Basic disaster recovery scenario

This guide explain how to recover the declared state from an existing Git repository.

Prerequisites

  • A new Kubernetes cluster.
  • BYO Git repository URL and credentials (the repository used in the original installation).
  • Sealed-secrets key pair backup exported from the original cluster.

Configure recovery mode

  1. Edit the values.yaml file used for the original BYO Git installation.

  2. Add installation.mode: recovery and embed the contents of the sealed-secrets-key.yaml exported under installation.recovery.manifests:

    installation:
      mode: recovery
      recovery:
        manifests:
          apiVersion: v1
          items:
            - apiVersion: v1
              data:
                tls.crt: <base64-encoded certificate>
                tls.key: <base64-encoded private key>
              kind: Secret
              metadata:
                labels:
                  sealedsecrets.bitnami.com/sealed-secrets-key: active
                name: sealed-secrets-key
               namespace: sealed-secrets
              type: kubernetes.io/tls
          kind: List
          metadata:
            resourceVersion: ""

    The values for tls.crt and tls.key come directly from the sealed-secrets-key.yaml backup file — they are already base64-encoded. See Sealed Secrets Key Recovery for the export command.

  3. Install the platform:

    helm install apl apl/apl -f values.yaml

What happens in recovery mode

When the operator starts in recovery mode:

  1. It bootstraps the App Platform and deploys the sealed-secrets controller.
  2. Then it clones the existing BYO Git repository and applies the manifests to the cluster.
  3. The sealed-secrets controller decrypts the existing SealedSecret manifests from the BYO Git repository using the restored key.
📘

For more information on the sealed-secrets key pair and backup procedures, see Sealed Secrets Key Recovery.