
Conversation

@mayankshah1607 (Member) commented Oct 9, 2025

K8SPXC-1332

CHANGE DESCRIPTION

Problem:

Backups and restores against S3 endpoints served over HTTPS with private/internal certificates fail unless TLS verification is disabled, which weakens security by forcing verifyTLS=false and bypassing server identity checks.

Solution:

Introduce a configurable caBundle for S3 storage so clients can verify TLS using a trusted CA without disabling SSL verification.

What’s included

  • Two configuration modes to supply the CA: inline base64-encoded bundle in the CR, or a Secret reference for separation of concerns and rotation via Kubernetes primitives (e.g., certs provisioned via cert-manager).

Examples:

Inline CA bundle in the PXC CR:

storages:
  minio-s3:
    type: s3
    verifyTLS: true
    s3:
      caBundle: "BASE64 encoded CA cert"

Secret reference to the CA bundle:

storages:
  minio-s3:
    type: s3
    verifyTLS: true
    s3:
      caBundle:
        fromSecret:
          name: minio-ca-bundle
          key: tls.crt

CHECKLIST

Jira

  • Is the Jira ticket created and referenced properly?
  • Does the Jira ticket have the proper statuses for documentation (Needs Doc) and QA (Needs QA)?
  • Does the Jira ticket link to the proper milestone (Fix Version field)?

Tests

  • Is an E2E test/test case added for the new feature/change?
  • Are unit tests added where appropriate?
  • Are OpenShift compare files changed for E2E tests (compare/*-oc.yml)?

Config/Logging/Testability

  • Are all needed new/changed options added to default YAML files?
  • Are all needed new/changed options added to the Helm Chart?
  • Did we add proper logging messages for operator actions?
  • Did we ensure compatibility with the previous version or cluster upgrade process?
  • Does the change support oldest and newest supported PXC version?
  • Does the change support oldest and newest supported Kubernetes version?

@pull-request-size pull-request-size bot added the size/L 100-499 lines label Oct 9, 2025
Signed-off-by: Mayank Shah <[email protected]>
@mayankshah1607 mayankshah1607 changed the title K8SPXC-1332 | [WIP] Allow specifying caBundle for backup storage connection K8SPXC-1332 | Allow specifying caBundle for backup storage connection Oct 15, 2025
@mayankshah1607 mayankshah1607 marked this pull request as ready for review October 15, 2025 09:18
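Added example, not code from this PR or from the operator: a stand-alone Go program showing what the two caBundle modes above amount to on the client side, i.e. building a tls.Config whose RootCAs pool is populated from either the inline base64 value or the referenced Secret's key, with server verification left on. The CABundleSpec struct, the helper names and the private CA / MinIO-style leaf certificate are all constructed for the example and are assumptions, not the operator's types. The third scenario connects to the same server with no bundle and shows that the identity check fails with an unknown-authority error rather than being bypassed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// CABundleSpec is a hypothetical stand-in for the two CR shapes in the PR text, not the operator's API type.
type CABundleSpec struct {
	Inline     string            // s3.caBundle: "<base64-encoded PEM bundle>"
	SecretData map[string][]byte // decoded .data of the Secret named in caBundle.fromSecret.name
	SecretKey  string            // caBundle.fromSecret.key, e.g. "tls.crt"
}

// resolveCABundle returns the PEM bytes from whichever mode is configured (inline wins if both are set).
func resolveCABundle(spec CABundleSpec) ([]byte, error) {
	if spec.Inline != "" {
		return base64.StdEncoding.DecodeString(spec.Inline)
	}
	if pemBytes, ok := spec.SecretData[spec.SecretKey]; ok {
		return pemBytes, nil
	}
	return nil, fmt.Errorf("no caBundle configured: inline empty and secret key %q missing", spec.SecretKey)
}

// tlsConfigFor keeps verification on (no InsecureSkipVerify) and trusts only the bundle:
// a non-nil RootCAs replaces the system roots, so a public CA cannot vouch for the internal endpoint.
func tlsConfigFor(spec CABundleSpec) (*tls.Config, error) {
	pemBytes, err := resolveCABundle(spec)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(pemBytes) {
		return nil, fmt.Errorf("caBundle holds no parsable CA certificate")
	}
	return &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}, nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert issues an ECDSA P-256 certificate from tmpl; a nil parent makes it self-signed.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// probe serves HTTPS with leaf on 127.0.0.1 and does one GET with clientTLS; the error is the client's verification failure, if any.
func probe(clientTLS *tls.Config, leaf tls.Certificate) error {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{leaf}}
	srv.StartTLS()
	defer srv.Close()
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: clientTLS}}).Get(srv.URL)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// runScenarios builds a private CA and a leaf for 127.0.0.1 (constructed test material standing in for an
// internal MinIO) and connects with the inline bundle, the Secret-backed bundle, and no bundle at all.
func runScenarios() (inlineErr, secretErr, noBundleErr error) {
	now := time.Now()
	ca, caKey := newCert(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "internal MinIO CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign}, nil, nil)
	leafCert, leafKey := newCert(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "minio.internal"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, IPAddresses: []net.IP{net.ParseIP("127.0.0.1")}}, ca, caKey)
	leaf := tls.Certificate{Certificate: [][]byte{leafCert.Raw}, PrivateKey: leafKey}
	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ca.Raw})
	inlineErr = probe(must(tlsConfigFor(CABundleSpec{Inline: base64.StdEncoding.EncodeToString(caPEM)})), leaf)
	secretErr = probe(must(tlsConfigFor(CABundleSpec{SecretData: map[string][]byte{"tls.crt": caPEM}, SecretKey: "tls.crt"})), leaf)
	noBundleErr = probe(&tls.Config{RootCAs: x509.NewCertPool()}, leaf) // same server, client lacks the private CA
	return
}

func main() {
	inlineErr, secretErr, noBundleErr := runScenarios()
	fmt.Println("inline:", inlineErr, "| fromSecret:", secretErr, "| no bundle:", noBundleErr)
}
```

Two practitioner notes. First, in Go a non-nil RootCAs pool replaces the system trust store entirely, so a bundle that is meant to cover both an internal MinIO and a public cloud bucket must contain every issuing CA that should be trusted. Second, the Secret mode in the example reads already-decoded bytes, which is what a Kubernetes client returns for .data; only the inline mode needs the base64 decode.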
@JNKPercona (Collaborator)

Test Name Result Time
affinity-8-0 passed 00:06:10
auto-tuning-8-0 passed 00:19:27
cross-site-8-0 passed 00:36:00
custom-users-8-0 failure 00:09:35
demand-backup-cloud-8-0 passed 00:58:51
demand-backup-encrypted-with-tls-8-0 passed 00:44:41
demand-backup-8-0 passed 00:41:27
demand-backup-flow-control-8-0 passed 00:11:03
demand-backup-parallel-8-0 passed 00:09:34
demand-backup-without-passwords-8-0 passed 00:15:54
haproxy-5-7 passed 00:14:37
haproxy-8-0 passed 00:14:55
init-deploy-5-7 passed 00:16:51
init-deploy-8-0 passed 00:18:11
limits-8-0 passed 00:12:06
monitoring-2-0-8-0 passed 00:22:54
monitoring-pmm3-8-0 passed 00:19:21
one-pod-5-7 passed 00:13:55
one-pod-8-0 passed 00:13:54
pitr-8-0 passed 00:44:53
pitr-gap-errors-8-0 passed 00:56:10
proxy-protocol-8-0 passed 00:09:45
proxysql-sidecar-res-limits-8-0 passed 00:08:26
pvc-resize-5-7 passed 00:16:18
pvc-resize-8-0 passed 00:15:54
recreate-8-0 passed 00:17:54
restore-to-encrypted-cluster-8-0 passed 00:25:59
scaling-proxysql-8-0 passed 00:08:43
scaling-8-0 passed 00:10:58
scheduled-backup-5-7 passed 01:04:26
scheduled-backup-8-0 passed 01:02:06
security-context-8-0 passed 00:25:31
smart-update1-8-0 passed 00:33:03
smart-update2-8-0 passed 00:38:06
storage-8-0 passed 00:10:51
tls-issue-cert-manager-ref-8-0 passed 00:09:20
tls-issue-cert-manager-8-0 passed 00:11:19
tls-issue-self-8-0 passed 00:12:57
upgrade-consistency-8-0 passed 00:11:37
upgrade-haproxy-5-7 passed 00:24:20
upgrade-haproxy-8-0 passed 00:24:21
upgrade-proxysql-5-7 passed 00:15:12
upgrade-proxysql-8-0 passed 00:15:28
users-5-7 passed 00:25:19
users-8-0 passed 00:24:02
validation-hook-8-0 passed 00:02:01
We run 46 out of 46 17:04:47

commit: 6c08ea7
image: perconalab/percona-xtradb-cluster-operator:PR-2213-6c08ea71
