Version: 3.0

Configure Certificates

Applicable to both Classic and Federated modes

Integrating Portworx Backup with TLS-enabled services requires two configurations: trusting the certificate of an S3-compatible object store, and trusting the certificates of external identity providers used by the bundled Keycloak. For the S3 integration, add the CA certificate that issued the object store's TLS certificate (or the self-signed certificate itself) to a Kubernetes Secret in the Portworx Backup central namespace. During a Helm install or upgrade, reference that Secret with the caCertsSecretName parameter. Portworx Backup then mounts the Secret into its Pod and sets environment variables such as SSL_CERT_DIR to the mount path, so the TLS client validates the S3 endpoint's certificate chain against it instead of failing with an unknown-CA error. Stork and the Portworx Enterprise nodes also talk to the object store, so they must mount the same Secret and set the same environment variables; otherwise backups that run through those components fail certificate verification even though the central Pod succeeds.

The same mechanism covers identity. When the Keycloak instance bundled with Portworx Backup federates to an external OIDC or LDAP provider that presents a certificate from a private CA, Keycloak must trust that CA. Create a Kubernetes Secret containing the provider's CA certificate (public certificate, never the private key) and reference it with the same caCertsSecretName parameter during the Helm install or upgrade. The certificate is mounted into the Keycloak container so that connections to the identity provider are both encrypted and validated. After changing the Secret or the parameter, restart the Portworx Backup components and delete the existing CronJobs so that running and scheduled workloads pick up the new trust store; Pods created before the change keep the old mount until they are recreated. Together these settings give Portworx Backup a verified, encrypted path for both data transfer and identity validation.
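The procedure above in shell form, as an added example that is not part of the Portworx documentation or product code. The Secret name px-ca-certs, the namespace px-central, the release name and chart portworx/px-central, the Stork deployment name and namespace, and the mount path /etc/ssl/certs/custom are assumptions; caCertsSecretName and SSL_CERT_DIR are the documented parameter and variable. The s3-ca.crt and idp-ca.crt inputs are whatever PEM files you obtained from the object store or identity provider.

```shell
#!/usr/bin/env bash
# Added example, not Portworx code. Names marked "assumed" are placeholders.
set -euo pipefail

# Build a Secret manifest from one or more PEM CA files. Each file becomes a
# key (its basename) under data:, base64-encoded as the API requires. Files
# without a PEM certificate header are rejected so a private key or an empty
# download cannot be shipped by mistake.
ca_secret_manifest() {
  local name="$1" ns="$2"; shift 2
  local f
  for f in "$@"; do
    grep -q -- '-----BEGIN CERTIFICATE-----' "$f" \
      || { echo "not a PEM certificate: $f" >&2; return 1; }
    grep -q -- 'PRIVATE KEY' "$f" \
      && { echo "refusing to bundle a private key: $f" >&2; return 1; }
  done
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\ntype: Opaque\ndata:\n' "$name" "$ns"
  for f in "$@"; do
    printf '  %s: %s\n' "$(basename "$f")" "$(base64 < "$f" | tr -d '\n')"
  done
}

# Download the chain a TLS endpoint presents (needs network). Use the last
# certificate printed (the issuer) as the CA to trust, not the leaf alone.
fetch_server_chain() {
  local host="$1" port="${2:-443}"
  openssl s_client -showcerts -servername "$host" -connect "$host:$port" </dev/null 2>/dev/null \
    | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Confirm the bundled CA actually validates the endpoint before rolling it out.
verify_endpoint_with_ca() {
  local ca="$1" host="$2" port="${3:-443}"
  openssl s_client -verify_return_error -CAfile "$ca" -servername "$host" \
    -connect "$host:$port" </dev/null >/dev/null 2>&1
}

# Point Portworx Backup at the Secret. Release and chart names are assumed;
# caCertsSecretName is the documented Helm parameter.
px_backup_set_ca_secret() {
  local release="$1" ns="$2" secret="$3"
  helm upgrade --install "$release" portworx/px-central \
    --namespace "$ns" --reuse-values \
    --set caCertsSecretName="$secret"
}

# Mount the same Secret into Stork and set SSL_CERT_DIR. A Pod can only mount
# a Secret from its own namespace, so the Secret must exist where Stork runs
# (kube-system assumed). The system directory is kept in SSL_CERT_DIR so
# public CAs remain trusted alongside the private one.
stork_trust_ca() {
  local secret="$1" ns="${2:-kube-system}"
  kubectl -n "$ns" patch deployment stork --type=strategic -p "$(cat <<EOF
spec:
  template:
    spec:
      volumes:
      - name: ca-certs
        secret:
          secretName: $secret
      containers:
      - name: stork
        env:
        - name: SSL_CERT_DIR
          value: /etc/ssl/certs:/etc/ssl/certs/custom
        volumeMounts:
        - name: ca-certs
          mountPath: /etc/ssl/certs/custom
          readOnly: true
EOF
)"
}

# Recreate Pods and remove stale CronJobs so the new trust store is picked up.
px_backup_apply_trust_change() {
  local ns="$1"
  kubectl -n "$ns" rollout restart deployment
  kubectl -n "$ns" delete cronjob --all
}

# End-to-end run (assumed names; requires a cluster and the PEM files):
#   ca_secret_manifest px-ca-certs px-central s3-ca.crt idp-ca.crt | kubectl apply -f -
#   verify_endpoint_with_ca s3-ca.crt s3.internal.example 443 || echo "CA does not validate endpoint"
#   px_backup_set_ca_secret px-central px-central px-ca-certs
#   stork_trust_ca px-ca-certs kube-system
#   px_backup_apply_trust_change px-central
```

SSL_CERT_DIR overrides the default certificate directory rather than adding to it, which is why the Stork patch lists the system directory first. Go's certificate loader reads every file in each listed directory, but OpenSSL-based clients only find certificates in a directory that has been hashed with c_rehash, so if a component fails to trust the mounted Secret despite the variable being set, check which TLS stack it uses.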