neo4j-kubernetes-operator/examples/backup-restore/pitr-setup-complete.yaml at main · neo4j-partners/neo4j-kubernetes-operator · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
# Complete Point-in-Time Recovery Setup
# This file demonstrates a complete PITR environment setup including:
# - Base backup configuration
# - Transaction log storage setup
# - Secrets for encryption
# - Example PITR restore configuration

---
# Base backup for PITR
apiVersion: neo4j.neo4j.com/v1alpha1
kind: Neo4jBackup
metadata:
  name: pitr-base-backup
  labels:
    environment: production
    backup-type: pitr-base
    pitr: "true"
spec:
  target:
    kind: Cluster
    name: production-cluster
  schedule: "0 0 * * *"  # Daily base backup at midnight
  storage:
    type: s3
    bucket: pitr-base-backups
    path: production/base
    cloud:
      provider: aws
      region: us-east-1
  retention:
    maxAge: "30d"
    maxCount: 30
    deletePolicy: Delete
  options:
    compress: true
    verify: true
    encryption:
      enabled: true
      keySecret: pitr-encryption-key
      algorithm: AES256
    additionalArgs:
      - "--parallel-recovery"
      - "--include-metadata"

---
# Transaction log backup (conceptual - would be handled by Neo4j configuration)
# This shows the expected configuration for transaction log storage
apiVersion: v1
kind: ConfigMap
metadata:
  name: pitr-transaction-log-config
data:
  neo4j.conf: |
    # Transaction log configuration for PITR
    dbms.tx_log.rotation.retention_policy=7d
    dbms.tx_log.rotation.size=250M

    # Archive transaction logs to cloud storage
    dbms.backup.archive_transaction_logs=true
    dbms.backup.transaction_log_archive.path=s3://transaction-logs/production/logs/
    dbms.backup.transaction_log_archive.compression=true
    dbms.backup.transaction_log_archive.encryption=true

---
# Encryption key for PITR backups and transaction logs
apiVersion: v1
kind: Secret
metadata:
  name: pitr-encryption-key
type: Opaque
data:
  # Generate with: openssl rand -base64 32
  key: <base64-encoded-32-byte-encryption-key>

---
# AWS credentials for PITR storage access
apiVersion: v1
kind: Secret
metadata:
  name: pitr-aws-credentials
type: Opaque
data:
  AWS_ACCESS_KEY_ID: <base64-encoded-access-key>
  AWS_SECRET_ACCESS_KEY: <base64-encoded-secret-key>

---
# Example PITR restore configuration
apiVersion: neo4j.neo4j.com/v1alpha1
kind: Neo4jRestore
metadata:
  name: pitr-example-restore
  labels:
    environment: disaster-recovery
    restore-type: pitr-example
spec:
  targetCluster: recovery-cluster
  databaseName: production-db
  source:
    type: pitr
    pointInTime: "2025-01-04T12:00:00Z"  # Adjust to desired recovery point
    pitr:
      baseBackup:
        type: backup
        backupRef: pitr-base-backup
      logStorage:
        type: s3
        bucket: transaction-logs
        path: production/logs
        cloud:
          provider: aws
          region: us-east-1
      logRetention: "7d"
      recoveryPointObjective: "5m"
      validateLogIntegrity: true
      compression:
        enabled: true
        algorithm: gzip
        level: 6
      encryption:
        enabled: true
        keySecret: pitr-encryption-key
        algorithm: AES256
  options:
    verifyBackup: true
    replaceExisting: true
    preRestore:
      cypherStatements:
        - "CALL dbms.backup.prepare()"
        - "CALL db.checkpoint()"
      job:
        template:
          container:
            image: alpine:latest
            command: ["/bin/sh"]
            args:
              - "-c"
              - |
                echo "=== PITR Pre-Restore Preparation ==="
                echo "Target cluster: recovery-cluster"
                echo "Database: production-db"
                echo "Recovery point: 2025-01-04T12:00:00Z"
                echo "Validating recovery environment..."
                sleep 5
                echo "Pre-restore preparation completed"
        timeout: "10m"
    postRestore:
      cypherStatements:
        - "CALL db.awaitIndexes(600)"
        - "CALL dbms.security.clearAuthCache()"
        - "CREATE CONSTRAINT pitr_recovery_log IF NOT EXISTS FOR (n:RecoveryLog) REQUIRE n.id IS UNIQUE"
        - |
          MERGE (log:RecoveryLog {id: randomUUID()})
          SET log.timestamp = datetime(),
              log.recovery_type = 'PITR',
              log.recovery_point = '2025-01-04T12:00:00Z',
              log.target_cluster = 'recovery-cluster',
              log.source_backup = 'pitr-base-backup'
      job:
        template:
          container:
            image: neo4j:5.26.0-enterprise
            command: ["/bin/sh"]
            args:
              - "-c"
              - |
                echo "=== PITR Post-Restore Validation ==="
                echo "Connecting to restored database..."

                # Basic connectivity test
                cypher-shell -u neo4j -p $NEO4J_PASSWORD -d production-db \
                  "CALL db.ping() YIELD success RETURN success"

                # Data validation
                echo "Validating data integrity..."
                cypher-shell -u neo4j -p $NEO4J_PASSWORD -d production-db \
                  "MATCH (n) RETURN labels(n)[0] as label, count(n) as count ORDER BY label"

                # Check recovery log
                echo "Verifying recovery log..."
                cypher-shell -u neo4j -p $NEO4J_PASSWORD -d production-db \
                  "MATCH (log:RecoveryLog) WHERE log.recovery_type = 'PITR'
                   RETURN log ORDER BY log.timestamp DESC LIMIT 1"

                echo "PITR validation completed successfully"
            env:
              - name: NEO4J_PASSWORD
                valueFrom:
                  secretKeyRef:
                    name: recovery-cluster-admin-secret
                    key: password
        timeout: "20m"
  force: true
  stopCluster: true
  timeout: "4h"

---
# Recovery cluster admin secret (create this for your recovery environment)
apiVersion: v1
kind: Secret
metadata:
  name: recovery-cluster-admin-secret
type: Opaque
data:
  username: bmVvNGo=  # neo4j
  password: <base64-encoded-admin-password>

---
# Service account for PITR operations with appropriate permissions
apiVersion: v1
kind: ServiceAccount
metadata:
  name: pitr-service-account
  annotations:
    # AWS IAM role for S3 access (if using IAM roles instead of access keys)
    eks.amazonaws.com/role-arn: arn:aws:iam::YOUR-ACCOUNT:role/neo4j-pitr-role

---
# RBAC for PITR operations
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pitr-operator-role
rules:
  - apiGroups: ["neo4j.neo4j.com"]
    resources: ["neo4jbackups", "neo4jrestores", "neo4jenterpriseclusters"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["batch"]
    resources: ["jobs", "cronjobs"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: [""]
    resources: ["secrets", "configmaps", "persistentvolumeclaims"]
    verbs: ["get", "list", "watch"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: pitr-operator-binding
subjects:
  - kind: ServiceAccount
    name: pitr-service-account
    namespace: default
roleRef:
  kind: ClusterRole
  name: pitr-operator-role
  apiGroup: rbac.authorization.k8s.io