Version: 2.9

Configure Certificates

To securely integrate Portworx Backup (PXB) with TLS-enabled services, two configurations are essential: enabling encrypted communication with S3-compatible object stores, and setting up trusted certificate authority (CA) certificates for the identity providers used by Keycloak. For the S3 integration, the object store's TLS certificate must be added as a Kubernetes secret in the PXB central namespace. During PXB installation or upgrade via Helm, this secret is referenced with the caCertsSecretName parameter. The secret is mounted into the PXB pod and environment variables such as SSL_CERT_DIR are set accordingly, so the pod recognizes and trusts the S3 endpoint's certificate. Additional components such as Stork and Portworx Enterprise nodes must also be configured to mount the same secret and use the same environment variables, so that secure S3 communication is established across the whole backup ecosystem.

Similarly, when the Keycloak instance bundled with PXB is integrated with external identity providers over OIDC or LDAP, PXB must be configured to trust those providers' TLS certificates. This is achieved by creating a Kubernetes secret containing the external provider's public certificate and referencing it via the same caCertsSecretName parameter during Helm deployment or upgrade. The certificate is mounted into the Keycloak container so that it can establish secure, validated connections to the identity systems. After this is set up, restarting the PXB components and deleting the existing cronjobs ensures the change takes effect. Together, these configurations establish a trusted and encrypted environment for both data transfer and identity validation within Portworx Backup.
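The following script is an added example (not part of the Portworx documentation or tooling) showing how to package an S3 or identity-provider CA certificate as the Kubernetes secret that the caCertsSecretName parameter expects, with a sanity check that the bundle contains only certificates. The namespace `px-backup`, the secret name `pxb-ca-certs`, the key name `ca.crt` and the Helm release/chart placeholders are assumptions to replace with your deployment's values.

```shell
#!/bin/sh
# Added example, not Portworx's own tooling. Assumed values: namespace
# "px-backup", secret "pxb-ca-certs", data key "ca.crt"; replace as needed.
set -eu

# Refuse bundles that are not pure certificate material: a CA secret mounted
# into PXB, Stork and Keycloak must never carry a private key.
pem_is_cert_only() {
  grep -q 'BEGIN CERTIFICATE' "$1" || return 1
  ! grep -q 'PRIVATE KEY' "$1"
}

# Render the same Secret that
#   kubectl create secret generic NAME -n NS --from-file=ca.crt=PEM
# would create, so the manifest can be reviewed and kept in version control.
ca_secret_manifest() {
  name="$1"; ns="$2"; pem="$3"
  pem_is_cert_only "$pem" || { echo "refusing: $pem is not cert-only" >&2; return 1; }
  b64=$(base64 < "$pem" | tr -d '\n')
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\n' "$name" "$ns"
  printf 'type: Opaque\ndata:\n  ca.crt: %s\n' "$b64"
}

# Helm argument that wires the secret into PXB (the page's caCertsSecretName).
helm_ca_args() { printf -- '--set caCertsSecretName=%s' "$1"; }

# Apply the secret in the PXB central namespace and print the upgrade command.
# Needs cluster access; <release> and <chart> are placeholders.
apply_ca_secret() {
  ca_secret_manifest "$1" "$2" "$3" | kubectl apply -f -
  echo "helm upgrade <release> <chart> -n $2 $(helm_ca_args "$1")"
}

# Stand-alone demo with a constructed, non-real certificate block.
demo_pem=$(mktemp)
printf -- '-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQgU0FNUExFLCBOT1QgQSBSRUFMIENFUlQ=\n-----END CERTIFICATE-----\n' > "$demo_pem"
ca_secret_manifest pxb-ca-certs px-backup "$demo_pem"
rm -f "$demo_pem"
```

Run `apply_ca_secret pxb-ca-certs px-backup /path/to/ca.pem` against a cluster, then pass the printed `--set caCertsSecretName=...` argument to your helm install or upgrade.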