Version: 2.11

Enable Mutual TLS

To enable mutual TLS (mTLS) for Portworx Backup, ensure that you perform the following actions:

  1. Install Istio on the cluster where you deploy Portworx Backup with the following parameters set to true:

    meshConfig.defaultConfig.holdApplicationUntilProxyStarts=true
    values.pilot.env.ENABLE_NATIVE_SIDECARS=true
  2. Label the namespace where Portworx Backup is deployed:

  • Istio sidecar mode:

    kubectl label namespace <pxb-namespace> istio-injection=enabled --overwrite

    This command labels <pxb-namespace> so that Istio injects the sidecar proxy required for mTLS into pods in that namespace.

    Here <pxb-namespace> is the namespace where you have deployed PXB.

    note

    After labeling the namespace, existing Portworx Backup pods must be restarted for Istio injection to take effect. Run the following command to restart them:

    kubectl rollout restart deployment -n <pxb-namespace>

    Without this restart, mTLS will not be applied to already-running pods.

  • Istio ambient mode:

    kubectl label namespace <pxb-namespace> istio.io/dataplane-mode=ambient --overwrite

    On OpenShift clusters only, run the following command to enable host routing:

    oc patch network.operator/cluster --type merge -p '{"spec":{"defaultNetwork":{"ovnKubernetesConfig":{"gatewayConfig":{"routingViaHost":true}}}}}'

    caution

    When multiple applications are configured to use the same base path (such as /), Istio cannot determine which service should handle incoming traffic. To avoid routing conflicts during the px-backup deployment, set a dedicated hostname using the istio.hostName helm parameter. For more information, see the Configure a dedicated hostname for Portworx Backup UI with Istio section. You can perform these steps either before or after the installation of Portworx Backup, depending on your setup. This configuration applies to Istio sidecar mode only.

Enable mTLS Using Linkerd

note

Linkerd is not supported on OpenShift (OCP). Use Istio for mTLS on OpenShift clusters.

To enable mTLS for Portworx Backup when using the Linkerd service mesh, perform the following steps:

  1. Install Linkerd with the following parameter set to true:

    proxyInit.runAsRoot=true
  2. Annotate the namespace where Portworx Backup is deployed so that Linkerd injects the linkerd-proxy sidecar required for mTLS:

    kubectl annotate ns <pxb-namespace> linkerd.io/inject=enabled
  3. Annotate the namespace for Kubernetes native sidecar support so that the Linkerd sidecar proxy container can start and shut down gracefully without causing issues:

    kubectl annotate ns <pxb-namespace> config.alpha.linkerd.io/proxy-enable-native-sidecar=true
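
After labeling or annotating the namespace and restarting the deployments (both the Istio sidecar-mode step and the Linkerd steps above), it is worth confirming that every Portworx Backup pod actually carries the mesh proxy; without it, traffic to that pod is not under mTLS. The following script is an added example, not part of the Portworx Backup documentation or tooling. It assumes kubectl access to the cluster and that the proxy container is named istio-proxy (Istio) or linkerd-proxy (Linkerd); with native sidecars enabled, as both procedures above require, the proxy is injected under spec.initContainers rather than spec.containers, so both lists are inspected.

```sh
#!/bin/sh
# Added verification helper; not part of the Portworx Backup documentation.
# Checks that every pod in <pxb-namespace> has the service-mesh proxy.
# With native sidecars enabled (ENABLE_NATIVE_SIDECARS=true for Istio,
# proxy-enable-native-sidecar=true for Linkerd) the proxy lives in
# spec.initContainers rather than spec.containers, so both are checked.

# has_proxy CONTAINERS INITCONTAINERS PROXY
# CONTAINERS and INITCONTAINERS are space-separated container names.
has_proxy() {
  for name in $1 $2; do
    [ "$name" = "$3" ] && return 0
  done
  return 1
}

# pod_line_ok LINE PROXY
# LINE is "<pod>|<containers>|<initContainers>", the layout produced by the
# jsonpath template in check_namespace. Prints a verdict; returns 1 if missing.
pod_line_ok() {
  pod=${1%%"|"*}; rest=${1#*"|"}
  if has_proxy "${rest%%"|"*}" "${rest#*"|"}" "$2"; then
    echo "OK       $pod"
    return 0
  fi
  echo "MISSING  $pod ($2 not injected: check the label/annotation and restart)"
  return 1
}

# check_namespace NAMESPACE PROXY   (PROXY is istio-proxy or linkerd-proxy)
# Returns non-zero if the namespace has no pods or any pod lacks the proxy.
# The here-document keeps the loop in the current shell so status survives.
check_namespace() {
  status=0
  out=$(kubectl get pods -n "$1" -o jsonpath='{range .items[*]}{.metadata.name}|{.spec.containers[*].name}|{.spec.initContainers[*].name}{"\n"}{end}')
  if [ -z "$out" ]; then
    echo "no pods found in namespace $1"; return 1
  fi
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    pod_line_ok "$line" "$2" || status=1
  done <<EOF
$out
EOF
  return $status
}

# Usage: sh check-mesh-proxy.sh <pxb-namespace> istio-proxy
if [ $# -ge 2 ]; then
  check_namespace "$1" "$2"
fi
```

A MISSING verdict on a pod that was running before the label or annotation was applied usually means the rollout restart from the Istio step was skipped.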