Adding TLS Support to My MongoDB Backup Solution

December 18, 2025 • Matthew Duong • Kubernetes;Self Hosting;Devops

Background

Back in 2023, I wrote about my cloud-agnostic MongoDB backup solution using Kubernetes CronJobs. It's been running reliably ever since, backing up my home lab MongoDB instances to MinIO.

Recently, I enabled TLS on my MongoDB clusters to support Teleport database access. This promptly broke my backup cronjobs—mongodump couldn't verify my self-signed CA certificate.

The Fix: MONGODUMP_EXTRA_ARGS

Rather than hardcoding TLS options, I added a MONGODUMP_EXTRA_ARGS environment variable that passes additional arguments directly to mongodump:

mongodump --uri="$MONGO_CONNECTION_STRING" --archive="$FILENAME" --gzip $MONGODUMP_EXTRA_ARGS

This keeps the solution flexible. Need to skip TLS verification? Pass --tlsInsecure. Using a custom CA? Pass --tlsCAFile=/path/to/ca.crt. The same image works for both TLS and non-TLS deployments.
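
Because the variable is expanded unquoted and handed straight to mongodump, its value is worth checking before the dump runs. The POSIX sh pre-flight check below is an added example, not code from the k8s-mongodump-s3 image: it refuses --tlsInsecure unless explicitly allowed and confirms that the --tlsCAFile target is a readable PEM file. The names check_extra_args and ALLOW_TLS_INSECURE are hypothetical.

```shell
#!/bin/sh
# check_extra_args: hypothetical pre-flight check, not part of k8s-mongodump-s3.
# Returns 0 = ok, 1 = verification disabled, 2 = CA file problem, 3 = glob chars.
check_extra_args() {
    args=$1 ca_seen='' ca_file=''
    # The backup script expands the variable unquoted, so the shell would
    # pathname-expand these characters against the working directory.
    case $args in
        *\** | *\?* | *\[*) echo "glob characters in extra args" >&2; return 3 ;;
    esac
    set -f          # split on whitespace only, like the unquoted expansion
    set -- $args
    set +f
    while [ $# -gt 0 ]; do
        case $1 in
            --tlsInsecure)
                # ALLOW_TLS_INSECURE is an assumed opt-in variable.
                if [ "${ALLOW_TLS_INSECURE:-0}" != 1 ]; then
                    echo "--tlsInsecure skips server certificate checks" >&2
                    return 1
                fi ;;
            --tlsCAFile=*) ca_seen=1; ca_file=${1#--tlsCAFile=} ;;
            --tlsCAFile)   ca_seen=1; ca_file=${2:-}
                           if [ $# -gt 1 ]; then shift; fi ;;
        esac
        shift
    done
    if [ -n "$ca_seen" ]; then
        if [ ! -f "$ca_file" ] || [ ! -r "$ca_file" ]; then
            echo "CA file missing or unreadable: $ca_file" >&2; return 2
        fi
        if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$ca_file"; then
            echo "CA file is not PEM: $ca_file" >&2; return 2
        fi
    fi
    return 0
}

# Constructed sample inputs; the certificate body is a placeholder, not a real CA.
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'placeholder' '-----END CERTIFICATE-----' > "$demo_dir/ca.crt"
for sample in "--tlsCAFile=$demo_dir/ca.crt" "--tlsInsecure" "--tlsCAFile=$demo_dir/none.crt"; do
    if check_extra_args "$sample" 2>/dev/null; then
        echo "ok: $sample"
    else
        echo "rejected (rc=$?): $sample"
    fi
done
rm -rf "$demo_dir"
```

Calling the function just before the mongodump line makes a mistyped CA path or a leftover --tlsInsecure fail the job immediately instead of surfacing after the retry loop.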

Kubernetes Example with TLS

Here's how to use it with a custom CA certificate:

apiVersion: batch/v1
kind: CronJob
metadata:
    name: mongodb-backup-cronjob
spec:
    schedule: "0 0 * * *"
    jobTemplate:
        spec:
            template:
                spec:
                    containers:
                        - name: mongodb-backup
                          image: thegalah/k8s-mongodump-s3:1.1.0
                          env:
                              - name: MONGO_CONNECTION_STRING
                                valueFrom:
                                    secretKeyRef:
                                        name: mongodb-connection-secret
                                        key: connectionString.standard
                              - name: S3_OR_MINIO_ENDPOINT
                                value: http://minio:9000
                              - name: STORAGE_PATH
                                value: mongodumps
                              - name: DUMP_PREFIX
                                value: myapp_prod
                              - name: MONGODUMP_EXTRA_ARGS
                                value: "--tlsCAFile=/etc/ssl/mongodb/ca.crt"
                          volumeMounts:
                              - name: mongodb-ca
                                mountPath: /etc/ssl/mongodb
                                readOnly: true
                    volumes:
                        - name: mongodb-ca
                          secret:
                              # The Secret needs a key named ca.crt so the file appears at /etc/ssl/mongodb/ca.crt
                              secretName: mongodb-ca-certificate
                    restartPolicy: Never

Other Changes in v1.1.0

While I was in there, I also:

  • Updated the Kubernetes API version from batch/v1beta1 to batch/v1
  • Removed some environment variables from the docs that were never actually implemented
  • Improved the README with better formatting

The backup script still includes automatic retry with exponential backoff (up to 7 attempts), so transient failures are handled gracefully.

Conclusion

A small update, but a necessary one as my home lab security posture has evolved. The new image is available on Docker Hub as thegalah/k8s-mongodump-s3:1.1.0.

Repository: github.com/thegalah/k8s-mongodump-s3