Deploy certificates on the Kubernetes operator
You need to deploy certificates for secure communication between the datamover and the NetBackup media servers.
Note:
You must deploy the certificates before you can perform Backup from Snapshot and Restore from Backup operations.
The cluster must be added and discovered successfully before you create the BackupServerCert, because it relies on NetBackup passing some clusterInfo in order to set the status to Success.
Datamover facilitates data movement within the NetBackup environment. It communicates with the media servers over Transport Layer Security (TLS). For more details, refer to the About secure communication in NetBackup section in the NetBackup™ Security and Encryption Guide. For this communication, Datamover needs a host-ID-based certificate or an ECA-signed certificate issued by the NetBackup primary server. A new custom resource definition, BackupServerCert, is introduced to enable certificate deployment operations in NBCA (NetBackup Certificate Authority) or ECA (External Certificate Authority) mode.
The custom resource specification looks like this:
apiVersion: netbackup.veritas.com/v1
kind: BackupServerCert
metadata:
  name: backupservercert-sample-nbca
  namespace: kops-ns
spec:
  clusterName: cluster.sample.com:port
  backupServer: primary.server.sample.com
  certificateOperation: Create | Update | Remove
  certificateType: NBCA | ECA
  nbcaAttributes:
    nbcaCreateOptions:
      secretName: "Secret name consists of token and fingerprint"
    nbcaUpdateOptions:
      secretName: "Secret name consists of token and fingerprint"
      force: true | false
    nbcaRemoveOptions:
      hostID: "hostId of the nbca certificate. You can view on Netbackup UI"
  ecaAttributes:
    ecaCreateOptions:
      ecaSecretName: "Secret name consists of cert, key, passphrase, cacert"
      copyCertsFromSecret: true | false
      isKeyEncrypted: true | false
    ecaUpdateOptions:
      ecaCrlCheck: DISABLE | LEAF | CHAIN
      ecaCrlRefreshHours: [0,4380]
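
The following is an added example, not part of the NetBackup documentation and not Veritas code: a Python lint for an already parsed BackupServerCert manifest that catches template placeholders left unresolved and values outside the ranges shown in the specification above. The function name, the sample Secret name, and the rule that each operation reads the options block named after it are assumptions.

```python
# Added example (not Veritas code); allowed values come from the template above.
OPERATIONS = ("Create", "Update", "Remove")
CERT_TYPES = ("NBCA", "ECA")
CRL_CHECKS = ("DISABLE", "LEAF", "CHAIN")
# Expected type of each option field shown in the template.
FIELD_TYPES = {
    "nbcaCreateOptions": {"secretName": str},
    "nbcaUpdateOptions": {"secretName": str, "force": bool},
    "nbcaRemoveOptions": {"hostID": str},
    "ecaCreateOptions": {"ecaSecretName": str, "copyCertsFromSecret": bool,
                         "isKeyEncrypted": bool},
    "ecaUpdateOptions": {"ecaCrlCheck": str, "ecaCrlRefreshHours": int},
}


def lint_backup_server_cert(manifest):
    """Return a list of problems; an empty list means the checks passed."""
    spec = manifest.get("spec") or {}
    op, ctype = spec.get("certificateOperation"), spec.get("certificateType")
    if op not in OPERATIONS or ctype not in CERT_TYPES:
        return ["certificateOperation/certificateType: pick exactly one value each"]
    # Assumption: the block read is <type>Attributes.<type><Operation>Options,
    # inferred from the field names in the template.
    block = f"{ctype.lower()}{op}Options"
    options = (spec.get(f"{ctype.lower()}Attributes") or {}).get(block)
    problems = []
    if block in FIELD_TYPES and options is None:
        problems.append(f"{block} is missing for {ctype} {op}")
    for name, value in (options or {}).items():
        expected = FIELD_TYPES.get(block, {}).get(name)
        if expected is None:
            continue  # field not shown in the template; not judged here
        if type(value) is not expected:
            problems.append(f"{block}.{name}: expected {expected.__name__}")
        elif expected is str and (not value or " " in value):
            problems.append(f"{block}.{name}: placeholder text not replaced")
        elif name == "ecaCrlCheck" and value not in CRL_CHECKS:
            problems.append(f"{block}.{name}: pick one of {CRL_CHECKS}")
        elif name == "ecaCrlRefreshHours" and not 0 <= value <= 4380:
            problems.append(f"{block}.{name}: must be within [0,4380]")
    return problems


# Constructed sample: the template copied with "force" left unresolved.
SAMPLE = {"kind": "BackupServerCert", "spec": {
    "certificateOperation": "Update", "certificateType": "NBCA",
    "nbcaAttributes": {"nbcaUpdateOptions": {
        "secretName": "nbca-token-secret", "force": "true | false"}}}}
```

Calling lint_backup_server_cert(SAMPLE) reports the unresolved force value; load a real manifest with the YAML parser of your choice and pass the resulting dictionary.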