During certificate deployment on NetBackup Kubernetes Operator, unexpected behavior is seen if correct values are not provided in the Custom Resource specification
Problem
During certificate deployment on NetBackup Kubernetes Operator, unexpected behavior is seen if correct values are not provided in the Custom Resource specification.
Case 1: While deploying certificates in NBCA mode
- CertificateOperation can take three possible values: Create, Update, Remove. These values are case-sensitive.
- CertificateType must be NBCA when deploying certificates in NBCA mode. It is case-sensitive.
If you provide values other than those listed above, the following unexpected behavior occurs: the BackupServerCert status is reported as successful, but the certificates are not deployed. As a result, BFS (Backup From Snapshot) and Restore jobs fail with error code 34.
apiVersion: netbackup.veritas.com/v1
kind: BackupServerCert
metadata:
  name: backupservercert-sample
  namespace: kops-ns
spec:
  clusterName: cluster.sample.com
  backupServer: primary.server.sample.com
  certificateOperation: Create | Update | Remove
  certificateType: NBCA
  nbcaAttributes:
    nbcaCreateOptions:
      secretName: "Name of secret containing token and fingerprint"
    nbcaUpdateOptions:
      secretName: "Name of secret containing token and fingerprint"
      force: true
    nbcaRemoveOptions:
      hostID: "hostId of the nbca certificate. User can see this on Netbackup UI"
Case 2: While deploying certificates in ECA mode
- CertificateOperation can take three possible values: Create, Update, Remove. These values are case-sensitive.
- CertificateType must be ECA when deploying certificates in ECA mode. It is case-sensitive.
- EcaCrlCheck can take three values: DISABLE, LEAF, CHAIN. These values are case-sensitive.
If you provide values other than those listed above, the following unexpected behavior occurs: the BackupServerCert status is reported as successful, but the certificates are not deployed. As a result, BFS (Backup From Snapshot) and Restore jobs fail with error code 34.
apiVersion: netbackup.veritas.com/v1
kind: BackupServerCert
metadata:
  name: backupservercert-sample-eca
  namespace: kops-ns
spec:
  clusterName: cluster.sample.com
  backupServer: primary.server.sample.com
  certificateOperation: Create | Update | Remove
  certificateType: ECA
  ecaAttributes:
    ecaCreateOptions:
      ecaSecretName: "Name of secret containing cert, key, passphrase, cacert"
      copyCertsFromSecret: true | false
      isKeyEncrypted: true | false
    ecaUpdateOptions:
      ecaCrlCheck: DISABLE | LEAF | CHAIN
      ecaCrlRefreshHours: range[0,4380]
Error Message
If the correct values are not given in the respective fields, the certificates are not deployed, even though the BackupServerCert status is successful. As a result, Backup from Snapshot and Restore jobs fail with error code 34.
Cause
The CertificateType, CertificateOperation, and ecaCrlCheck fields are case-sensitive. If the correct values are not given, unexpected behavior is observed.
Solution
Create the backupservercert CR with the correct values. Refer to the specifications below for each operation. For more details, refer to the "Deploying Certificates on NetBackup Kubernetes Operator" section in the NetBackup Web UI Kubernetes Administrator Guide, 10.0 version.
For reference, all required YAML files are attached at the end of the technote.
When deploying certificates in NBCA Mode
Create Operation

apiVersion: netbackup.veritas.com/v1
kind: BackupServerCert
metadata:
  name: backupservercert-nbca-create
  namespace: netbackupKopsNamespace
spec:
  clusterName: api.sample.domain.com
  backupServer: backupserver.domain.com
  certificateOperation: Create
  certificateType: NBCA
  nbcaAttributes:
    nbcaCreateOptions:
      secretName: nbcaSecretName

Remove Operation

apiVersion: netbackup.veritas.com/v1
kind: BackupServerCert
metadata:
  name: backupservercert-nbca-remove
  namespace: netbackupKopsNamespace
spec:
  clusterName: api.sample.domain.com
  backupServer: backupserver.domain.com
  certificateOperation: Remove
  certificateType: NBCA
  nbcaAttributes:
    nbcaRemoveOptions:
      hostID: xxxxxxxxxxxxxxxxxxxxxxxxx

Update Operation

apiVersion: netbackup.veritas.com/v1
kind: BackupServerCert
metadata:
  name: backupservercert-nbca-update
  namespace: netbackupKopsNamespace
spec:
  clusterName: api.sample.domain.com
  backupServer: backupserver.domain.com
  certificateOperation: Update
  certificateType: NBCA
  nbcaAttributes:
    nbcaUpdateOptions:
      force: true
      secretName: nbcaSecretName
When deploying certificates in ECA Mode
Create Operation

apiVersion: netbackup.veritas.com/v1
kind: BackupServerCert
metadata:
  name: backupservercert-eca-create
  namespace: netbackupKopsNamespace
spec:
  clusterName: api.sample.domain.com
  backupServer: backupserver.domain.com
  certificateOperation: Create
  certificateType: ECA
  ecaAttributes:
    ecaCreateOptions:
      ecaSecretName: eca-secret
      copyCertsFromSecret: true
      isKeyEncrypted: false

Remove Operation

apiVersion: netbackup.veritas.com/v1
kind: BackupServerCert
metadata:
  name: backupservercert-eca-remove
  namespace: netbackupKopsNamespace
spec:
  clusterName: api.sample.domain.com
  backupServer: backupserver.domain.com
  certificateOperation: Remove
  certificateType: ECA

Update Operation

apiVersion: netbackup.veritas.com/v1
kind: BackupServerCert
metadata:
  name: backupservercert-eca-update
  namespace: netbackupKopsNamespace
spec:
  clusterName: api.sample.domain.com
  backupServer: backupserver.domain.com
  certificateOperation: Update
  certificateType: ECA
  ecaAttributes:
    ecaUpdateOptions:
      ecaCrlCheck: LEAF
      ecaCrlRefreshHours: 1
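
Because a wrong-case value still produces a successful BackupServerCert status, the manifest can be checked before it is applied. The following lint is an added example, not Veritas code: the function names, the regex-based field lookup and the sample manifest are assumptions for illustration, and it assumes one BackupServerCert per file.

```python
import re

# Allowed values exactly as the technote lists them; matching is case-sensitive.
ALLOWED = {
    "certificateOperation": ("Create", "Update", "Remove"),
    "certificateType": ("NBCA", "ECA"),
    "ecaCrlCheck": ("DISABLE", "LEAF", "CHAIN"),
}
REQUIRED = ("certificateOperation", "certificateType")
CRL_REFRESH_RANGE = (0, 4380)  # ecaCrlRefreshHours range given in the technote

def scalar(manifest, key):
    """Value of `key`, or None if absent (assumes one CR per manifest)."""
    m = re.search(rf"^[ \t]*{re.escape(key)}:[ \t]*([^#\n]*)", manifest, re.M)
    return m.group(1).strip().strip("\"'") if m else None

def lint_backupservercert(manifest):
    """Return a list of problems; empty means the checked fields are valid."""
    problems = []
    for key, allowed in ALLOWED.items():
        value = scalar(manifest, key)
        if value is None:
            if key in REQUIRED:
                problems.append(f"{key}: missing")
        elif value not in allowed:
            # A value that differs only in case is the failure mode described above.
            hint = next((a for a in allowed if a.lower() == value.lower()), None)
            detail = f"wrong case, use {hint}" if hint else f"expected one of {allowed}"
            problems.append(f"{key}: {value} ({detail})")
    hours = scalar(manifest, "ecaCrlRefreshHours")
    lo, hi = CRL_REFRESH_RANGE
    if hours is not None and not (hours.isdecimal() and lo <= int(hours) <= hi):
        problems.append(f"ecaCrlRefreshHours: {hours} (expected integer in [{lo}, {hi}])")
    return problems

# Constructed sample manifest: each checked field is wrong in a different way.
BAD = """\
kind: BackupServerCert
spec:
  certificateOperation: update
  certificateType: Eca
  ecaAttributes:
    ecaUpdateOptions:
      ecaCrlCheck: leaf
      ecaCrlRefreshHours: 5000
"""

if __name__ == "__main__":
    for problem in lint_backupservercert(BAD):
        print("REJECT", problem)
```

An empty result covers only the fields named in the Cause section; it does not confirm that the referenced secret or host ID exists.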