Feature Request: PBM does not support TLS with backups #525

@MiaAltieri

Description

When using an S3 bucket with TLS, the PBM agent fails with the message:

```
  - mongodb/192.168.100.82:27017 [S]: pbm-agent v2.4.0 FAILED status:
      > ERROR with storage: storage check failed with: get S3 object header: RequestError: send request failed
caused by: Head "https://radosgw.pc6a.canonical.com:443/mybucket/.pbm.init": tls: failed to verify certificate: x509: certificate signed by unknown authority
```

This is a known issue and is outlined in SSDLC. We should support TLS with PBM; this is a requirement from the field.

Additionally, Charmed MongoDB should provide an error message when PBM is missing TLS configuration.

Steps to reproduce

Deploy MongoDB in OpenStack

```bash
openstack endpoint list | grep -E "s3|swift"

# curl the public URL
curl https://radosgw.pc6a.canonical.com:443/

# did not work + did not understand one of the steps

# create credentials and save the fields access and secret for later steps
openstack ec2 credentials create

# configure MC using access + secret from openstack credentials
HTTP_PROXY="http://10.17.2.1:3128" HTTPS_PROXY="http://10.17.2.1:3128" curl https://dl.min.io/client/mc/release/linux-amd64/mc \
  --create-dirs \
  -o $HOME/minio-binaries/mc

chmod +x $HOME/minio-binaries/mc
export PATH=$PATH:$HOME/minio-binaries/

mc --help
mc config host add my_project https://radosgw.pc6a.canonical.com:443/ b4ea84b3154e49f6ae1bd9fd07617c0d 215674a0fa64408389aa9cfa81d938a0

# now we need to create a bucket
sudo cp vault-root-ca.pem /usr/local/share/ca-certificates/vault.crt

# the alias must match the one registered with "mc config host add" above
mc mb my_project/mybucket

# MY GUESS: you will need to generate a cert file from the pem file used from the novarc
openssl x509 -outform der -in vault-root-ca.pem -out vault-root-ca.crt

# use URL from earlier
juju config s3-integrator endpoint="https://radosgw.pc6a.canonical.com:443" bucket="mybucket" region="" s3-api-version="" s3-uri-style="path" tls-ca-chain="$(base64 -w0 /usr/local/share/ca-certificates/vault.crt)"

# use credentials from earlier
juju run s3-integrator/leader sync-s3-credentials access-key=b4ea84b3154e49f6ae1bd9fd07617c0d secret-key=215674a0fa64408389aa9cfa81d938a0

juju integrate s3-integrator mongodb

juju ssh mongodb/x
charmed-mongodb.pbm status
```
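A pre-flight check for the `tls-ca-chain` value built in the steps above, as an added example that is not part of the original issue or of the charm's code: it decodes the base64 string and reports whether it holds PEM or DER data, since the steps produce both a PEM copy (`vault.crt`) and a DER file (`vault-root-ca.crt`) with the same extension. All function names and the sample values are constructed for illustration, and `verify_endpoint` assumes `openssl` is installed.

```bash
# Added example, not from the issue. All function names are hypothetical.

# Print "pem", "der" or "unknown" for a certificate file.
cert_encoding() {
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$1"; then
        echo pem
    # A DER certificate is an ASN.1 SEQUENCE with a two-byte length: 30 82.
    elif [ "$(head -c 2 "$1" | od -An -tx1 | tr -d ' \n')" = "3082" ]; then
        echo der
    else
        echo unknown
    fi
}

# Decode a base64 string intended for tls-ca-chain and report its content.
inspect_ca_chain_value() {
    tmp="$(mktemp)" || return 2
    if ! printf '%s' "$1" | base64 -d > "$tmp" 2>/dev/null; then
        rm -f "$tmp"; echo "invalid-base64"; return 1
    fi
    enc="$(cert_encoding "$tmp")"
    count="$(grep -c -e '-----BEGIN CERTIFICATE-----' "$tmp" || true)"
    rm -f "$tmp"
    case "$enc" in
        pem) echo "pem certs=$count" ;;
        der) echo "der" ;;
        *)   echo "unknown"; return 1 ;;
    esac
}

# Handshake with the endpoint trusting the given PEM CA file;
# returns non-zero on the "unknown authority" class of failure.
verify_endpoint() {   # usage: verify_endpoint HOST PORT CA_PEM_FILE
    openssl s_client -connect "$1:$2" -servername "$1" \
        -CAfile "$3" -verify_return_error </dev/null >/dev/null 2>&1
}

# Constructed samples: placeholder bytes, not real certificates.
sample_pem_value() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBCgKCAQEA' \
        '-----END CERTIFICATE-----' | base64 -w0
}
sample_der_value() { printf '\060\202\001\012' | base64 -w0; }

inspect_ca_chain_value "$(sample_pem_value)"
inspect_ca_chain_value "$(sample_der_value)"
```

Running `inspect_ca_chain_value` on the exact string passed to `juju config` shows which of the two files actually ended up in the setting, and `verify_endpoint` reproduces the certificate check outside PBM.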

Labels: bug (Something isn't working as expected)
