Backup and Restore Platform Data

This guide covers backup and restore procedures for all stateful components of CRAFT. Each service owns its own database, and infrastructure services (Keycloak, OpenFGA, Infisical) maintain independent state that must be backed up separately.

Stateful Components

The platform has the following stateful components that require backup:

| Component | Storage | Data |
| --- | --- | --- |
| Governance DB | PostgreSQL | Organizations, projects, users, role assignments |
| Assets DB | PostgreSQL | Artifacts, data connections, files, models |
| Utils DB | PostgreSQL | Data catalog, scheduling, context packs, memories |
| Keycloak | PostgreSQL | Realms, users, IdP configurations, sessions |
| OpenFGA | PostgreSQL | Authorization model, relationship tuples |
| Infisical | Internal store | Application secrets, data connection credentials |
| Redis | In-memory + AOF | Cache, session state, event streams |
| Solution DBs | PostgreSQL | Data Insights sessions, Data Governance profiles |

Each service has a separate PostgreSQL database. There are no cross-service foreign keys, so databases can be backed up independently without coordination.

PostgreSQL Backup

Automated Backups (Cloud-Managed)

For cloud-managed PostgreSQL (Cloud SQL, RDS, Azure Database):
Cloud SQL provides automated daily backups with configurable retention.
# Enable automated backups
gcloud sql instances patch <instance-name> \
  --backup-start-time=02:00 \
  --retained-backups-count=30 \
  --retained-transaction-log-days=7

# Create an on-demand backup
gcloud sql backups create --instance=<instance-name>

# List available backups
gcloud sql backups list --instance=<instance-name>

Manual Backups (On-Premises)

For self-managed PostgreSQL deployments:
# Back up all platform databases
DATABASES="keycloak openfga infisical governance assets utils prefect datareadiness talk2data"
BACKUP_DIR="/backups/emergence/$(date +%Y%m%d_%H%M%S)"
mkdir -p "$BACKUP_DIR"

for db in $DATABASES; do
  pg_dump -h localhost -U postgres -Fc -f "$BACKUP_DIR/$db.dump" "$db"
done

# Verify backups
for dump in "$BACKUP_DIR"/*.dump; do
  pg_restore --list "$dump" > /dev/null && echo "OK: $dump" || echo "FAILED: $dump"
done

Use pg_dump -Fc (custom format) for backups. It supports parallel restore and selective table restoration, and compresses data automatically.
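
The verification loop above only proves that each dump was readable when it was written. As an added example (not part of the CRAFT documentation), the functions below record a SHA-256 manifest after the pg_dump loop and re-check it before a restore; the function names and the SHA256SUMS file name are assumptions.

```bash
#!/usr/bin/env bash
# Added example: seal a dump directory after the pg_dump loop, then check it
# again before any pg_restore. Function names are hypothetical.

# seal_backup DIR: owner-only permissions plus a SHA-256 manifest of *.dump.
seal_backup() {
  local dir="$1"
  chmod 700 "$dir" || return 1
  (
    cd "$dir" || exit 1
    set -- *.dump
    [ -e "$1" ] || { echo "no dumps in $dir" >&2; exit 1; }
    chmod 600 -- "$@" && sha256sum -- "$@" > SHA256SUMS
  )
}

# verify_backup DIR [DB...]: fail on a missing manifest, a checksum mismatch,
# or an expected database that has no dump listed in the manifest.
verify_backup() {
  local dir="$1" db
  shift
  [ -s "$dir/SHA256SUMS" ] || { echo "no manifest in $dir" >&2; return 1; }
  ( cd "$dir" && sha256sum -c SHA256SUMS > /dev/null ) || return 1
  for db in "$@"; do
    grep -q "[ *]${db}\.dump\$" "$dir/SHA256SUMS" \
      || { echo "no dump for database: $db" >&2; return 1; }
  done
}

# Demo on constructed files standing in for real pg_dump output.
demo=$(mktemp -d)
printf 'constructed dump A' > "$demo/governance.dump"
printf 'constructed dump B' > "$demo/keycloak.dump"
seal_backup "$demo"
verify_backup "$demo" governance keycloak && echo "OK: manifest matches"
printf 'x' >> "$demo/keycloak.dump"   # simulate corruption after sealing
verify_backup "$demo" governance keycloak 2>/dev/null || echo "FAILED: change detected"
rm -rf "$demo"
```

A manifest stored beside the dumps catches truncation and bit rot. To detect deliberate modification as well, copy SHA256SUMS to a location the backup host cannot write to.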

Point-in-Time Recovery

For production deployments, enable WAL archiving for point-in-time recovery:
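# postgresql.conf
archive_mode = on
# Refuse to overwrite a WAL segment that is already archived; a non-zero exit
# makes PostgreSQL keep the segment and retry the archive later.
archive_command = 'test ! -f /archive/wal/%f && cp %p /archive/wal/%f'
wal_level = replica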

Keycloak Backup

Keycloak state is primarily stored in its PostgreSQL database, but realm configuration can also be exported as JSON for version control.
# Export realm configuration (includes users, IdPs, clients)
# Run from within the Keycloak container or pod
/opt/keycloak/bin/kc.sh export \
  --dir /tmp/keycloak-export \
  --realm <realm-name> \
  --users realm_file

# Copy the export out of the container
kubectl cp <keycloak-pod>:/tmp/keycloak-export ./keycloak-backup/

Realm exports include user accounts but not user credentials (passwords). Users will need to reset passwords after a realm import. SSO users are unaffected since their credentials are managed by the external IdP.

OpenFGA Backup

OpenFGA stores its authorization model and relationship tuples in PostgreSQL. The database backup covers all OpenFGA state. For additional safety, export the authorization model:
# Export the current authorization model
curl -s "http://<openfga-host>:8080/stores/<store-id>/authorization-models" \
  -H "Authorization: Bearer $TOKEN" | jq . > openfga-model-backup.json

Secrets Backend Backup

The platform supports two secrets backends. Back up whichever you are using.
Infisical manages application secrets, including data connection credentials. Back up the Infisical database (the PostgreSQL infisical database) and preserve the encryption keys.

Infisical secrets are encrypted at rest. Backing up the database preserves the encrypted data, but you must also preserve the ENCRYPTION_KEY and AUTH_SECRET for restoration. Without them, encrypted data cannot be decrypted.

pg_dump -h localhost -U postgres -Fc -f infisical-backup.dump infisical
# Also export the encryption key from the infisical-bootstrap-secret.
# The YAML holds the key material base64-encoded, not encrypted: store it
# encrypted and apart from the database dump.
kubectl get secret infisical-bootstrap-secret -n em-runtime -o yaml > infisical-bootstrap-secret.yaml
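
Because the database dump is useless without the keys, it is worth confirming that the exported Secret actually carries both of them before relying on it. The following is an added example, not part of the CRAFT documentation; it assumes the Secret's data keys are named ENCRYPTION_KEY and AUTH_SECRET, and the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: check an exported infisical-bootstrap-secret before trusting
# it as a backup. Assumes the Secret's data keys are named ENCRYPTION_KEY and
# AUTH_SECRET (the names this page uses for the values); adjust if they differ.

# secret_value FILE KEY: decode KEY from the data: block of a
# `kubectl get secret -o yaml` export.
secret_value() {
  awk -v key="$2" '
    /^data:/        { in_data = 1; next }
    /^[^[:space:]]/ { in_data = 0 }
    in_data && $1 == (key ":") { print $2; exit }
  ' "$1" | base64 -d
}

# check_bootstrap_backup FILE: succeed only if both values decode to non-empty
# strings and the file is not accessible to group or others.
check_bootstrap_backup() {
  local file="$1" key val perms
  for key in ENCRYPTION_KEY AUTH_SECRET; do
    val=$(secret_value "$file" "$key" 2>/dev/null) || val=""
    [ -n "$val" ] || { echo "missing or empty: $key" >&2; return 1; }
  done
  perms=$(ls -ld -- "$file" | cut -c5-10)   # group + other permission bits
  [ "$perms" = "------" ] || { echo "group/other access on $file" >&2; return 1; }
}

# Demo on a constructed export (values are placeholders, not real keys).
demo=$(mktemp)
cat > "$demo" <<EOF
apiVersion: v1
data:
  AUTH_SECRET: $(printf 'constructed-auth-secret' | base64)
  ENCRYPTION_KEY: $(printf 'constructed-encryption-key' | base64)
kind: Secret
EOF
check_bootstrap_backup "$demo" && echo "OK: both keys present"
rm -f "$demo"
```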

Redis Backup

Redis serves as a cache and event stream. While cache data is ephemeral, you may want to back up Redis for faster recovery:
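# Trigger a manual RDB snapshot
# (REDISCLI_AUTH passes the password without exposing it in the process list, unlike -a)
REDISCLI_AUTH="$REDIS_PASSWORD" redis-cli BGSAVE

# Copy the dump file
# (BGSAVE runs in the background; wait until LASTSAVE reports a newer timestamp before copying)
kubectl cp <redis-pod>:/data/dump.rdb ./redis-backup/dump.rdb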

Restore Procedures

Restore PostgreSQL Databases

# Restore a single database from a custom-format dump
pg_restore -h localhost -U postgres -d governance -Fc --clean --if-exists governance.dump

# Restore all platform databases
for db in keycloak openfga infisical governance assets utils prefect datareadiness talk2data; do
  pg_restore -h localhost -U postgres -d "$db" -Fc --clean --if-exists "$db.dump"
done

Restore Keycloak Realms

# Import realm configuration
/opt/keycloak/bin/kc.sh import \
  --dir /tmp/keycloak-import \
  --override true

Restore from Cloud-Managed Backups

# Restore from an automated backup
gcloud sql backups restore <backup-id> \
  --restore-instance=<instance-name>

Backup Schedule Recommendations

| Component | Frequency | Retention | Method |
| --- | --- | --- | --- |
| PostgreSQL (all DBs) | Daily + continuous WAL | 30 days | Cloud-managed or pg_dump |
| Keycloak realm exports | Weekly | 90 days | JSON export |
| OpenFGA model | On change | Indefinite | JSON export in version control |
| Redis | Daily | 7 days | RDB snapshot |
| Secrets backend (Infisical) | Daily | 30 days | Database backup with encryption keys |
| Secrets backend (GCP SM) | N/A, managed | Indefinite | GCP retains all versions; document IAM bindings in Terraform |

Disaster Recovery Checklist

1. Restore PostgreSQL databases

   Restore all platform databases from the latest backup. Verify row counts and data integrity.

2. Restore Keycloak

   Import realm configurations. SSO users will re-authenticate via their IdP. Local users may need password resets.

3. Verify OpenFGA schema

   Confirm the authorization model is loaded. The Governance service re-applies the schema on startup.

4. Restore secrets backend

   Infisical: Restore the Infisical database and encryption keys. Verify data connection credentials are accessible.

   ESO + GCP Secret Manager: Verify GCP Secret Manager secrets are intact and ESO ClusterSecretStore can authenticate via Workload Identity.

5. Restart platform services

   Follow the startup order: PostgreSQL -> Redis -> Keycloak -> OpenFGA -> Governance -> Assets/Utils -> Solutions.

6. Validate end-to-end

   Run health checks on all services. Test authentication, permission checks, and data connection queries.
