// mirror of https://github.com/openshift/openshift-docs.git
// openshift-docs/modules/oadp-self-signed-certificate.adoc (2024-04-10 20:26:45 +00:00)
// Module included in the following assemblies:
//
// * backup_and_restore/application_backup_and_restore/configuring-oadp.adoc
:_mod-docs-content-type: PROCEDURE
[id="oadp-self-signed-certificate_{context}"]
= Enabling self-signed CA certificates
You must enable a self-signed CA certificate for object storage by editing the `DataProtectionApplication` custom resource (CR) manifest to prevent a `certificate signed by unknown authority` error.
.Prerequisites
* You must have the OpenShift API for Data Protection (OADP) Operator installed.
.Procedure
* Edit the `spec.backupLocations.velero.objectStorage.caCert` parameter and `spec.backupLocations.velero.config` parameters of the `DataProtectionApplication` CR manifest:
+
[source,yaml]
----
apiVersion: oadp.openshift.io/v1alpha1
kind: DataProtectionApplication
metadata:
  name: <dpa_sample>
spec:
# ...
  backupLocations:
    - name: default
      velero:
        provider: aws
        default: true
        objectStorage:
          bucket: <bucket>
          prefix: <prefix>
          caCert: <base64_encoded_cert_string> <1>
        config:
          insecureSkipTLSVerify: "false" <2>
# ...
----
<1> Specify the Base64-encoded CA certificate string.
<2> The `insecureSkipTLSVerify` configuration can be set to either `"true"` or `"false"`. If set to `"true"`, Velero skips verification of the object storage server's TLS certificate, so the `caCert` value is not checked and the connection is not protected against a forged endpoint. If set to `"false"`, the server certificate is verified against the CA in `caCert`.
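The following shell functions are an added example, not part of the OADP documentation or the OADP Operator, showing how to produce the single-line Base64 string that the `caCert` field above expects, how to verify that a `caCert` value decodes back to a PEM certificate block, and how to check a rendered manifest for `insecureSkipTLSVerify: "true"`. The certificate body, bucket name and prefix are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example (not OADP project code): prepare and validate the caCert
# value of a DataProtectionApplication backup location.

# Constructed placeholder PEM file (not a real certificate). In practice
# this is the CA certificate that signed the object storage endpoint.
make_sample_ca() {
  cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBsampleCAcertificatebodyPLACEHOLDER0000000000000000000000000
-----END CERTIFICATE-----
EOF
}

# Encode a PEM file into the single-line Base64 string caCert expects.
# `tr -d '\n'` strips the 76-column wrapping many base64 tools add, which
# would otherwise corrupt the YAML scalar.
encode_ca_cert() {
  base64 < "$1" | tr -d '\n'
}

# Decode a caCert value and confirm it is a PEM certificate block, the
# same check a reviewer would run on a value pulled back out of the DPA CR.
# Returns 1 for invalid Base64 or for content that is not a certificate.
check_ca_cert_value() {
  local decoded
  decoded=$(printf '%s' "$1" | base64 -d 2>/dev/null) || return 1
  printf '%s\n' "$decoded" | grep -q '^-----BEGIN CERTIFICATE-----$' || return 1
  printf '%s\n' "$decoded" | grep -q '^-----END CERTIFICATE-----$' || return 1
}

# Render the backupLocations fragment with TLS verification kept on.
# Arguments: <caCert value> <bucket> <prefix>
render_backup_location() {
  cat <<EOF
backupLocations:
  - name: default
    velero:
      provider: aws
      default: true
      objectStorage:
        bucket: $2
        prefix: $3
        caCert: $1
      config:
        insecureSkipTLSVerify: "false"
EOF
}

# Exit status 0 if the manifest keeps certificate verification enabled,
# 1 if it disables it with insecureSkipTLSVerify: "true".
manifest_verifies_tls() {
  ! grep -q 'insecureSkipTLSVerify: "true"' "$1"
}
```

Run `encode_ca_cert ca.pem` and paste the output into `caCert`; run `manifest_verifies_tls dpa.yaml` in a pre-apply check so that a manifest that silently turns verification off is rejected rather than applied.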
[id="oadp-using-ca-certificates-with-velero-command-aliased-for-velero-deployment_{context}"]
== Using CA certificates with the velero command aliased for Velero deployment
You might want to use the Velero CLI without installing it locally on your system by creating an alias for it.
.Prerequisites
* You must be logged in to the OpenShift Container Platform cluster as a user with the `cluster-admin` role.
* You must have the OpenShift CLI (`oc`) installed.
.Procedure
. To use an aliased Velero command, run the following command:
+
[source,terminal]
----
$ alias velero='oc -n openshift-adp exec deployment/velero -c velero -it -- ./velero'
----
. Check that the alias is working by running the following command:
+
[source,terminal]
.Example
----
$ velero version
Client:
Version: v1.12.1-OADP
Git commit: -
Server:
Version: v1.12.1-OADP
----
. To use a CA certificate with this command, you can add a certificate to the Velero deployment by running the following commands:
+
[source,terminal]
----
$ CA_CERT=$(oc -n openshift-adp get dataprotectionapplications.oadp.openshift.io <dpa-name> -o jsonpath='{.spec.backupLocations[0].velero.objectStorage.caCert}')
$ [[ -n $CA_CERT ]] && echo "$CA_CERT" | base64 -d | oc exec -n openshift-adp -i deploy/velero -c velero -- bash -c "cat > /tmp/your-cacert.txt" || echo "DPA BSL has no caCert"
----
+
[source,terminal]
----
$ velero -n openshift-adp describe backup <backup-name> --details --cacert /tmp/your-cacert.txt
----
. If the Velero pod restarts, the `/tmp/your-cacert.txt` file disappears, and you must re-create the `/tmp/your-cacert.txt` file by re-running the commands from the previous step.
. You can check whether the `/tmp/your-cacert.txt` file still exists at the location where you stored it by running the following command:
+
[source,terminal]
----
$ oc exec -n openshift-adp -i deploy/velero -c velero -- bash -c "ls /tmp/your-cacert.txt"
/tmp/your-cacert.txt
----
In a future release of OpenShift API for Data Protection (OADP), we plan to mount the certificate to the Velero pod so that this step is not required.