Version: 3.0

Configure Stork and Portworx Enterprise for S3

Applicable to both Classic and Federated modes

The following sections explain how to add the secure S3 object store certificate to the Stork and Portworx Enterprise components on the application cluster:

Stork

Modify the Stork deployment file to add a secret mount with the custom certificate, and then add an environment variable pointing to the secret mount.

  • Create a secret in the namespace where Stork is deployed with the S3 object store certificate, assuming the file public.crt contains the certificate:

    kubectl -n <stork-namespace> create secret generic px-s3-certs --from-file=public.crt

After performing the above task, you can deploy Stork using one of the two methods below:

1. Portworx operator method with storage cluster - stc:

  • Update the stork section of the stc spec with the following configuration settings:

    spec:
      stork:
        enabled: true
        env:
        - name: AWS_CA_BUNDLE
          value: /etc/pwx/s3cert/public.crt
        - name: SSL_CERT_DIR
          value: /etc/pwx/s3cert
        volumes:
        - name: px-s3-certs
          mountPath: /etc/pwx/s3cert
          secret:
            secretName: px-s3-certs
            items:
            - key: public.crt
              path: public.crt

caution

If Stork is deployed and managed by the Portworx Operator (via a StorageCluster resource), do not use Method 2. The Portworx Operator periodically reconciles the StorageCluster spec and will silently revert any manual edits made directly to the Stork deployment. Use Method 1 (StorageCluster spec) for all Operator-managed deployments.

2. Directly applying stork.spec by modifying the Stork deployment:

To modify the Stork deployment, perform the following steps.

  • Edit the Stork deployment:

    kubectl edit deployment stork -n <stork-namespace>

  • Add AWS_CA_BUNDLE and SSL_CERT_DIR environment variables:

    env:
    - name: PX_SERVICE_NAME
      value: portworx-api
    - name: AWS_CA_BUNDLE
      value: /etc/pwx/s3cert/public.crt
    - name: SSL_CERT_DIR
      value: /etc/pwx/s3cert

  • Add volume mounts:

    volumeMounts:
    - mountPath: /etc/pwx/s3cert
      name: px-s3-certs

  • Add a volume:

    volumes:
    - name: px-s3-certs
      secret:
        defaultMode: 420
        secretName: px-s3-certs

  • Save the changes and wait for the Stork Pods to restart.
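Because the Operator can silently revert manual edits, it helps to confirm that the certificate settings are still present in the live Deployment. The following checker is an added example, not part of the Portworx documentation: it reads the JSON from `kubectl get deployment stork -n <stork-namespace> -o json` and reports any mismatch between the environment variables, the volume mount, and the secret volume. The function names `check_stork_ca_config` and `reverted` are hypothetical, and the embedded sample is constructed.

```python
import copy
import json

# Values below come from the page; the checker itself is an added illustration.
EXPECTED_ENV = {"AWS_CA_BUNDLE": "/etc/pwx/s3cert/public.crt",
                "SSL_CERT_DIR": "/etc/pwx/s3cert"}
SECRET_NAME = "px-s3-certs"

def check_stork_ca_config(deployment):
    """Return a list of problems in a parsed Deployment; empty means consistent."""
    problems = []
    pod = deployment["spec"]["template"]["spec"]
    # Names of volumes backed by the certificate secret.
    cert_volumes = {v["name"] for v in pod.get("volumes", [])
                    if v.get("secret", {}).get("secretName") == SECRET_NAME}
    if not cert_volumes:
        problems.append(f"no volume references secret {SECRET_NAME}")
    for c in pod.get("containers", []):
        env = {e["name"]: e.get("value") for e in c.get("env", [])}
        mounts = [m["mountPath"].rstrip("/") for m in c.get("volumeMounts", [])
                  if m["name"] in cert_volumes]
        for name, want in EXPECTED_ENV.items():
            if env.get(name) != want:
                problems.append(f"{c['name']}: {name}={env.get(name)!r}, expected {want!r}")
            # The variable is useless unless its path sits inside a mount of the secret.
            elif not any(want == m or want.startswith(m + "/") for m in mounts):
                problems.append(f"{c['name']}: {name} is not under a {SECRET_NAME} mount")
    return problems

# Constructed sample shaped like `kubectl get deployment stork -o json` output.
SAMPLE = json.loads("""
{"spec": {"template": {"spec": {
  "containers": [{"name": "stork",
    "env": [{"name": "PX_SERVICE_NAME", "value": "portworx-api"},
            {"name": "AWS_CA_BUNDLE", "value": "/etc/pwx/s3cert/public.crt"},
            {"name": "SSL_CERT_DIR", "value": "/etc/pwx/s3cert"}],
    "volumeMounts": [{"name": "px-s3-certs", "mountPath": "/etc/pwx/s3cert"}]}],
  "volumes": [{"name": "px-s3-certs", "secret": {"secretName": "px-s3-certs"}}]
}}}}
""")

def reverted(deployment):
    """Copy of a Deployment with the env edits removed, simulating a reverted edit."""
    d = copy.deepcopy(deployment)
    for c in d["spec"]["template"]["spec"]["containers"]:
        c["env"] = [e for e in c.get("env", []) if e["name"] not in EXPECTED_ENV]
    return d

if __name__ == "__main__":
    print(check_stork_ca_config(SAMPLE), check_stork_ca_config(reverted(SAMPLE)))
```

An empty list means the variables, mount, and secret volume agree; each string in a non-empty list names the container and the setting that is missing or inconsistent.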

Portworx Enterprise

The configuration for Portworx Enterprise depends on how you deployed it. For more information, see Certificates as Kubernetes Secrets.