FoundationDB · johscheuer · Sep 1, 2025
diff --git a/api/v1beta2/foundationdbbackup_types.go b/api/v1beta2/foundationdbbackup_types.go
@@ -103,6 +103,7 @@ type FoundationDBBackupSpec struct {
 	EncryptionKeyPath string `json:"encryptionKeyPath,omitempty"`
 
 	// MainContainer defines customization for the foundationdb container.
+	// Note: The enableTls setting is ignored for backup agents - use TLS environment variables instead.
 	MainContainer ContainerOverrides `json:"mainContainer,omitempty"`
 
 	// SidecarContainer defines customization for the

diff --git a/docs/backup_spec.md b/docs/backup_spec.md
@@ -97,7 +97,7 @@ FoundationDBBackupSpec describes the desired state of the backup for a cluster.
 | allowTagOverride | This setting defines if a user provided image can have it's own tag rather than getting the provided version appended. You have to ensure that the specified version in the Spec is compatible with the given version in your custom image. **Deprecated: use ImageConfigs instead.** | *bool | false |
 | blobStoreConfiguration | This is the configuration of the target blobstore for this backup. | *[BlobStoreConfiguration](#blobstoreconfiguration) | false |
 | encryptionKeyPath | The path to the encryption key used to encrypt the backup. | string | false |
-| mainContainer | MainContainer defines customization for the foundationdb container. | ContainerOverrides | false |
+| mainContainer | MainContainer defines customization for the foundationdb container. Note: The enableTls setting is ignored for backup agents - use TLS environment variables instead. | ContainerOverrides | false |
 | sidecarContainer | SidecarContainer defines customization for the foundationdb-kubernetes-sidecar container. | ContainerOverrides | false |
 | imageType | ImageType defines the image type that should be used for the FoundationDBCluster deployment. When the type is set to \"unified\" the deployment will use the new fdb-kubernetes-monitor. Otherwise the main container and the sidecar container will use different images. Default: split | *ImageType | false |
 | backupType | BackupType defines the backup type that should be used for the backup. When the BackupType is set to BackupTypePartitionedLog, it's expected that the FoundationDBCluster creates and manages the additional backup worker processes. A migration to a different backup type is not yet supported in the operator. Default: \"backup_agent\". | *[BackupType](#backuptype) | false |

diff --git a/docs/manual/backup.md b/docs/manual/backup.md
@@ -93,6 +93,25 @@ By default, the operator assumes you want to use secure connections to your obje
 
 If you are configuring your cluster to use TLS for connections within the cluster, the backup agents will use the same certificate, key, and CA file for the connections to the cluster, so you must make sure the configuration is valid for this purpose as well.
 
+## TLS Configuration for Backup Agents
+
+**Important**: Backup agents act as normal FDB clients and don't use the setting `enableTls` flag in `mainContainer`.
+The [Example Backup](#example-backup) shows how to configure the required environment variables.
+
+### For Backup Agents connecting to TLS clusters:
+
+- **Required**: Set TLS environment variables (`FDB_TLS_CERTIFICATE_FILE`, `FDB_TLS_KEY_FILE`, `FDB_TLS_CA_FILE`) in the backup agent pod template
+- **Not needed**: The `enableTls` flag in `mainContainer` or `sidecarContainer` configurations - this only applies to FDB server processes
+
+### Key Differences:
+
+| Component | TLS Environment Variables | `enableTls` Flag |
+|-----------|--------------------------|------------------|
+| FDB Server Processes | ✓ Required | ✓ Required |
+| Backup Agents | ✓ Required | ✗ Ignored |
+
+The backup agent will automatically use TLS when connecting to a TLS-enabled cluster if the TLS environment variables are present, regardless of the `enableTls` setting in the backup spec.
+
 ## Configuring Your Account
 
 Before you start a backup, you will need to configure an account in your object store. Depending on the implementation details of your object store, you may also need to configure a bucket in advance, but the FDB backup process will attempt to automatically create one. You can specify the bucket name in the `bucket` field of the backup spec. In the example above, we have an account called `account` at the object store `https://object-store.example`, and it has a bucket called `fdb-backups`.

diff --git a/docs/manual/tls.md b/docs/manual/tls.md
@@ -103,6 +103,12 @@ Connections to FDB will use the peer verification logic provided by the FDB clie
 
 Connections to the sidecar will use the peer verification logic provided by go's tls library. This means that the sidecar's certificate must be valid for the pod's IP. You can disable verification for the connections to the sidecar by setting the environment variable `DISABLE_SIDECAR_TLS_CHECK=1` on the operator, but this will also disable the validation of the certificate chain, so it is not recommended to use this in real environments.
 
+## TLS for Backup Agents
+
+When configuring backup agents to connect to TLS-enabled clusters, note that backup agents act as FDB clients and only require the TLS environment variables (`FDB_TLS_CERTIFICATE_FILE`, `FDB_TLS_KEY_FILE`, `FDB_TLS_CA_FILE`). The `enableTls` flag used for FDB server processes does not apply to backup agents.
+
+See the [backup documentation](backup.md#tls-configuration-for-backup-agents) for detailed configuration examples.
+
 ## TLS Migration
 
 The operator supports to migrate a non-TLS cluster to TLS and visa versa.