Version: 2.8

Configure Portworx Backup for S3 object store

Learn how to configure Portworx Backup with an S3 object store secured using TLS. This topic outlines the process of adding S3 object store certificates to your deployment, configuring custom CA certificates, and properly setting up the environment for secure backups. Whether you are deploying for the first time or updating an existing configuration, these steps ensure a seamless integration with TLS-enabled S3 storage.

You will also find instructions on setting up OpenShift routes to access the Portworx Backup web interface securely and details on managing related services like Keycloak and Grafana through a unified endpoint. This guide is tailored for users prioritizing secure data handling in their cloud-native environments.

Configure Portworx Backup

To configure the Portworx Backup deployment specification:

  1. Create a secret in the central namespace with the S3 object store certificate, assuming the file public.crt contains the certificate:

    kubectl create ns central
    kubectl -n central create secret generic px-s3-certs --from-file=public.crt
  2. Pass the following parameter to the helm installation or upgrade command:

    --set caCertsSecretName=px-s3-certs

    This setting adds the SSL_CERT_DIR parameter to the backup deployment.

    If you have added this parameter manually, delete the cronjob and then restart the Portworx Backup pod by executing the following commands:

    kubectl -n <px-backup-namespace> get cronjob | grep ^full-main | awk '{print $1}' | xargs kubectl -n <px-backup-namespace> delete cronjob
    kubectl -n <px-backup-namespace> get cronjob | grep ^quick-main | awk '{print $1}' | xargs kubectl -n <px-backup-namespace> delete cronjob
    kubectl delete pods -n <px-backup-namespace> <px-backup-pod-name>

    Example:

    kubectl -n px-backup get cronjob | grep ^full-main | awk '{print $1}' | xargs kubectl -n px-backup delete cronjob
    kubectl -n px-backup get cronjob | grep ^quick-main | awk '{print $1}' | xargs kubectl -n px-backup delete cronjob
    kubectl delete pods -n px-backup px-backup-f56cdcbd9-rvb65

    For more information on installing and upgrading Portworx Backup, refer to the Install Portworx Backup and Upgrade Portworx Backup sections, respectively.
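A pre-flight check for the certificate file used in step 1, as an added example that is not part of the Portworx documentation. The function names check_ca_bundle and create_s3_cert_secret are hypothetical, and the openssl expiry check is an assumption about what you want verified; the kubectl command is the one from step 1.

```shell
#!/bin/sh
# Added example: validate a PEM file before storing it in the px-s3-certs secret.

# check_ca_bundle FILE
#   0 = one or more well-formed CERTIFICATE blocks, no key material
#   1 = missing or empty, 2 = private key present, 3 = malformed PEM
check_ca_bundle() {
    f=$1
    [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
    # The secret is mounted into the backup pod; it must hold public certs only.
    if grep -q -- 'PRIVATE KEY-----' "$f"; then
        echo "refusing: $f contains a private key" >&2
        return 2
    fi
    awk '
        { sub(/\r$/, "") }   # tolerate CRLF line endings
        /^-----BEGIN CERTIFICATE-----$/ { if (inside) bad = 1; inside = 1; body = 0; next }
        /^-----END CERTIFICATE-----$/   { if (!inside || !body) bad = 1; inside = 0; n++; next }
        inside { if ($0 !~ "^[A-Za-z0-9+/=]+$") bad = 1; body++ }
        END { exit ((bad || inside || n == 0) ? 3 : 0) }
    ' "$f" || { echo "malformed PEM in $f" >&2; return 3; }
}

# create_s3_cert_secret FILE: run the check, then the kubectl command from step 1.
create_s3_cert_secret() {
    check_ca_bundle "$1" || return
    # Optional: reject an expired first certificate when openssl is installed.
    if command -v openssl >/dev/null 2>&1; then
        openssl x509 -in "$1" -noout -checkend 0 >/dev/null || {
            echo "certificate in $1 is expired or unreadable" >&2; return 4; }
    fi
    # key=path form keeps the secret key named public.crt whatever FILE is called.
    kubectl -n central create secret generic px-s3-certs --from-file=public.crt="$1"
}

# Usage: create_s3_cert_secret public.crt
```

The structural check rejects a file whose Base64 body contains characters outside the Base64 alphabet, so a certificate copied with elided or wrapped text fails before it reaches the cluster.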

Alternatively, you can configure Portworx Backup by creating a secret in the same namespace where you deploy Portworx Backup and setting the caCertsSecretName parameter:

  1. Configure custom CA certificate:

    a. Create a secret containing the CA certificates in the release namespace.
    For example:

    apiVersion: v1
    stringData:
      ca.crt: |
        -----BEGIN CERTIFICATE-----
        MIIEczCCA1ugAwIBAgIBADANBgkqhkiG9w0BAQQFAD..AkGA1UEBhMCR0Ix
        EzARBgNVBAgTClNvbWUtU3RhdGUxFDASBgNVBAoTC0..0EgTHRkMTcwNQYD
        VQQLEy5DbGFzcyAxIFB1YmxpYyBQcmltYXJ5IENlcn..XRpb24gQXV0aG9y
        aXR5MRQwEgYDVQQDEwtCZXN0IENBIEx0ZDAeFw0wMD..TUwMTZaFw0wMTAy
        MDQxOTUwMTZaMIGHMQswCQYDVQQGEwJHQjETMBEGA1..29tZS1TdGF0ZTEU
        MBIGA1UEChMLQmVzdCBDQSBMdGQxNzA1BgNVBAsTLk..DEgUHVibGljIFBy
        aW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFD..AMTC0Jlc3QgQ0Eg
        THRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCg..Tz2mr7SZiAMfQyu
        vBjM9OiJjRazXBZ1BjP5CE/Wm/Rr500PRK+Lh9x5eJ../ANBE0sTK0ZsDGM
        ak2m1g7oruI3dY3VHqIxFTz0Ta1d+NAjwnLe4nOb7/..k05ShhBrJGBKKxb
        8n104o/5p8HAsZPdzbFMIyNjJzBM2o5y5A13wiLitE..fyYkQzaxCw0Awzl
        kVHiIyCuaF4wj571pSzkv6sv+4IDMbT/XpCo8L6wTa..sh+etLD6FtTjYbb
        rvZ8RQM1tlKdoMHg2qxraAV++HNBYmNWs0duEdjUbJ..XI9TtnS4o1Ckj7P
        OfljiQIDAQABo4HnMIHkMB0GA1UdDgQWBBQ8urMCRL..5AkIp9NJHJw5TCB
        tAYDVR0jBIGsMIGpgBQ8urMCRLYYMHUKU5AkIp9NJH..aSBijCBhzELMAkG
        A1UEBhMCR0IxEzARBgNVBAgTClNvbWUtU3RhdGUxFD..AoTC0Jlc3QgQ0Eg
        THRkMTcwNQYDVQQLEy5DbGFzcyAxIFB1YmxpYyBQcm..ENlcnRpZmljYXRp
        b24gQXV0aG9yaXR5MRQwEgYDVQQDEwtCZXN0IENBIE..DAMBgNVHRMEBTAD
        AQH/MA0GCSqGSIb3DQEBBAUAA4IBAQC1uYBcsSncwA..DCsQer772C2ucpX
        xQUE/C0pWWm6gDkwd5D0DSMDJRqV/weoZ4wC6B73f5..bLhGYHaXJeSD6Kr
        XcoOwLdSaGmJYslLKZB3ZIDEp0wYTGhgteb6JFiTtn..sf2xdrYfPCiIB7g
        BMAV7Gzdc4VspS6ljrAhbiiawdBiQlQmsBeFz9JkF4..b3l8BoGN+qMa56Y
        It8una2gY4l2O//on88r5IWJlm1L0oA8e4fR2yrBHX..adsGeFKkyNrwGi/
        7vQMfXdGsRrXNGRGnX+vWDZ3/zWI0joDtCkNnqEpVn..HoX
        -----END CERTIFICATE-----
    kind: Secret
    metadata:
      name: ca-certs
      namespace: px-backup

    b. Pass the secret name to the chart using the --set caCertsSecretName=<SECRET_NAME> flag.

  2. Expose the Portworx Backup user interface on OpenShift routes and access it using HTTP and HTTPS:

    a. Create a single route with a hostname and the path / and point it to the px-central-ui service.
    b. Access the Portworx Backup web console using the route endpoint.

    Note: Keycloak authentication and the Grafana UI are accessible on the same endpoint at different paths: /auth and /grafana.