Operator-pbm-ctl is connecting with server certificate

Hi wonderful people at Percona :wink:

I have psmdb backup running with TLS on my Kubernetes cluster with the Percona operator. I have configured secrets.ssl (for the server) and secrets.sslInternal (for the clients) to point to two different secrets, each with its own certificate:

spec:
  image: percona/percona-server-mongodb:8.0.17-6
  imagePullPolicy: IfNotPresent

  tls:
    mode: preferTLS

  secrets:
    users: dbuser-secrets
    ssl: psmdb-certificate
    sslInternal: psmdb-internal-certificate

Technically everything works; however, since I enabled TLS I am getting warnings in mongod.log, and the log file grows by a few hundred MB each day.

{"t":{"$date":"2026-06-09T10:54:50.347+00:00"},"s":"I", "c":"NETWORK", "id":6723804, "ctx":"conn1150674","msg":"Ingress TLS handshake complete","attr":{"durationMillis":16}}
{"t":{"$date":"2026-06-09T10:54:50.350+00:00"},"s":"W", "c":"NETWORK", "id":23236, "ctx":"conn1150674","msg":"Client connecting with server's own TLS certificate"}
{"t":{"$date":"2026-06-09T10:54:50.350+00:00"},"s":"I", "c":"ACCESS", "id":6788604, "ctx":"conn1150674","msg":"Auth metrics report","attr":{"metric":"acquireUser","micros":0}}
{"t":{"$date":"2026-06-09T10:54:50.358+00:00"},"s":"I", "c":"ACCESS", "id":5286306, "ctx":"conn1150674","msg":"Successfully authenticated","attr":{"client":"192.168.1.100:51756","isSpeculative":true,"isClusterMember":false,"mechanism":"SCRAM-SHA-256","user":"backup","db":"admin","result":0,"metrics":{"conversation_duration":{"micros":7444,"summary":{"0":{"step":1,"step_total":2,"duration_micros":2715},"1":{"step":2,"step_total":2,"duration_micros":19}}}},"doc":{"application":{"name":"operator-pbm-ctl"},"driver":{"name":"mongo-go-driver","version":"1.17.9"},"os":{"type":"linux","architecture":"amd64"},"platform":"go1.25.7","env":{"container":{"orchestrator":"kubernetes"}}},"extraInfo":{}}}
{"t":{"$date":"2026-06-09T10:54:50.360+00:00"},"s":"I", "c":"NETWORK", "id":6788700, "ctx":"conn1150674","msg":"Received first command on ingress connection since session start or auth handshake","attr":{"elapsedMillis":2}}

It seems that PBM is not taking the secret configured in sslInternal and instead uses the server certificate. Can it be configured so that it uses the client certificate configured in sslInternal?

Thanks for your help & kind regards,

raphael
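The post above identifies the offending client by reading the "Successfully authenticated" line that follows the warning on the same connection. Doing that by hand on a log that grows by hundreds of MB a day is impractical, so here is an added example (not part of the original post and not a Percona tool) that joins the two structured-log records on their connection context and reports how many id 23236 warnings each client application generated. It assumes the log is mongod's default JSON-per-line format and that the message ids 23236 and 5286306 are the ones shown in the excerpt; the sample lines are constructed for the example, modelled on the excerpt, and include one connection from a hypothetical second application and one warning with no matching authentication record.

```python
import json
from collections import Counter

# Message ids taken from the mongod.log excerpt in the post.
SERVER_CERT_WARNING_ID = 23236   # "Client connecting with server's own TLS certificate"
AUTH_SUCCESS_ID = 5286306        # "Successfully authenticated"

# Constructed sample log, modelled on the excerpt above (not a real capture).
# conn1150674: warning, then authenticates as operator-pbm-ctl (the case in the post).
# conn1150680: a hypothetical second client that authenticates without the warning.
# conn1150690: a warning with no authentication record in this log segment.
SAMPLE_LOG = r'''
{"t":{"$date":"2026-06-09T10:54:50.347+00:00"},"s":"I","c":"NETWORK","id":6723804,"ctx":"conn1150674","msg":"Ingress TLS handshake complete","attr":{"durationMillis":16}}
{"t":{"$date":"2026-06-09T10:54:50.350+00:00"},"s":"W","c":"NETWORK","id":23236,"ctx":"conn1150674","msg":"Client connecting with server's own TLS certificate"}
{"t":{"$date":"2026-06-09T10:54:50.358+00:00"},"s":"I","c":"ACCESS","id":5286306,"ctx":"conn1150674","msg":"Successfully authenticated","attr":{"client":"192.168.1.100:51756","mechanism":"SCRAM-SHA-256","user":"backup","db":"admin","doc":{"application":{"name":"operator-pbm-ctl"},"driver":{"name":"mongo-go-driver","version":"1.17.9"}}}}
{"t":{"$date":"2026-06-09T10:55:01.001+00:00"},"s":"I","c":"ACCESS","id":5286306,"ctx":"conn1150680","msg":"Successfully authenticated","attr":{"client":"192.168.1.101:40000","mechanism":"SCRAM-SHA-256","user":"app","db":"admin","doc":{"application":{"name":"my-app"}}}}
{"t":{"$date":"2026-06-09T10:55:02.002+00:00"},"s":"W","c":"NETWORK","id":23236,"ctx":"conn1150690","msg":"Client connecting with server's own TLS certificate"}
'''


def parse_log(text):
    """Parse mongod's JSON-per-line log into a list of dicts, skipping blank lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            records.append(json.loads(line))
    return records


def attribute_warnings(records):
    """Map each 'server's own TLS certificate' warning to the client that authenticated
    on the same connection and return {"app (user=...)": count}.

    The warning is logged at TLS handshake time, before the client has authenticated,
    so the connection context (ctx) is the only join key. Warnings are therefore
    collected first and resolved after the whole segment has been read. ctx values are
    unique only within one mongod process lifetime, so analyse one log file at a time.
    """
    app_by_ctx = {}
    warned_ctx = []
    for rec in records:
        ctx = rec.get("ctx")
        if rec.get("id") == AUTH_SUCCESS_ID:
            attr = rec.get("attr", {})
            app = attr.get("doc", {}).get("application", {}).get("name", "<no appName>")
            app_by_ctx[ctx] = f"{app} (user={attr.get('user', '?')})"
        elif rec.get("id") == SERVER_CERT_WARNING_ID:
            warned_ctx.append(ctx)

    counts = Counter()
    for ctx in warned_ctx:
        counts[app_by_ctx.get(ctx, "<unauthenticated or unknown>")] += 1
    return dict(counts)


if __name__ == "__main__":
    # To run against a real file: attribute_warnings(parse_log(open("mongod.log").read()))
    for client, n in sorted(attribute_warnings(parse_log(SAMPLE_LOG)).items()):
        print(f"{n:6d}  {client}")
```

On the constructed input this reports one warning for `operator-pbm-ctl (user=backup)` and one for an unresolved connection; `my-app` does not appear because its connection never triggered the warning. Connections that are warned about but never authenticate are worth a second look, since a client presenting the server certificate and then failing to authenticate is not something the backup agent would do.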

Hi Raphael, if I am understanding this correctly, the problem is:

"Client connecting with server's own TLS certificate"

In that case there is no issue with your secrets on the operator side. The issue lies on the client side of things. To be clear, secrets.sslInternal is not for the client certs; instead it stores the cert that mongo nodes use when acting as clients to other mongo nodes (e.g. in a replica set).

You need to make sure you create a separate certificate for your client connections. Do not put this cert in either secrets.sslInternal or secrets.ssl. Instead, use it only on your clients.

Hope that helps

Hi Ivan,

Yes, but the "client" is the Percona Backup Agent:

{"application":{"name":"operator-pbm-ctl"}}

How can I configure the PBM sidecar container to use a different certificate than the server is using to get rid of this warning?

Sorry, I missed that initially. I have opened https://perconadev.atlassian.net/browse/K8SPSMDB-1691; we will review it with the engineering team and figure out a solution.