SGCluster restore from backup TLS verify failed
We run StackGres in an on-premise K8s cluster, and we also have an on-premise S3 instance (in another subnet, hence the problem below and the need to be able to specify CA certs). There is a daily backup job, as can be seen in the definition below. For the SGObjectStorage this works fine with the on-premise s3Compatible, because in the CRD's spec.s3Compatible.awsCredentials I can specify caCertificate using k8s secrets.
However, when I try to create an SGCluster instance where I use backup data as initial data, I get the following error (from k8s logs):
ERROR: <date> Failed to select backup: checking sentinel file "base_000000010000000000000042_backup_stop_sentinel.json" for existence: check file for existence in "default": failed to check s3 object 'sgbackups.stackgres.io/<namespace>/<cluster-name>/2024-09-06-07-35-36/16/basebackups_005/base_000000010000000000000042_backup_stop_sentinel.json' existence: RequestError: send request failed caused by Head "https://company-s3.com/<bucket-name>/sgbackups.stackgres.io/<namespace>/<cluster-name>/2024-09-06-07-35-36/16/basebackups_005/base_000000010000000000000042_backup_stop_sentinel.json": tls: failed to verify certificate: x509: certificate signed by unknown authority
To clarify, the file it looks for does exist in the S3 bucket, and I am able to fetch it to my local computer.
For reference, my SGCluster.yaml file has these fields.

    apiVersion: stackgres.io/v1
    kind: SGCluster
    [...]
    spec:
      [...]
      configurations:
        backups:
        - sgObjectStorage: <objectstorage-name>
          cronSchedule: 0 0 * * *
      initialData:
        restore:
          fromBackup:
            name: <backup-name>

I guess my question is how I can specify the CA bundle so Wal-G/Patroni can fetch the backup files from S3? Sorry if it's obvious how to specify it, but I could not find any relevant documentation for exactly this.
Thanks!
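
Added example (not part of the original post and not StackGres or WAL-G code): the `x509: certificate signed by unknown authority` text in the log is the error a Go TLS client returns when the issuing CA is missing from that client's root pool. The sketch below reproduces it with a HEAD request and shows the same request succeeding once the CA bundle is loaded; `headWithCA` and `newConstructedEndpoint` are hypothetical helpers, and a local test server stands in for the on-premise S3 endpoint.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// headWithCA sends a HEAD request like the one in the log. With caPEM == nil
// the client trusts only the system roots; otherwise it trusts only the CA
// certificates found in caPEM (hypothetical helper).
func headWithCA(url string, caPEM []byte) (int, error) {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	if caPEM != nil {
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM(caPEM) {
			return 0, errors.New("no usable certificate in CA bundle")
		}
		cfg.RootCAs = pool
	}
	tr := &http.Transport{TLSClientConfig: cfg, DisableKeepAlives: true}
	client := &http.Client{Timeout: 5 * time.Second, Transport: tr}
	resp, err := client.Head(url)
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	return resp.StatusCode, nil
}

// newConstructedEndpoint starts a local HTTPS server whose certificate is not
// in any system trust store (constructed stand-in for a private-CA S3 host).
func newConstructedEndpoint() (*httptest.Server, []byte) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	ca := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
	return srv, ca
}

func main() {
	srv, ca := newConstructedEndpoint()
	defer srv.Close()
	_, err := headWithCA(srv.URL+"/bucket/sentinel.json", nil)
	fmt.Println("system roots only:", err)
	code, err := headWithCA(srv.URL+"/bucket/sentinel.json", ca)
	fmt.Println("with CA bundle:", code, err)
}
```

Pointing `headWithCA` at the real endpoint with the PEM stored in the Kubernetes secret confirms whether that bundle validates the S3 certificate chain, independently of how the restore process is configured.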