Configure Stork and PXE for S3 object store
The following sections explain how to add the secure S3 object store certificate to the Stork and Portworx Enterprise components on the application cluster:
Stork
You need to modify the Stork deployment file to add a secret mount with the custom certificate, and then add an environment variable pointing to the secret mount.
- Create a secret in the namespace where Stork is deployed with the S3 object store certificate, assuming the file public.crt contains the certificate:

      kubectl -n <stork-deployed-namespace> create secret generic px-s3-certs --from-file=public.crt

After performing the above task, you can deploy Stork using either of the two methods below:
1. Portworx operator method with storage cluster - stc:

   - Update the stork section of stc spec with the following configuration settings:

         spec:
           stork:
             enabled: true
             env:
             - name: AWS_CA_BUNDLE
               value: /etc/pwx/s3cert/public.crt
             - name: SSL_CERT_DIR
               value: /etc/pwx/s3cert
             volumes:
             - mountPath: /etc/pwx/s3cert
               name: px-s3-certs
               secret:
                 items:
                 - key: public.crt
                   path: public.crt
                 secretName: px-s3-certs

2. Directly applying stork.spec by modifying the Stork deployment:

   To modify the Stork deployment, perform the below steps.

   - Edit the Stork deployment:

         kubectl edit deployment stork -n <stork-deployed-namespace>

   - Add AWS_CA_BUNDLE and SSL_CERT_DIR environment variables:

         env:
         - name: PX_SERVICE_NAME
           value: portworx-api
         - name: AWS_CA_BUNDLE
           value: /etc/pwx/s3cert/public.crt
         - name: SSL_CERT_DIR
           value: /etc/pwx/s3cert

   - Add volume mounts:

         volumeMounts:
         - mountPath: /etc/pwx/s3cert
           name: px-s3-certs

   - Add a volume:

         volumes:
         - name: px-s3-certs
           secret:
             defaultMode: 420
             secretName: px-s3-certs

   - Save the changes and wait for the Stork pods to restart.

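The environment variables, the volume mount and the secret volume must agree with each other, or Stork starts without the custom CA and TLS to the object store fails. The following Python check is an added example, not part of the Portworx documentation: it inspects the JSON from kubectl get deployment stork -o json (a constructed sample is embedded), and the function name check_ca_wiring and the container name "stork" are assumptions.

```python
import json
import posixpath

# Constructed sample: the relevant fields of `kubectl get deployment stork -o json`
# after the edits above. The container name "stork" is an assumption.
SAMPLE = json.loads("""
{"spec": {"template": {"spec": {
  "containers": [{
    "name": "stork",
    "env": [
      {"name": "PX_SERVICE_NAME", "value": "portworx-api"},
      {"name": "AWS_CA_BUNDLE", "value": "/etc/pwx/s3cert/public.crt"},
      {"name": "SSL_CERT_DIR", "value": "/etc/pwx/s3cert"}],
    "volumeMounts": [{"mountPath": "/etc/pwx/s3cert", "name": "px-s3-certs"}]}],
  "volumes": [{"name": "px-s3-certs",
               "secret": {"defaultMode": 420, "secretName": "px-s3-certs"}}]
}}}}
""")


def check_ca_wiring(deployment, secret_name="px-s3-certs"):
    """Return a list of problems; an empty list means env, mount and volume agree."""
    pod = deployment["spec"]["template"]["spec"]
    ctr = pod["containers"][0]
    env = {e["name"]: e.get("value", "") for e in ctr.get("env", [])}
    mounts = {m["mountPath"].rstrip("/"): m["name"] for m in ctr.get("volumeMounts", [])}
    volumes = {v["name"]: v for v in pod.get("volumes", [])}
    problems = []
    for var, is_file in (("AWS_CA_BUNDLE", True), ("SSL_CERT_DIR", False)):
        path = env.get(var, "").rstrip("/")
        if not path:
            problems.append(f"{var} is not set")
            continue
        # The bundle is a file inside the mount; the cert dir is the mount itself.
        mount_dir = posixpath.dirname(path) if is_file else path
        secret = volumes.get(mounts.get(mount_dir), {}).get("secret")
        if mount_dir not in mounts:
            problems.append(f"{var}: nothing is mounted at {mount_dir}")
        elif secret is None or secret.get("secretName") != secret_name:
            problems.append(f"{var}: {mount_dir} is not backed by secret {secret_name}")
        elif is_file and "items" in secret:
            # With an items list, only the listed paths appear in the mount.
            projected = [i["path"] for i in secret["items"]]
            if posixpath.basename(path) not in projected:
                problems.append(f"{var}: secret items do not project {posixpath.basename(path)}")
    return problems


if __name__ == "__main__":
    print(check_ca_wiring(SAMPLE) or "CA bundle wiring is consistent")
```
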
Portworx Enterprise
The configuration for Portworx Enterprise depends on how you deployed it. For more information, refer to Certificates as Kubernetes Secrets.