
Feature Request: PBM does not support TLS with backups #525

@MiaAltieri

Description


When using an S3 bucket with TLS, the PBM agent fails with the message:

```
  - mongodb/192.168.100.82:27017 [S]: pbm-agent v2.4.0 FAILED status:
      > ERROR with storage: storage check failed with: get S3 object header: RequestError: send request failed
caused by: Head "https://radosgw.pc6a.canonical.com:443/mybucket/.pbm.init": tls: failed to verify certificate: x509: certificate signed by unknown authority
```

This is a known issue and is outlined in SSDLC. We should support TLS with PBM; this is a requirement from the field.

Additionally, Charmed MongoDB should provide an error message when PBM is missing TLS configuration.

Steps to reproduce

Deploy MongoDB in OpenStack

```shell
openstack endpoint list | grep -E "s3|swift"

# curl the public URL
curl https://radosgw.pc6a.canonical.com:443/

# did not work + did not understand one of the steps

# create credentials and save the fields access and secret for later steps
openstack ec2 credentials create

# configure MC using access + secret from openstack credentials
HTTP_PROXY="http://10.17.2.1:3128" HTTPS_PROXY="http://10.17.2.1:3128" curl https://dl.min.io/client/mc/release/linux-amd64/mc \
  --create-dirs \
  -o $HOME/minio-binaries/mc

chmod +x $HOME/minio-binaries/mc
export PATH=$PATH:$HOME/minio-binaries/

mc --help
mc config host add my_project https://radosgw.pc6a.canonical.com:443/ b4ea84b3154e49f6ae1bd9fd07617c0d 215674a0fa64408389aa9cfa81d938a0

# now we need to create a bucket
sudo cp vault-root-ca.pem /usr/local/share/ca-certificates/vault.crt

# alias must match the one registered with "mc config host add" above
mc mb my_project/mybucket

# MY GUESS: you will need to generate a cert file from the pem file used from the novarc
openssl x509 -outform der -in vault-root-ca.pem -out vault-root-ca.crt

# use URL from earlier
juju config s3-integrator endpoint="https://radosgw.pc6a.canonical.com:443" bucket="mybucket" region="" s3-api-version="" s3-uri-style="path" tls-ca-chain="$(base64 -w0 /usr/local/share/ca-certificates/vault.crt)"

# use credentials from earlier
juju run s3-integrator/leader sync-s3-credentials access-key=b4ea84b3154e49f6ae1bd9fd07617c0d secret-key=215674a0fa64408389aa9cfa81d938a0

juju integrate s3-integrator mongodb

juju ssh mongodb/x
charmed-mongodb.pbm status
```
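The issue asks for a clear error when PBM cannot verify the S3 endpoint certificate. The sketch below is an added example, not part of the original issue and not the charm's own code; it shows one way to pick that condition out of `pbm status` text. The function names, the regular expressions and the message wording are assumptions, and the sample input is the agent status quoted in the issue.

```python
import re

# Constructed sample: the agent status text quoted in the issue above.
SAMPLE_STATUS = """\
  - mongodb/192.168.100.82:27017 [S]: pbm-agent v2.4.0 FAILED status:
      > ERROR with storage: storage check failed with: get S3 object header: RequestError: send request failed
caused by: Head "https://radosgw.pc6a.canonical.com:443/mybucket/.pbm.init": tls: failed to verify certificate: x509: certificate signed by unknown authority
"""

# Assumed line shapes, derived only from the status text shown in the issue.
AGENT_RE = re.compile(
    r"^\s*-\s+(?P<node>\S+)\s+\[\w\]:\s+pbm-agent\s+\S+\s+(?P<state>OK|FAILED)\b")
TLS_RE = re.compile(
    r'"(?P<url>https://[^"]+)":\s*tls: failed to verify certificate: x509: (?P<reason>.+)$')


def find_tls_failures(status_text):
    """Return one dict per FAILED agent whose storage error is an x509 failure."""
    failures, current = [], None
    for line in status_text.splitlines():
        agent = AGENT_RE.match(line)
        if agent:
            # Track only agents reported as FAILED; an OK agent resets the context.
            current = agent.group("node") if agent.group("state") == "FAILED" else None
            continue
        tls = TLS_RE.search(line)
        if tls and current:
            host = re.match(r"https://([^/:]+)", tls.group("url")).group(1)
            failures.append({"node": current, "endpoint": host,
                             "reason": tls.group("reason").strip()})
            current = None  # one finding per agent
    return failures


def operator_message(failures):
    """Build a status message naming the endpoint instead of a generic storage error."""
    if not failures:
        return None
    hosts = sorted({f["endpoint"] for f in failures})
    return ("PBM cannot verify the S3 endpoint certificate for " + ", ".join(hosts)
            + "; check that the s3-integrator tls-ca-chain is trusted by pbm-agent")


if __name__ == "__main__":
    print(operator_message(find_tls_failures(SAMPLE_STATUS)))
```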
