Configure PX-Backup using an internal S3 object store with TLS enabled


This topic explains how to configure PX-Backup to use an internal S3-compatible object store that is secured with TLS.

You need to add the secure S3 object store certificate to the following components so that each of them can reach the S3 object store for its task:

  • Stork: to backup Kubernetes resources
  • PX-Backup: to create backup locations in the UI
  • Portworx nodes: to backup Portworx volumes

NOTE: Stork and Portworx must be installed and configured on every cluster that you add in the PX-Backup UI.

The following sections explain how you can add the secure S3 object store certificate to each component:

Stork

You need to modify the Stork deployment to add a secret mount containing the custom certificate, and then add an environment variable that points to the mounted certificate.

NOTE: If you deployed Stork using the Portworx Operator, you need to remove Stork from the storage cluster and redeploy it standalone, because the operator does not allow you to modify the Stork deployment and reverts any changes.

To remove Stork from the storage cluster, edit the storage cluster resource and set the stork option to false. Then you can deploy a standalone version of Stork using the following command:

```text
curl -fsL -o stork-spec.yaml "https://install.portworx.com/2.8?comp=stork&storkNonPx=true"
kubectl apply -f stork-spec.yaml
```

To modify Stork deployment:

  1. Create a secret in the kube-system namespace with the S3 object store certificate, assuming the file public.crt contains the certificate:

    kubectl -n kube-system create secret generic px-s3-certs --from-file=public.crt
  2. Edit the stork deployment:

    kubectl -n kube-system
  3. Add an environment variable AWS_CA_BUNDLE:

    env:
    - name: PX_SERVICE_NAME
      value: portworx-api
    - name: AWS_CA_BUNDLE
      value: /etc/pwx/s3cert/public.crt
  4. Add a volume mount:

    volumeMounts:
    - mountPath: /etc/pwx/s3cert
      name: px-s3-certs
  5. Add a volume:

    volumes:
    - name: px-s3-certs
      secret:
        defaultMode: 420
        secretName: px-s3-certs
  6. Save the changes, and wait for the Stork pods to restart.

PX-Backup

To configure the PX-Backup deployment specification:

  1. Create a secret in the central namespace with the S3 object store certificate, assuming the file public.crt contains the certificate:

    kubectl -n central create secret generic px-s3-certs --from-file=public.crt
  2. Edit the PX-Backup deployment:

    kubectl -n central
  3. Add an environment variable AWS_CA_BUNDLE:

    env:
    - name: PX_SERVICE_NAME
      value: portworx-api
    - name: AWS_CA_BUNDLE
      value: /etc/pwx/s3cert/public.crt
  4. Add a volume mount:

    volumeMounts:
    - mountPath: /etc/pwx/s3cert
      name: px-s3-certs
  5. Add a volume:

    volumes:
    - name: px-s3-certs
      secret:
        defaultMode: 420
        secretName: px-s3-certs

Alternatively, you can configure PX-Backup by creating a secret in the same namespace where you deploy PX-Backup and passing its name to the chart through the caCertsSecretName parameter:

  1. Configure custom CA certificate:

    • Create a secret containing the CA certificate in the release namespace. For example:

      apiVersion: v1
      kind: Secret
      metadata:
        name: ca-certs
        namespace: px-backup
      stringData:
        ca.crt: |
          -----BEGIN CERTIFICATE-----
          MIIEczCCA1ugAwIBAgIBADANBgkqhkiG9w0BAQQFAD..AkGA1UEBhMCR0Ix
          EzARBgNVBAgTClNvbWUtU3RhdGUxFDASBgNVBAoTC0..0EgTHRkMTcwNQYD
          VQQLEy5DbGFzcyAxIFB1YmxpYyBQcmltYXJ5IENlcn..XRpb24gQXV0aG9y
          aXR5MRQwEgYDVQQDEwtCZXN0IENBIEx0ZDAeFw0wMD..TUwMTZaFw0wMTAy
          MDQxOTUwMTZaMIGHMQswCQYDVQQGEwJHQjETMBEGA1..29tZS1TdGF0ZTEU
          MBIGA1UEChMLQmVzdCBDQSBMdGQxNzA1BgNVBAsTLk..DEgUHVibGljIFBy
          aW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFD..AMTC0Jlc3QgQ0Eg
          THRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCg..Tz2mr7SZiAMfQyu
          vBjM9OiJjRazXBZ1BjP5CE/Wm/Rr500PRK+Lh9x5eJ../ANBE0sTK0ZsDGM
          ak2m1g7oruI3dY3VHqIxFTz0Ta1d+NAjwnLe4nOb7/..k05ShhBrJGBKKxb
          8n104o/5p8HAsZPdzbFMIyNjJzBM2o5y5A13wiLitE..fyYkQzaxCw0Awzl
          kVHiIyCuaF4wj571pSzkv6sv+4IDMbT/XpCo8L6wTa..sh+etLD6FtTjYbb
          rvZ8RQM1tlKdoMHg2qxraAV++HNBYmNWs0duEdjUbJ..XI9TtnS4o1Ckj7P
          OfljiQIDAQABo4HnMIHkMB0GA1UdDgQWBBQ8urMCRL..5AkIp9NJHJw5TCB
          tAYDVR0jBIGsMIGpgBQ8urMCRLYYMHUKU5AkIp9NJH..aSBijCBhzELMAkG
          A1UEBhMCR0IxEzARBgNVBAgTClNvbWUtU3RhdGUxFD..AoTC0Jlc3QgQ0Eg
          THRkMTcwNQYDVQQLEy5DbGFzcyAxIFB1YmxpYyBQcm..ENlcnRpZmljYXRp
          b24gQXV0aG9yaXR5MRQwEgYDVQQDEwtCZXN0IENBIE..DAMBgNVHRMEBTAD
          AQH/MA0GCSqGSIb3DQEBBAUAA4IBAQC1uYBcsSncwA..DCsQer772C2ucpX
          xQUE/C0pWWm6gDkwd5D0DSMDJRqV/weoZ4wC6B73f5..bLhGYHaXJeSD6Kr
          XcoOwLdSaGmJYslLKZB3ZIDEp0wYTGhgteb6JFiTtn..sf2xdrYfPCiIB7g
          BMAV7Gzdc4VspS6ljrAhbiiawdBiQlQmsBeFz9JkF4..b3l8BoGN+qMa56Y
          It8una2gY4l2O//on88r5IWJlm1L0oA8e4fR2yrBHX..adsGeFKkyNrwGi/
          7vQMfXdGsRrXNGRGnX+vWDZ3/zWI0joDtCkNnqEpVn..HoX
          -----END CERTIFICATE-----
    • Pass the secret name to the chart using the --set caCertsSecretName=<SECRET_NAME> flag.

  2. Expose the PX-Backup UI on OpenShift routes and access it over HTTP and HTTPS:

    • Create a single route with a hostname and the path /, and point it to the px-central-ui service.
    • Access the PX-Backup UI using the route endpoint.

NOTE: Keycloak authentication and the Grafana UI are accessible on the same endpoint under different paths: /auth and /grafana.

Portworx Enterprise

The configuration for Portworx Enterprise depends on how you deployed it. If you deployed using the:

  • Portworx daemonset: follow steps 1 to 5 in the Stork section, substituting the appropriate Portworx Enterprise namespace values.
  • Portworx operator: manually add the certificate on each Portworx node, as described below.

To configure Portworx Enterprise:

  1. Add the certificate to all Portworx nodes. For example, if the file public.crt contains the certificate, copy it to every node at the following location:

    /etc/pwx/s3certs/public.crt

    You may need to create the s3certs directory. Make sure the certificate ends up in a directory under /etc/pwx, because only that directory is host-mounted into the Portworx container.

  2. Edit the storage cluster resource and add an environment variable pointing to the certificate in the directory created above:

    spec:
      env:
      - name: "AWS_CA_BUNDLE"
        value: "/etc/pwx/s3certs/public.crt"
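
The following script is an added example, not part of the Portworx documentation or product: it performs the Stork, PX-Backup and Portworx Enterprise steps above in one place, checking that the file really is a PEM certificate, creating or updating the secret, and applying the env/volume changes as a strategic merge patch so that re-running it does not duplicate entries. It assumes (these names are not on the page) that the Stork Deployment and container are both called stork in kube-system, that the PX-Backup ones are both called px-backup in central, and that kubectl is on the PATH.

```shell
#!/usr/bin/env sh
# Added example, not Portworx project code: applies the steps above idempotently.
# Assumed (not on the page): Stork's Deployment/container is "stork" in kube-system,
# PX-Backup's is "px-backup" in central. kubectl is needed only when run with arguments.
set -eu
MOUNT_DIR=/etc/pwx/s3cert                # secret mount inside Stork / PX-Backup pods
NODE_CERT=/etc/pwx/s3certs/public.crt    # file copied by hand to each Portworx node
# Only /etc/pwx is host-mounted into the Portworx container; a bundle elsewhere is invisible.
under_pwx() { case "$1" in /etc/pwx/*) return 0 ;; *) return 1 ;; esac; }
# Refuse to build the secret from a file that is not a PEM certificate.
is_pem_cert() { grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; }
# Strategic merge patch: env, volumeMounts and volumes merge by name/mountPath, so
# re-running never duplicates entries (a JSON-patch "add .../-" would append again).
deployment_ca_patch() {  # $1 = container name
cat <<EOF
spec:
  template:
    spec:
      containers:
      - name: $1
        env:
        - name: AWS_CA_BUNDLE
          value: ${MOUNT_DIR}/public.crt
        volumeMounts:
        - name: px-s3-certs
          mountPath: ${MOUNT_DIR}
      volumes:
      - name: px-s3-certs
        secret:
          secretName: px-s3-certs
          defaultMode: 420
EOF
}

# Operator-managed Portworx: only the env var goes into the StorageCluster resource.
storagecluster_ca_patch() {
  under_pwx "$NODE_CERT" || { echo "$NODE_CERT is not under /etc/pwx" >&2; return 1; }
  printf 'spec:\n  env:\n  - name: AWS_CA_BUNDLE\n    value: %s\n' "$NODE_CERT"
}

# usage: apply_deployment <namespace> <deployment> <container> <cert-file>
apply_deployment() {
  is_pem_cert "$4" || { echo "$4 is not a PEM certificate" >&2; return 1; }
  kubectl -n "$1" create secret generic px-s3-certs --from-file=public.crt="$4" \
    --dry-run=client -o yaml | kubectl apply -f -                    # create or update
  kubectl -n "$1" patch deployment "$2" --type strategic -p "$(deployment_ca_patch "$3")"
  kubectl -n "$1" rollout status deployment "$2"
}
[ $# -eq 0 ] || apply_deployment "$@"   # e.g. ./s3ca.sh kube-system stork stork public.crt
```

For the operator case, apply the output of storagecluster_ca_patch with kubectl patch storagecluster <name> --type merge after copying the file to the nodes.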

Last edited: Friday, Oct 15, 2021