Skip to content

Inject custom CA certificates in PowerDNS database not possible

Summary

Custom CA certificates specified in spec.caCertificates in a DesignateDeployment are made available in the Designate database but not in the PowerDNS database.

Detailed Description

Example use case: You want to backup the PowerDNS database to S3 target but that required injecting a custom CA in order for the backup-shifter to trust the S3 endpoint.

To do so, the following can be configured in DesignateDeployment manifest:

@@ -10,6 +10,28 @@ metadata:
   name: designate
   namespace: yaook
 spec:
+  caCertificates:
+  - | # external vault CA since the object storage uses this (needed for S3 backups)
+    -----BEGIN CERTIFICATE-----
+    <CONTENT GOES HERE>
+    -----END CERTIFICATE-----
   keystoneRef:
     name: keystone
   api:
@@ -22,6 +44,14 @@ spec:
   database:
     backup:
       schedule: "0 * * * *"
+      targets:
+        s3:
+          bucket: <SOME BUCKET>
+          endpoint: "<SOME URL>"
+          credentialRef:
+            name: s3-db-backups
+          filePrefix: "<SOME PREFIX>"
+          addressingStyle: path
     proxy:
       replicas: 3
     replicas: 3
@@ -57,6 +87,14 @@ spec:
     database:
       backup:
         schedule: "0 * * * *"
+        targets:
+          s3:
+            bucket: <SOME BUCKET>
+            endpoint: "<SOME URL>"
+            credentialRef:
+              name: s3-db-backups
+            filePrefix: "<SOME PREFIX>"
+            addressingStyle: path
       proxy:
         replicas: 3
       replicas: 3

Steps to reproduce the issue

See section above how to reproduce. According to the schedule in the manifest above the backup is performed every hour. One can trigger an backup immediately via:

kubectl -n <NAMESPACE> exec -c backup-creator designate-powerdns-powerdns-db-2 -- /usr/local/bin/backup-now

Watch the logs:

kubectl -n <NAMESPACE> logs -c backup-shifter designate-powerdns-powerdns-db-2

Result

Backup is not uploaded to S3 target and backup-shifter of PowerDNS database says:

botocore.exceptions.SSLError: SSL validation failed for <URL> [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1028)

Expected Result

Backup should be uploaded to S3 target just as for the Designate database.

Additional Information

Resolution

Proposal

To be discussed.

Specification

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this issue are to be interpreted in the spirit of RFC 2119, even though we're not technically doing protocol design.

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information