backup encrypted at ${ARCHIVE_PATH}.enc"
+}
+
+transfer_to_backup_host(){
+  echo "[$(date +%F\ %H:%M:%S)] Transfer backup to remote host"
+if rsync -avz \
+  --rsync-path="mkdir -p $REMOTE_DIR && rsync" \
+  -e "ssh -i /ssh/ssh_key -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null" \
+  "${ARCHIVE_PATH}.enc" "${BACKUP_USER}@${BACKUP_HOST}:${REMOTE_DIR}/"; then
+  echo "[$(date +%F\ %H:%M:%S)] Encrypted backup file ${ARCHIVE_PATH}.enc transferred to backup host ${BACKUP_HOST}:${REMOTE_DIR}"
+else
+  echo "[ERROR] Failed to transfer file ${ARCHIVE_PATH}.enc to backup host ${BACKUP_HOST}:${REMOTE_DIR}" >&2
+  exit 1
+fi
+  
+}
+
+echo "[$(date +%F\ %H:%M:%S)] Running backup container"
+
+echo "[$(date +%F\ %H:%M:%S)] Setup connection to container http://minio:3535"
+
+
+if [ $BACKUP_MODE == "fs" ]; then
+  backup_fs
+elif [ $BACKUP_MODE == "mirror" ]; then
+  backup_mirror
+fi
+create_encrypted_backup
+
+transfer_to_backup_host
diff --git a/charts/dependencies/templates/minio-scripts-configmap.yaml b/charts/dependencies/templates/minio-scripts-configmap.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+data:
+{{- range $path, $file := .Files.Glob "files/minio/*" }}
+    {{ base $path }}: |
+{{ toString $file | indent 8 }}
+{{- end }}
+kind: ConfigMap
+metadata:
+  labels:
+    app: minio
+  name: minio-scripts
diff --git a/charts/dependencies/templates/minio.yaml b/charts/dependencies/templates/minio.yaml
@@ -65,6 +65,17 @@ spec:
       targetPort: 3536
   selector:
     app: minio
+{{- if .Values.backup.enabled }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: minio-backup-jobs
+data:
+  root: |
+    {{ .Values.minio.backup_schedule | default .Values.backup.schedule }} /scripts/backup.sh >> /proc/1/fd/1 2>&1
+{{- end }}
+
 ---
 apiVersion: apps/v1
 kind: StatefulSet
@@ -73,11 +84,11 @@ metadata:
     app: minio
   name: minio
 spec:
-  serviceName: minio
   replicas: 1
   selector:
     matchLabels:
       app: minio
+  serviceName: minio
   template:
     metadata:
       labels:
@@ -135,6 +146,53 @@ spec:
           volumeMounts:
             - mountPath: /data
               name: minio
+      {{- if .Values.backup.enabled }}
+        - name: backup
+          command: ["crond", "-f", "-L", "/var/log/cron.log"]
+          image: "bash"
+          env:
+            - name: BACKUP_MODE
+              value: "mirror"
+          {{- if not .Values.minio.use_default_credentials }}
+            - name: MINIO_ROOT_USER
+              valueFrom:
+                secretKeyRef:
+                  name: minio-opencrvs-users
+                  key: MINIO_ROOT_USER
+            - name: MINIO_ROOT_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: minio-opencrvs-users
+                  key: MINIO_ROOT_PASSWORD
+          {{- end }}
+            - name: ENCRYPT_PASS
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.backup.backup_encryption_secret }}
+                  key: backup_encryption_key
+            - name: BACKUP_USER
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.backup.backup_server_secret }}
+                  key: user
+            - name: BACKUP_HOST
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.backup.backup_server_secret }}
+                  key: host
+            - name: BACKUP_REMOTE_DIR
+              value: "{{ .Values.minio.backup_server_dir | default .Values.backup.backup_server_dir }}"
+          volumeMounts:
+            - name: backup-ssh-key
+              mountPath: /ssh
+              readOnly: true
+            - mountPath: /data
+              name: minio
+            - mountPath: /scripts
+              name: minio-scripts
+            - name: crontab
+              mountPath: /etc/crontabs
+      {{- end }}
       restartPolicy: Always
       volumes:
         - name: minio
@@ -146,4 +204,20 @@ spec:
             path: {{ .Values.minio.host_data_path | default "/data/minio" }}
             type: DirectoryOrCreate
       {{- end }}
+      {{- if .Values.backup.enabled }}
+        - name: backup-ssh-key
+          secret:
+            secretName: {{ .Values.backup.backup_server_secret }}
+            defaultMode: 0400
+            items:
+              - key: ssh_key
+                path: ssh_key
+        - name: minio-scripts
+          configMap:
+            name: minio-scripts
+            defaultMode: 0755
+        - name: crontab
+          configMap:
+            name: minio-backup-jobs
+      {{- end }}
 {{- end }}
