vmware-tanzu
/
velero
mirror of https://github.com/vmware-tanzu/velero.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
velero/site/content/docs/v1.4/self-signed-certificates.md

1.3 KiB
Raw Blame History

title layout
Use Velero with a storage provider secured by a self-signed certificate docs

If you are using an S3-Compatible storage provider that is secured with a self-signed certificate, connections to the object store may fail with a certificate signed by unknown authority message. In order to proceed, a certificate bundle may be provided when adding the storage provider.

Trusting a self-signed certificate during installation

When using the velero install command, you can use the --cacert flag to provide a path to a PEM-encoded certificate bundle to trust.

velero install \
    --plugins <PLUGIN_CONTAINER_IMAGE [PLUGIN_CONTAINER_IMAGE]>
    --provider <YOUR_PROVIDER> \
    --bucket <YOUR_BUCKET> \
    --secret-file <PATH_TO_FILE> \
    --cacert <PATH_TO_CA_BUNDLE>

Velero will then automatically use the provided CA bundle to verify TLS connections to that storage provider when backing up and restoring.

Trusting a self-signed certificate with the Velero client

To use the describe, download, or logs commands to access a backup or restore contained in storage secured by a self-signed certificate as in the above example, you must use the --cacert flag to provide a path to the certificate to be trusted.

velero backup describe my-backup --cacert <PATH_TO_CA_BUNDLE>