Description
What happened?
We have a backup agent running that connects to a cluster running mTLS. We've found that the backup agent is able to connect to the cluster so long as we've set the TLS environment variables, even though we don't enable TLS in the main pod configuration. Can you confirm if this is just a documentation issue, or if the bug is that the backup agent somehow doesn't respect the configs?
Here's what we see on the backup agent pod:
- It has these relevant environment variables set:

```yaml
env:
  - name: FDB_BLOB_CREDENTIALS
    value: /var/backup-credentials/credentials
  - name: FDB_TLS_CERTIFICATE_FILE
    value: /var/certs/tls.crt
  - name: FDB_TLS_CA_FILE
    value: /var/external-certs/ca.pem
  - name: FDB_TLS_KEY_FILE
    value: /var/certs/tls.key
```
- It does not have any of the ContainerOverrides set. So `enableTls` is false, and `peerVerificationRules` is false.
- In the agent container, we can see the backup agent is running, but without the command line arguments to pass in the TLS certs:

```
backup_agent --log --logdir /var/log/fdb-trace-logs --knob_blobstore_enable_read_cache 0
```

- I can run `fdbcli` on the agent and it is able to connect to the DB and run status successfully.
- Our FDB cluster has peer verification rules set (which the backup agent's certs would pass), but the backup agent does not.
I guess what must be happening here is that the presence of the environment variables is implicitly turning on TLS. In which case, should we update the documentation to indicate that you don't strictly need the `enableTls` configuration?
What did you expect to happen?
I expected the backup agent to be unable to connect to the cluster because it wasn't using TLS unless I set `enableTls` to be true.
How can we reproduce it (as minimally and precisely as possible)?
Would need to set up a backup agent with the configs I described
Anything else we need to know?
No response
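The mismatch this report describes (TLS material reaching the agent only through `FDB_TLS_*` environment variables while `enableTls` is false and nothing TLS-related appears on the command line) can be checked mechanically from the pod spec before it is rolled out. The following is an added example, not code from fdb-kubernetes-operator or from the reporter. It assumes a plain-dict Kubernetes container spec, an `overrides` dict carrying the operator's `enableTls` and `peerVerificationRules` values, the `FDB_TLS_*` variables quoted above, and that the fdb binaries accept `--tls_certificate_file`, `--tls_key_file`, `--tls_ca_file` and `--tls_verify_peers` as the command-line equivalents (an assumption here, not something the report states).

```python
"""Audit a FoundationDB backup-agent container for TLS settings that reach
the process only through FDB_TLS_* environment variables.

Added example for this issue; not code from fdb-kubernetes-operator.
Assumed: container is the dict form of a Kubernetes container, `overrides`
mirrors the operator's enableTls / peerVerificationRules settings, and the
--tls_* flags are the ones the fdb binaries accept for the same values.
"""
import shlex

# Env var read by the FDB client library -> assumed equivalent CLI flag.
ENV_TO_FLAG = {
    "FDB_TLS_CERTIFICATE_FILE": "--tls_certificate_file",
    "FDB_TLS_KEY_FILE": "--tls_key_file",
    "FDB_TLS_CA_FILE": "--tls_ca_file",
    "FDB_TLS_VERIFY_PEERS": "--tls_verify_peers",
}


def env_map(container):
    """Flatten a container's env list into {name: value}."""
    return {e["name"]: e.get("value", "") for e in container.get("env", [])}


def tls_flags(cmdline):
    """Return the set of --tls_* flag names present on a command line."""
    return {tok.split("=", 1)[0]
            for tok in shlex.split(cmdline) if tok.startswith("--tls_")}


def audit_tls(container, cmdline, overrides):
    """Return a list of (finding, detail) tuples describing TLS mismatches."""
    env = env_map(container)
    env_tls = {k: v for k, v in env.items() if k in ENV_TO_FLAG}
    flags = tls_flags(cmdline)
    enable_tls = bool(overrides.get("enableTls", False))
    findings = []

    # The situation from the report: certs arrive via env, nothing on the
    # command line, and the operator-level enableTls is still false, so
    # the pod spec does not show that the agent will speak TLS.
    if env_tls and not flags and not enable_tls:
        findings.append((
            "tls_from_env_only",
            "FDB_TLS_* set (%s) but enableTls=false and no --tls_* args; "
            "TLS use is implicit" % ", ".join(sorted(env_tls))))

    # enableTls is true but the process gets no cert/key/CA from anywhere.
    required = ("FDB_TLS_CERTIFICATE_FILE", "FDB_TLS_KEY_FILE", "FDB_TLS_CA_FILE")
    missing = [e for e in required
               if e not in env_tls and ENV_TO_FLAG[e] not in flags]
    if enable_tls and missing:
        findings.append((
            "tls_material_missing",
            "enableTls=true but no source for: " + ", ".join(missing)))

    # Client-side peer verification: the agent presents a certificate but
    # configures no rule for checking the cluster it connects to.
    has_rules = ("FDB_TLS_VERIFY_PEERS" in env_tls
                 or "--tls_verify_peers" in flags
                 or bool(overrides.get("peerVerificationRules")))
    if (env_tls or flags or enable_tls) and not has_rules:
        findings.append((
            "no_peer_verification_rules",
            "agent has TLS configured but no verify-peers rule"))
    return findings


# Constructed from the env list and command line quoted in the report.
ISSUE_CONTAINER = {"env": [
    {"name": "FDB_BLOB_CREDENTIALS", "value": "/var/backup-credentials/credentials"},
    {"name": "FDB_TLS_CERTIFICATE_FILE", "value": "/var/certs/tls.crt"},
    {"name": "FDB_TLS_CA_FILE", "value": "/var/external-certs/ca.pem"},
    {"name": "FDB_TLS_KEY_FILE", "value": "/var/certs/tls.key"},
]}
ISSUE_CMDLINE = ("backup_agent --log --logdir /var/log/fdb-trace-logs "
                 "--knob_blobstore_enable_read_cache 0")
ISSUE_OVERRIDES = {"enableTls": False, "peerVerificationRules": ""}

if __name__ == "__main__":
    for name, detail in audit_tls(ISSUE_CONTAINER, ISSUE_CMDLINE, ISSUE_OVERRIDES):
        print(f"{name}: {detail}")
```

Run against the report's own pod, the audit flags both that TLS is being switched on implicitly and that the agent carries no peer verification rule; a spec with `enableTls` set, the `--tls_*` arguments on the command line and a verify-peers rule passes clean.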