Configure PX-Backup using an S3 object store with TLS enabled


This topic explains how to configure PX-Backup with a secure S3 compatible object store having a self-signed certificate.

You need to configure the following components to add the secure S3 object store certificate. This configuration enables the components to perform the following tasks by accessing the S3 object store:

  • Stork: to back up Kubernetes resources
  • PX-Backup: to create backup locations in the UI
  • Portworx nodes: to back up Portworx volumes
NOTE: Configure Stork and install Portworx on all the clusters added in the PX-Backup UI.

The following sections explain how you can add the secure S3 object store certificate to each component:

Stork

You need to modify the Stork deployment file to add a secret mount with the custom certificate, and then add an environment variable pointing to the secret mount.

  • Create a secret in the kube-system namespace with the S3 object store certificate, assuming the file public.crt contains the certificate:

    kubectl -n kube-system create secret generic px-s3-certs --from-file=public.crt

After performing the above task, you can deploy Stork using any one of the two methods specified below:

1. Portworx operator method with storage cluster - stc:

  • Update the stork section of stc spec with the following configuration settings:

     spec:
       stork:
        enabled: true
        env:
        - name: AWS_CA_BUNDLE
          value: /etc/pwx/s3cert/public.crt
        - name: SSL_CERT_DIR
          value: /etc/pwx/s3cert
        volumes:
        - mountPath: /etc/pwx/s3cert
          name: px-s3-certs
          secret:
            items:
            - key: public.crt
              path: public.crt
            secretName: px-s3-certs

2. Directly applying stork.spec by modifying the Stork deployment:

To modify the Stork deployment, perform the below steps.

  • Edit the Stork deployment:

    kubectl edit deployment stork -n kube-system
  • Add AWS_CA_BUNDLE and SSL_CERT_DIR environment variables:

    env:
    - name: PX_SERVICE_NAME
      value: portworx-api
    - name: AWS_CA_BUNDLE
      value: /etc/pwx/s3cert/public.crt
    - name: SSL_CERT_DIR
      value: /etc/pwx/s3cert
  • Add volume mounts:

    volumeMounts:
    - mountPath: /etc/pwx/s3cert
      name: px-s3-certs
  • Add a volume:

    volumes:
    - name: px-s3-certs
      secret:
        defaultMode: 420
        secretName: px-s3-certs
  • Save the changes and wait for the Stork pods to restart.

PX-Backup

To configure the PX-Backup deployment specification:

  1. Create a secret in the central namespace with the S3 object store certificate, assuming the file public.crt contains the certificate:

    kubectl create ns central
    kubectl -n central create secret generic px-s3-certs --from-file=public.crt
  2. Set the following parameter with the install or upgrade command with helm:

    --set caCertsSecretName=px-s3-certs

    Above command adds the parameter SSL_CERT_DIR to the backup deployment.

    If you have added this parameter manually, delete the cronjob and then restart the PX-Backup pod by executing the following commands:

    kubectl -n <px-backup-namespace> get cronjob | grep ^full-main | awk '{print $1}' | xargs kubectl -n <px-backup-namespace> delete cronjob
    kubectl -n <px-backup-namespace> get cronjob | grep ^quick-main | awk '{print $1}' | xargs kubectl -n <px-backup-namespace> delete cronjob
    kubectl delete pods -n <px-backup-namespace> <px-backup-pod-name>

    Example:

    kubectl -n central get cronjob | grep ^full-main | awk '{print $1}' | xargs kubectl -n central delete cronjob
    kubectl -n central get cronjob | grep ^quick-main | awk '{print $1}' | xargs kubectl -n central delete cronjob
    kubectl delete pods -n px-backup px-backup-f56cdcbd9-rvb65

For more information on installation and upgrade of PX-Backup, refer to Install PX-Backup and Upgrade PX-Backup sections respectively.

You can configure PX-Backup by creating a secret on the same namespace where you deploy PX-Backup, and set the caCertsSecretName parameter:

  1. Configure custom CA certificate:

    • Create a secret with CA certificates into the release namespace. For example:

      apiVersion: v1
      stringData:
      ca.crt: |
      -----BEGIN CERTIFICATE-----
      MIIEczCCA1ugAwIBAgIBADANBgkqhkiG9w0BAQQFAD..AkGA1UEBhMCR0Ix
      EzARBgNVBAgTClNvbWUtU3RhdGUxFDASBgNVBAoTC0..0EgTHRkMTcwNQYD
      VQQLEy5DbGFzcyAxIFB1YmxpYyBQcmltYXJ5IENlcn..XRpb24gQXV0aG9y
      aXR5MRQwEgYDVQQDEwtCZXN0IENBIEx0ZDAeFw0wMD..TUwMTZaFw0wMTAy
      MDQxOTUwMTZaMIGHMQswCQYDVQQGEwJHQjETMBEGA1..29tZS1TdGF0ZTEU
      MBIGA1UEChMLQmVzdCBDQSBMdGQxNzA1BgNVBAsTLk..DEgUHVibGljIFBy
      aW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFD..AMTC0Jlc3QgQ0Eg
      THRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCg..Tz2mr7SZiAMfQyu
      vBjM9OiJjRazXBZ1BjP5CE/Wm/Rr500PRK+Lh9x5eJ../ANBE0sTK0ZsDGM
      ak2m1g7oruI3dY3VHqIxFTz0Ta1d+NAjwnLe4nOb7/..k05ShhBrJGBKKxb
      8n104o/5p8HAsZPdzbFMIyNjJzBM2o5y5A13wiLitE..fyYkQzaxCw0Awzl
      kVHiIyCuaF4wj571pSzkv6sv+4IDMbT/XpCo8L6wTa..sh+etLD6FtTjYbb
      rvZ8RQM1tlKdoMHg2qxraAV++HNBYmNWs0duEdjUbJ..XI9TtnS4o1Ckj7P
      OfljiQIDAQABo4HnMIHkMB0GA1UdDgQWBBQ8urMCRL..5AkIp9NJHJw5TCB
      tAYDVR0jBIGsMIGpgBQ8urMCRLYYMHUKU5AkIp9NJH..aSBijCBhzELMAkG
      A1UEBhMCR0IxEzARBgNVBAgTClNvbWUtU3RhdGUxFD..AoTC0Jlc3QgQ0Eg
      THRkMTcwNQYDVQQLEy5DbGFzcyAxIFB1YmxpYyBQcm..ENlcnRpZmljYXRp
      b24gQXV0aG9yaXR5MRQwEgYDVQQDEwtCZXN0IENBIE..DAMBgNVHRMEBTAD
      AQH/MA0GCSqGSIb3DQEBBAUAA4IBAQC1uYBcsSncwA..DCsQer772C2ucpX
      xQUE/C0pWWm6gDkwd5D0DSMDJRqV/weoZ4wC6B73f5..bLhGYHaXJeSD6Kr
      XcoOwLdSaGmJYslLKZB3ZIDEp0wYTGhgteb6JFiTtn..sf2xdrYfPCiIB7g
      BMAV7Gzdc4VspS6ljrAhbiiawdBiQlQmsBeFz9JkF4..b3l8BoGN+qMa56Y
      It8una2gY4l2O//on88r5IWJlm1L0oA8e4fR2yrBHX..adsGeFKkyNrwGi/
      7vQMfXdGsRrXNGRGnX+vWDZ3/zWI0joDtCkNnqEpVn..HoX
      -----END CERTIFICATE-----
      kind: Secret
      metadata:
        name: ca-certs
        namespace: px-backup
    • Pass the secret name to the chart using --set caCertsSecretName=<SECRET_NAME> flag.

  2. Expose PX-Backup UI on openshift routes and access using http and https:

    • Create a single route with hostname and path / and point it to the px-central-ui service.
    • Access PX-Backup UI using route endpoint.
NOTE: Keycloak authentication and Grafana UI are accessible on the same endpoint on different paths: /auth and /grafana.

Portworx Enterprise

The configuration to Portworx Enterprise depends on how you deployed it. For more information, refer to Certificates as Kubernetes Secrets.


Last edited: Monday, Oct 3, 2022