Conversation

@mayankshah1607 mayankshah1607 commented Oct 9, 2025

K8SPXC-1332

CHANGE DESCRIPTION

Problem:

Backups and restores against S3 endpoints served over HTTPS with private/internal certificates fail unless TLS verification is disabled, which weakens security by forcing verifyTLS=false and bypassing server identity checks.

Solution:

Introduce a configurable caBundle for S3 storage so clients can verify TLS using a trusted CA without disabling SSL verification.

Example backup storage

storages:
  minio-s3:
    type: s3
    verifyTLS: true
    s3:
      caBundle:
        name: minio-ca-bundle
        key: tls.crt

CHECKLIST

Jira

  • Is the Jira ticket created and referenced properly?
  • Does the Jira ticket have the proper statuses for documentation (Needs Doc) and QA (Needs QA)?
  • Does the Jira ticket link to the proper milestone (Fix Version field)?

Tests

  • Is an E2E test/test case added for the new feature/change?
  • Are unit tests added where appropriate?
  • Are OpenShift compare files changed for E2E tests (compare/*-oc.yml)?

Config/Logging/Testability

  • Are all needed new/changed options added to default YAML files?
  • Are all needed new/changed options added to the Helm Chart?
  • Did we add proper logging messages for operator actions?
  • Did we ensure compatibility with the previous version or cluster upgrade process?
  • Does the change support oldest and newest supported PXC version?
  • Does the change support oldest and newest supported Kubernetes version?
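As an added illustration in Go (not the operator's own code) of the three trust choices the description contrasts: verifyTLS=false skips server identity checks entirely, verifyTLS=true with a caBundle trusts only the bundle's roots, and verifyTLS=true without a bundle falls back to the system trust store. The function names s3TLSConfig and selfSignedCA are assumptions, and the self-signed CA is constructed in-memory test data standing in for the tls.crt key of the minio-ca-bundle secret.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// s3TLSConfig (assumed name) maps the storage settings to a TLS client config.
func s3TLSConfig(verifyTLS bool, caBundlePEM []byte) (*tls.Config, error) {
	if !verifyTLS {
		// verifyTLS=false: the weak setting the PR avoids; no server identity check at all.
		return &tls.Config{InsecureSkipVerify: true}, nil
	}
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	if len(caBundlePEM) == 0 {
		return cfg, nil // nil RootCAs: Go verifies against the system trust store
	}
	pool := x509.NewCertPool() // fail closed below: a bundle that parses to nothing is an error
	if !pool.AppendCertsFromPEM(caBundlePEM) {
		return nil, errors.New("caBundle contains no parsable PEM certificates")
	}
	cfg.RootCAs = pool // only the bundle's roots are trusted for this endpoint
	return cfg, nil
}

// selfSignedCA builds a throwaway CA certificate (constructed test data, not a real secret).
func selfSignedCA() ([]byte, error) {
	_, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}
```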

@pull-request-size pull-request-size bot added the size/L 100-499 lines label Oct 9, 2025
@mayankshah1607 mayankshah1607 changed the title K8SPXC-1332 | [WIP] Allow specifying caBundle for backup storage connection K8SPXC-1332 | Allow specifying caBundle for backup storage connection Oct 15, 2025
@mayankshah1607 mayankshah1607 marked this pull request as ready for review October 15, 2025 09:18
Signed-off-by: Mayank Shah <[email protected]>
@egegunes (Contributor)

ok, let's wait for test results

Signed-off-by: Mayank Shah <[email protected]>
@mayankshah1607 (Member, Author)

@egegunes the test fails in the create_infra function, but I don't see any errors in the logs. I have no trouble getting it to pass locally. I've copied most of it from the pitr test. Any idea what I am missing? 🤔

@egegunes (Contributor)

@mayankshah1607 Tests are run in cluster-wide mode on Jenkins. You can run the test in cluster-wide mode locally by setting the OPERATOR_NS=pxc-operator env variable.

Comment on lines +75 to +76
sed "s/#namespace/$namespace/g" $test_dir/conf/cert.yml |
kubectl_bin apply -f "-"

[shfmt] reported by reviewdog 🐶

Suggested change
sed "s/#namespace/$namespace/g" $test_dir/conf/cert.yml |
kubectl_bin apply -f "-"
sed "s/#namespace/$namespace/g" $test_dir/conf/cert.yml \
| kubectl_bin apply -f "-"

sed "s/#namespace/$namespace/g" $test_dir/conf/cert.yml |
kubectl_bin apply -f "-"
sleep 30 # wait for the certificates to be issued
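Review bot: `sleep 30 # wait for the certificates to be issued` is a fixed delay, so the test can still race a slow issuer or wait longer than needed; prefer waiting on the resource's readiness, for example `kubectl_bin wait --for=condition=Ready certificate --all -n "$namespace" --timeout=120s` if cert-manager issues them. The `$test_dir` expansion in `sed "s/#namespace/$namespace/g" $test_dir/conf/cert.yml` is also unquoted and will break on paths containing spaces.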


[shfmt] reported by reviewdog 🐶

Suggested change

minio_cert_secret="minio-tls-certs"
start_minio "$minio_cert_secret"
cluster="test-cluster"


[shfmt] reported by reviewdog 🐶

Suggested change

spinup_pxc "$cluster" "$test_dir/conf/$cluster.yml"

write_test_data "$cluster"


[shfmt] reported by reviewdog 🐶

Suggested change

egegunes previously approved these changes Oct 31, 2025
gkech previously approved these changes Nov 4, 2025
@hors left a comment

@mayankshah1607, please add these new options as a comment in deploy/cr.yaml file

#      caBundle:
#         name: minio-ca-bundle
#         key: tls.crt

@mayankshah1607 Did you create a PR for the Helm chart?

AWS_S3_NO_VERIFY_SSL='--no-verify-ssl'
fi

caBundleDir="/etc/s3/certs"
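Review bot: `AWS_S3_NO_VERIFY_SSL='--no-verify-ssl'` and a bundle under `caBundleDir="/etc/s3/certs"` are contradictory when both take effect, since `--no-verify-ssl` makes any CA bundle irrelevant; the branch closed by this `fi` should not be taken when a bundle is mounted (or the combination rejected at validation time), and the bundle path should be passed explicitly (the AWS CLI accepts `--ca-bundle <path>`) so that a missing or empty directory fails loudly instead of silently falling back to system roots.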
Collaborator:

I hope it will work for OpenShift

Member Author:

I haven't tried, but why won't it?

@mayankshah1607 mayankshah1607 dismissed stale reviews from egegunes and gkech via f9af231 November 5, 2025 08:28
@mayankshah1607 mayankshah1607 requested a review from hors November 5, 2025 08:50
@mayankshah1607 (Member, Author)

@hors helm chart PR, please review - percona/percona-helm-charts#688

Signed-off-by: Mayank Shah <[email protected]>
@JNKPercona (Collaborator)

Test Name Result Time
affinity-8-0 passed 00:06:03
auto-tuning-8-0 passed 00:19:02
backup-storage-tls-8-0 passed 00:21:38
cross-site-8-0 passed 00:34:49
custom-users-8-0 failure 00:09:02
demand-backup-cloud-8-0 passed 00:57:25
demand-backup-encrypted-with-tls-8-0 passed 00:44:20
demand-backup-8-0 passed 00:41:40
demand-backup-flow-control-8-0 passed 00:10:36
demand-backup-parallel-8-0 passed 00:08:43
demand-backup-without-passwords-8-0 passed 00:15:08
haproxy-5-7 passed 00:14:41
haproxy-8-0 passed 00:14:48
init-deploy-5-7 passed 00:16:42
init-deploy-8-0 passed 00:16:46
limits-8-0 passed 00:12:05
monitoring-2-0-8-0 passed 00:22:28
monitoring-pmm3-8-0 passed 00:17:35
one-pod-5-7 passed 00:14:28
one-pod-8-0 passed 00:14:07
pitr-8-0 passed 00:42:23
pitr-gap-errors-8-0 passed 00:56:06
proxy-protocol-8-0 passed 00:09:33
proxysql-sidecar-res-limits-8-0 passed 00:08:20
pvc-resize-5-7 passed 00:16:22
pvc-resize-8-0 passed 00:16:32
recreate-8-0 passed 00:17:17
restore-to-encrypted-cluster-8-0 passed 00:25:26
scaling-proxysql-8-0 passed 00:08:35
scaling-8-0 passed 00:10:51
scheduled-backup-5-7 passed 01:04:32
scheduled-backup-8-0 passed 01:03:10
security-context-8-0 passed 00:25:45
smart-update1-8-0 passed 00:33:31
smart-update2-8-0 passed 00:38:32
storage-8-0 passed 00:10:29
tls-issue-cert-manager-ref-8-0 passed 00:08:41
tls-issue-cert-manager-8-0 passed 00:11:24
tls-issue-self-8-0 passed 00:13:04
upgrade-consistency-8-0 passed 00:11:10
upgrade-haproxy-5-7 passed 00:26:28
upgrade-haproxy-8-0 passed 00:25:14
upgrade-proxysql-5-7 passed 00:16:01
upgrade-proxysql-8-0 passed 00:16:28
users-5-7 passed 00:24:33
users-8-0 passed 00:25:43
validation-hook-8-0 passed 00:01:48
Summary Value
Tests Run 47/47
Job Duration 02:43:26
Total Test Time 17:20:28

commit: f9b155d
image: perconalab/percona-xtradb-cluster-operator:PR-2213-f9b155d0

@hors hors merged commit 219dc7f into main Nov 5, 2025
15 of 16 checks passed
@hors hors deleted the K8SPXC-1332 branch November 5, 2025 16:17
@egegunes egegunes added this to the v1.19.0 milestone Dec 8, 2025
Labels: size/XL 500-999 lines