Allow self-signed certificate TLS-URL in endpointUrl for S3-Backups

If I’m using a custom endpointUrl within the Percona XtraDB Cluster Operator for S3-Backups in “PerconaXtraDBClusterBackups” (Custom Resource options), I receive the following error:
2021-05-12 09:07:10.455 INFO: [SST script] mc: Unable to initialize new alias from the provided credentials. Get “https://custom-domain.com/probe-bucket-sign-oythtghtc3vy/?location=”: x509: certificate signed by unknown authority.

How can I accept self signed TLS certificates? We are hosting our own S3 with our own self signed certificate from our own Root-CA.
Is there any way to allow “insecure” certificates or add some custom truststore?

Hello @mygov ,

thank you for submitting it. Yeah, it is a good one

To make it work there are two options:

1. add --insecure flag to minio client (mc). Right now it is not possible to pass it through the Operator. I captured it in this improvement ticket in JIRA: [K8SPXC-752] Allow disabling TLS when taking backups - Percona JIRA.
2. Copy your CA cert to trust it to .mc/certs/CAs. Also manual step.

@Sergey_Pronin - I am now having the same issue as the OP. Can you elaborate on how you add the above two manual changes? Which running container can I make the changes to?
Thanks

@Sergey_Pronin
You mentioned to add the CA cert to .minio/certs/CAs.
But the config written by run_backup.sh creates it dynamically in /tmp.
So no way to add it there, unfortunately.
To add --insecure the script has to be changed, too.

Ah, good catch. Yeah, probably we need to wait for insecure flag then. It is going to be shipped in 1.11.0 somewhere in Q1 (we are shipping 1.10 release in Q4, but this feature is not there).

@Sergey_Pronin
I ended up creating a new image and imported the self signed cert into it. Not a huge effort, but still a pain. While I appreciate the idea of an insecure flag, will you also provide a way to import certs as well?

any workaround for percona backup mongodb in operator? same issue when use self-signed TLS of S3 storage server.

@wenjian in MongoDB we use PBM, which does not support this yet - it is either http or https with valid certificate.

We have this feature in our roadmap: [PBM-680] Skip TLS verification for object storage - Percona JIRA
Once PBM has this, it will be quite easy to add it into the Operator.

@Sergey_Pronin Any idea when we can expect PBM-680 to be completed and version 1.12 of the operator to be delivered? We are eagerly waiting on this so that we can use our on-premises S3 storage for MongoDB backups (using HTTPS).

@azam corresponding functionality was already merged into main branch of the operator: [K8SPSMDB-473] Allow to skip TLS verification for backup storage - Percona JIRA

1.12 should come out this month.

@Sergey_Pronin Thanks for your reply, I see that PBM 1.7 (including the implementation of PBM-680) was indeed released last month

Any update on the expected release of v1.12 of the operator?

@azam If we are talking about PSMDB operator release . We will have it today.

That’s the one indeed, thanks for the prompt reply!

@azam not sure if you saw - it is out: Percona Operator for MongoDB 1.12.0 Released

Would appreciate your feedback.

Yes I saw it indeed, thanks for the heads-up