Disaster recovery & business continuity

Kravn is built to fit a regulated organization's continuity requirements. This page is the summary; the full, step-by-step runbook lives in DR_BCP.md in the repository.

The one rule

A backup you have never restored is not a backup. Test the restore end-to-end on a schedule.

What to protect

Everything Kravn keeps lives in two places — protect them together and in sync:

  • The database — all state: users, teams, RBAC, servers, endpoints, encrypted plugin credentials, the KMS-wrapped key material, and the hash-chained audit log. Back it up with your database's native tooling (pg_dump, mysqldump, BACKUP DATABASE, or a PVC snapshot for embedded SQLite).
  • The encryption key (KRAVN_SECRET, or the external KMS key when enabled) — it decrypts the database's secrets. A database restored against the wrong key cannot decrypt its own credentials. Escrow the key offline, separately from the database; for a KMS, follow its own geo-redundant DR.

Backups

  • Managed database: prefer the provider's native automated backups / point-in-time recovery.
  • Self-run database: schedule logical dumps (nightly for an RPO ≤ 24h, retained ≥ 30 days), encrypted at rest with restricted access.
  • Automated: the Helm chart ships an optional backup CronJob (backup.enabled) that runs your dump command against the configured database on a schedule.

Restore

Restore the database, set KRAVN_SECRET back to the same value the backup was written with (and restore KMS access if used), point Kravn at the restored database, and deploy the same-or-newer version — migrations run automatically. Then verify: log in, confirm a stored plugin credential still connects (proves the key matched), and run the audit-log integrity check.
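A pre-restore check for the key-mismatch failure described above, as an added example (not Kravn's code and not taken from DR_BCP.md): at backup time a small manifest is written next to the dump, and before a restore or scheduled restore drill it is checked against the dump and the KRAVN_SECRET about to be deployed. The manifest fields, the fingerprint label and the function names are assumptions made for this sketch, and it complements rather than replaces the login, plugin-credential and audit-log checks.

```python
import hashlib
import hmac

# Assumed label for this sketch; it is not a Kravn constant.
FP_LABEL = b"backup-key-fingerprint-v1"
RPO_SECONDS = 24 * 3600  # the page's nightly-dump target (RPO <= 24h)


def key_fingerprint(secret: bytes) -> str:
    """Non-reversible identifier for the key a backup was written with.

    Only safe when the secret is high-entropy random data; keep the
    manifest under the same access restrictions as the dump itself.
    """
    return hmac.new(secret, FP_LABEL, hashlib.sha256).hexdigest()


def make_manifest(dump: bytes, secret: bytes, now: float) -> dict:
    """Run at backup time, right after the dump command finishes."""
    return {
        "created": now,
        "dump_sha256": hashlib.sha256(dump).hexdigest(),
        "key_fp": key_fingerprint(secret),
    }


def preflight(manifest: dict, dump: bytes, secret: bytes, now: float) -> list:
    """Run before restoring; returns a list of problems (empty means go)."""
    problems = []
    digest = hashlib.sha256(dump).hexdigest()
    if not hmac.compare_digest(digest, manifest["dump_sha256"]):
        problems.append("dump does not match the digest recorded at backup time")
    if not hmac.compare_digest(key_fingerprint(secret), manifest["key_fp"]):
        problems.append("KRAVN_SECRET differs from the key the backup was written with")
    if now - manifest["created"] > RPO_SECONDS:
        problems.append("newest backup is older than the 24h RPO")
    return problems


if __name__ == "__main__":
    dump = b"-- constructed sample dump, not real Kravn data\n"
    good, wrong = b"\x01" * 32, b"\x02" * 32  # constructed sample keys
    manifest = make_manifest(dump, good, now=0.0)
    print(preflight(manifest, dump, good, now=3600.0))   # no problems
    print(preflight(manifest, dump, wrong, now=3600.0))  # key mismatch reported
```

A failed key check here costs seconds; discovering the same mismatch after migrations have run against the restored database costs the recovery window.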

High availability

Run multiple replicas with an external database, a shared store (the chart's Dragonfly option or your Redis-protocol endpoint), and a stable KRAVN_SECRET, so that rate-limiter and login state are shared across pods. Kravn is stateless beyond the database + key, so pods come up in seconds and spread across zones.

See the full runbook — including per-engine backup commands, the CronJob values, RPO/RTO guidance and the continuity checklist — in DR_BCP.md.

Source-available under the Business Source License 1.1 (converts to Apache 2.0). Built by AddLayer.