Configure Portworx Backup using an S3 object store with TLS enabled
This topic explains how to configure Portworx Backup with a secure S3 compatible object store having a self-signed certificate.
You need to configure the following components to add the secure S3 object store certificate. This configuration enables the components to perform the following tasks by accessing the S3 object store:
- Stork: to back up Kubernetes resources
- Portworx Backup: to create backup locations in the UI
- Portworx nodes: to back up Portworx volumes
The following sections explain how you can add the secure S3 object store certificate to each component:
Stork
You need to modify the Stork deployment file to add a secret mount with the custom certificate, and then add an environment variable pointing to the secret mount.
Create a secret in the namespace where Stork is deployed with the S3 object store certificate, assuming the file
public.crtcontains the certificate:kubectl -n <stork-deployed-namespace> create secret generic px-s3-certs --from-file=public.crt
After performing the above task, you can deploy Stork using any one of the two methods specified below:
1. Portworx operator method with storage cluster - stc:
Update the stork section of stc spec with the following configuration settings:
spec: stork: enabled: true env: - name: AWS_CA_BUNDLE value: /etc/pwx/s3cert/public.crt - name: SSL_CERT_DIR value: /etc/pwx/s3cert volumes: - mountPath: /etc/pwx/s3cert name: px-s3-certs secret: items: - key: public.crt path: public.crt secretName: px-s3-certs
2. Directly applying stork.spec by modifying the Stork deployment:
To modify the Stork deployment, perform the below steps.
Edit the Stork deployment:
kubectl edit deployment stork -n <stork-deployed-namespace>Add
AWS_CA_BUNDLEandSSL_CERT_DIRenvironment variables:env: - name: PX_SERVICE_NAME value: portworx-api - name: AWS_CA_BUNDLE value: /etc/pwx/s3cert/public.crt - name: SSL_CERT_DIR value: /etc/pwx/s3certAdd volume mounts:
volumeMounts: - mountPath: /etc/pwx/s3cert name: px-s3-certsAdd a volume:
volumes: - name: px-s3-certs secret: defaultMode: 420 secretName: px-s3-certsSave the changes and wait for the Stork pods to restart.
Portworx Backup
To configure the Portworx Backup deployment specification:
Create a secret in the
centralnamespace with the S3 object store certificate, assuming the filepublic.crtcontains the certificate:kubectl create ns central kubectl -n central create secret generic px-s3-certs --from-file=public.crtSet the following parameter with the install or upgrade command with helm:
--set caCertsSecretName=px-s3-certsAbove command adds the parameter
SSL_CERT_DIRto the backup deployment.If you have added this parameter manually, delete the cronjob and then restart the Portworx Backup pod by executing the following commands:
kubectl -n <px-backup-namespace> get cronjob | grep ^full-main | awk '{print $1}' | xargs kubectl -n <px-backup-namespace> delete cronjob kubectl -n <px-backup-namespace> get cronjob | grep ^quick-main | awk '{print $1}' | xargs kubectl -n <px-backup-namespace> delete cronjob kubectl delete pods -n <px-backup-namespace> <px-backup-pod-name>Example:
kubectl -n central get cronjob | grep ^full-main | awk '{print $1}' | xargs kubectl -n central delete cronjob kubectl -n central get cronjob | grep ^quick-main | awk '{print $1}' | xargs kubectl -n central delete cronjob kubectl delete pods -n px-backup px-backup-f56cdcbd9-rvb65
For more information on installation and upgrade of Portworx Backup, refer to Install Portworx Backup and Upgrade Portworx Backup sections respectively.
You can configure Portworx Backup by creating a secret on the same namespace where you deploy Portworx Backup, and set the caCertsSecretName parameter:
Configure custom CA certificate:
Create a secret with CA certificates into the release namespace. For example:
apiVersion: v1 stringData: ca.crt: | -----BEGIN CERTIFICATE----- MIIEczCCA1ugAwIBAgIBADANBgkqhkiG9w0BAQQFAD..AkGA1UEBhMCR0Ix EzARBgNVBAgTClNvbWUtU3RhdGUxFDASBgNVBAoTC0..0EgTHRkMTcwNQYD VQQLEy5DbGFzcyAxIFB1YmxpYyBQcmltYXJ5IENlcn..XRpb24gQXV0aG9y aXR5MRQwEgYDVQQDEwtCZXN0IENBIEx0ZDAeFw0wMD..TUwMTZaFw0wMTAy MDQxOTUwMTZaMIGHMQswCQYDVQQGEwJHQjETMBEGA1..29tZS1TdGF0ZTEU MBIGA1UEChMLQmVzdCBDQSBMdGQxNzA1BgNVBAsTLk..DEgUHVibGljIFBy aW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFD..AMTC0Jlc3QgQ0Eg THRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCg..Tz2mr7SZiAMfQyu vBjM9OiJjRazXBZ1BjP5CE/Wm/Rr500PRK+Lh9x5eJ../ANBE0sTK0ZsDGM ak2m1g7oruI3dY3VHqIxFTz0Ta1d+NAjwnLe4nOb7/..k05ShhBrJGBKKxb 8n104o/5p8HAsZPdzbFMIyNjJzBM2o5y5A13wiLitE..fyYkQzaxCw0Awzl kVHiIyCuaF4wj571pSzkv6sv+4IDMbT/XpCo8L6wTa..sh+etLD6FtTjYbb rvZ8RQM1tlKdoMHg2qxraAV++HNBYmNWs0duEdjUbJ..XI9TtnS4o1Ckj7P OfljiQIDAQABo4HnMIHkMB0GA1UdDgQWBBQ8urMCRL..5AkIp9NJHJw5TCB tAYDVR0jBIGsMIGpgBQ8urMCRLYYMHUKU5AkIp9NJH..aSBijCBhzELMAkG A1UEBhMCR0IxEzARBgNVBAgTClNvbWUtU3RhdGUxFD..AoTC0Jlc3QgQ0Eg THRkMTcwNQYDVQQLEy5DbGFzcyAxIFB1YmxpYyBQcm..ENlcnRpZmljYXRp b24gQXV0aG9yaXR5MRQwEgYDVQQDEwtCZXN0IENBIE..DAMBgNVHRMEBTAD AQH/MA0GCSqGSIb3DQEBBAUAA4IBAQC1uYBcsSncwA..DCsQer772C2ucpX xQUE/C0pWWm6gDkwd5D0DSMDJRqV/weoZ4wC6B73f5..bLhGYHaXJeSD6Kr XcoOwLdSaGmJYslLKZB3ZIDEp0wYTGhgteb6JFiTtn..sf2xdrYfPCiIB7g BMAV7Gzdc4VspS6ljrAhbiiawdBiQlQmsBeFz9JkF4..b3l8BoGN+qMa56Y It8una2gY4l2O//on88r5IWJlm1L0oA8e4fR2yrBHX..adsGeFKkyNrwGi/ 7vQMfXdGsRrXNGRGnX+vWDZ3/zWI0joDtCkNnqEpVn..HoX -----END CERTIFICATE----- kind: Secret metadata: name: ca-certs namespace: px-backupPass the secret name to the chart using
--set caCertsSecretName=<SECRET_NAME>flag.
Expose Portworx Backup user interface on openshift routes and access using
httpandhttps:- Create a single route with hostname and path
/and point it to thepx-central-uiservice. - Access Portworx Backup UI using route endpoint.
- Create a single route with hostname and path
/auth and /grafana.
Portworx Enterprise
The configuration to Portworx Enterprise depends on how you deployed it. For more information, refer to Certificates as Kubernetes Secrets.