Secrets Backup

DataRobot encrypts sensitive data at rest and secures backend services with passwords. When backing up a DataRobot cluster, you must also back up the secrets used to secure the DataRobot environment. These secrets must be backed up at the same time as the databases.

If these files and directories are not backed up and restored as part of the DataRobot cluster, you may lose access to data and analytics stored in the DataRobot environment.

These secrets cannot be recovered by DataRobot and it is critical that they are secured as part of your data management policy.

Prerequisites

Before starting the backup process, ensure you have the following tools installed on the host where the backup will be created:

  • jq utility
  • kubectl version 1.23
  • kubectl configured to access the Kubernetes cluster where DataRobot is running
  • Verify access with: kubectl cluster-info

Backup DataRobot Secrets

DataRobot secrets include authentication and connection data used by various internal platform services. This includes connection details to Persistent Critical Services such as MongoDB, PostgreSQL, RabbitMQ, and ElasticSearch.

The following commands get all secrets with the label app.kubernetes.io/instance=dr and save their data into JSON files that share the name of the secret itself.

Step 1: Set Environment Variables

Export the DataRobot application Kubernetes namespace:

export DR_CORE_NAMESPACE=<namespace>

Define the backup storage location (this guide uses ~/datarobot-backups/):

export BACKUP_LOCATION=~/datarobot-backups/

Step 2: Backup All Managed Secrets

The following command retrieves all secrets with the label app.kubernetes.io/instance=dr and saves their data into JSON files:

mkdir -p "${BACKUP_LOCATION}/secrets/dr"
for secret in $(kubectl -n "$DR_CORE_NAMESPACE" get secrets -l app.kubernetes.io/instance=dr -o name); do
  kubectl -n "$DR_CORE_NAMESPACE" get "$secret" -o json | jq '{data}' > "${BACKUP_LOCATION}/secrets/dr/${secret#*/}.json"
done

NOTE: Valid only for 10.X versions.

The following command retrieves all secrets with the label app.kubernetes.io/instance=pcs and saves their data into JSON files:

mkdir -p "${BACKUP_LOCATION}/secrets/pcs"
for secret in $(kubectl -n "$DR_CORE_NAMESPACE" get secrets -l app.kubernetes.io/instance=pcs -o name); do
  kubectl -n "$DR_CORE_NAMESPACE" get "$secret" -o json | jq '{data}' > "${BACKUP_LOCATION}/secrets/pcs/${secret#*/}.json"
done

Backup Encryption Keys

While encryption keys are included in the general secrets backup above, we recommend creating additional dedicated backups of these critical keys for MongoDB data decryption.

Backup MongoDB Encryption Keys

mkdir -p "${BACKUP_LOCATION}/secrets"
kubectl -n "$DR_CORE_NAMESPACE" get secret/core-credentials -o jsonpath="{.data.asymmetrickey}" \
| base64 -d > "${BACKUP_LOCATION}/secrets/ASYMMETRIC_KEY_PAIR_MONGO_ENCRYPTION_KEY.txt"
kubectl -n "$DR_CORE_NAMESPACE" get secret/core-credentials -o jsonpath="{.data.drsecurekey}" \
| base64 -d > "${BACKUP_LOCATION}/secrets/DRSECURE_MONGO_ENCRYPTION_KEY.txt"

Backup Custom Certificates

If your DataRobot cluster uses custom certificates defined during installation, these must be backed up separately.

Step 1: Check for Custom Certificates

Check if your cluster configuration includes a globals.certs section:

helm get values dr

If custom certificates are configured, you'll see a section that looks similar to this:

globals:
  certs:
    - secret: rabbit-cert
      path: rabbit/rabbit-cert.pem

Note: These secrets are preconfigured outside of DataRobot, which is why they must be backed up separately if being used.

Step 2: Backup Custom Certificate Secrets

For each custom certificate secret identified in your configuration, create individual backups:

mkdir -p ${BACKUP_LOCATION}/secrets/certs
kubectl -n $DR_CORE_NAMESPACE get secret <secret_name> -o jsonpath='{.data.*}' > ${BACKUP_LOCATION}/secrets/certs/<secret_name>.crt

Replace <secret_name> with the actual secret name from your configuration (e.g., rabbit-cert).
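
An added check, not part of DataRobot's documentation, that can be run over ${BACKUP_LOCATION}/secrets once the steps above finish. It flags files that a failed kubectl call left empty, JSON backups where jq wrote "data": null, and files readable by group or others (the key files hold decoded key material, and the JSON files hold base64-encoded secret values). The function name and finding labels are assumptions.

```sh
# Added example (not DataRobot code): audit a backup tree such as
# ${BACKUP_LOCATION}/secrets. Function name and finding labels are assumptions.
# Prints one finding per line; returns 0 if clean, 1 on findings, 2 if no tree.
audit_secret_backups() {
  asb_root=$1
  if [ ! -d "$asb_root" ]; then
    echo "MISSING_DIR $asb_root"
    return 2
  fi
  asb_report=$(
    find "$asb_root" -type f | while IFS= read -r asb_file; do
      if [ ! -s "$asb_file" ]; then
        # The redirect creates the file even when kubectl fails or the
        # jsonpath key is absent, so a zero-byte file means nothing was saved.
        echo "EMPTY $asb_file"
      elif grep -Eq '"data":[[:space:]]*null' "$asb_file"; then
        # jq '{data}' writes "data": null for a secret without a data field.
        echo "NO_DATA $asb_file"
      fi
      # Characters 5-10 of the ls mode string are the group and other bits.
      asb_mode=$(ls -ld "$asb_file" | cut -c5-10)
      if [ "$asb_mode" != "------" ]; then
        echo "LOOSE_PERMS $asb_file"
      fi
    done
  )
  if [ -z "$asb_report" ]; then
    return 0
  fi
  printf '%s\n' "$asb_report"
  return 1
}

# Typical use after the backup steps:
#   umask 077   # set before running the backup so new files are owner-only
#   audit_secret_backups "${BACKUP_LOCATION}/secrets" || echo "backup needs attention"
```

Running `umask 077` in the shell before the backup commands makes every file they create owner-only, so the LOOSE_PERMS finding should not appear on a fresh backup.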