We’re currently using the latest version of the Percona Operator for MongoDB. Our MongoDB clusters are being backed up to our own on-premises S3 storage environment, by using the S3 backup options in the operator. This is working well.
Since our on-premises S3 storage environment is using our company-trusted internal SSL certificates, we have to use the option insecureSkipTLSVerify: true in order to connect to the backup storage (using HTTPS).
We would like to enhance the security of our database backup environment, by setting insecureSkipTLSVerify: false in our MongoDB backup configuration. This reduces the risk of spoofing and man-in-the-middle attacks.
Is it possible to somehow add our company-trusted internal SSL certificates to the backup configuration, preferably by using the MongoDB operator?
If this isn’t possible at the moment, should I create a JIRA ticket for the development team?
Right now it is not supported in Percona Backup for MongoDB that we use in the Operator for backups.
The only workaround that I can think of is to add your CA to the trusted ones on the OS level (so container image). It can be done either through rebuilding the container image with this image or somehow mount the CA to the running container. I think here we would need some code changes in the Operator.
Unfortunately, rebuilding the container image just to add a certificate is quite a lot of work.
We can try again to add the certificate to the image, by mounting the certificate as a sidecar image. But it’s also rather complicated, so far we haven’t been able to make it work.
Can I submit a JIRA ticket, in order to request this certificate import feature in the Operator?
I think that this will add value to the Operator, regarding security.
You sure can! I would also think if there is more here.
So we will take some file and pass it to the folder in the container. Is there more here than just solving a problem with CA? I don’t know, but just an open thought
I think that it’s indeed a matter of adding the root and intermediate CA files in the correct format to the backup-agent container, in the right directory. But we haven’t been able to make it work thus far.
I’ll check again with my Linux DevOps colleague next week to see which possibilities are there.