Compatible S3 backup doesn't have a valid SHA #17783

@budgester

When trying to store the backups on a NetApp using compatible S3, we get the following error:

InvalidArgument; message: x-amz-content-sha256 must be UNSIGNED-PAYLOAD, STREAMING-AWS4-HMAC-SHA256-PAYLOAD or a valid sha256 value.

Log output

externalbackups/plugins/s3/common: 2025/11/12 12:00:00.000329 s3common.go:165: Info: Starting S3 compatible backup
pg_dump: last built-in OID is 16383
pg_dump: reading extensions
pg_dump: identifying extension members
pg_dump: reading schemas
pg_dump: reading user-defined tables
pg_dump: reading user-defined functions
pg_dump: reading user-defined types
pg_dump: reading procedural languages
pg_dump: reading user-defined aggregate functions
pg_dump: reading user-defined operators
pg_dump: reading user-defined access methods
pg_dump: reading user-defined operator classes
pg_dump: reading user-defined operator families
pg_dump: reading user-defined text search parsers
pg_dump: reading user-defined text search templates
pg_dump: reading user-defined text search dictionaries
pg_dump: reading user-defined text search configurations
pg_dump: reading user-defined foreign-data wrappers
pg_dump: reading user-defined foreign servers
pg_dump: reading default privileges
pg_dump: reading user-defined collations
pg_dump: reading user-defined conversions
pg_dump: reading type casts
pg_dump: reading transforms
pg_dump: reading table inheritance information
pg_dump: reading event triggers
pg_dump: finding extension tables
pg_dump: finding inheritance relationships
pg_dump: reading column info for interesting tables
pg_dump: finding table default expressions
pg_dump: flagging inherited columns in subtables
pg_dump: reading partitioning data
pg_dump: reading indexes
pg_dump: flagging indexes in partitioned tables
pg_dump: reading extended statistics
pg_dump: reading constraints
pg_dump: reading triggers
pg_dump: reading rewrite rules
pg_dump: reading policies
pg_dump: reading row-level security policies
pg_dump: reading publications
pg_dump: reading publication membership of tables
pg_dump: reading publication membership of schemas
pg_dump: reading subscriptions
pg_dump: reading large objects
pg_dump: reading dependency data
pg_dump: saving encoding = UTF8
pg_dump: saving standard_conforming_strings = on
pg_dump: saving search_path = 
pg_dump: saving database definition
pg_dump: dumping contents of table "public.active_components"
pg_dump: dumping contents of table "public.active_components_active_contexts_slices"
pg_dump: dumping contents of table "public.administration_events"
pg_dump: dumping contents of table "public.alerts"
externalbackups/plugins/s3/common: 2025/11/12 12:00:03.581102 s3common.go:221: Error: S3 compatible backup: creating backup in bucket "eng-mgmt-acs" with key "backup_2025-11-12T12:00:00.zip" (code: InvalidArgument; message: x-amz-content-sha256 must be UNSIGNED-PAYLOAD, STREAMING-AWS4-HMAC-SHA256-PAYLOAD or a valid sha256 value.) {"backup": "S3-Backup", "error": "upload multipart failed, upload id: MjE1MDMwMTY0NV8xMzU5XzEyMTY4N18yNjgwMjQ4NTc0, cause: operation error S3: UploadPart, https response error StatusCode: 400, RequestID: , HostID: , api error InvalidArgument: x-amz-content-sha256 must be UNSIGNED-PAYLOAD, STREAMING-AWS4-HMAC-SHA256-PAYLOAD or a valid sha256 value.", "err_code": "s3compatible", "bucket": "eng-mgmt-acs"}
externalbackups/scheduler: 2025/11/12 12:00:03.581334 schedule.go:108: Error: failed to send backup to *s3common.s3Common: S3 compatible backup: creating backup in bucket "eng-mgmt-acs" with key "backup_2025-11-12T12:00:00.zip" (code: InvalidArgument; message: x-amz-content-sha256 must be UNSIGNED-PAYLOAD, STREAMING-AWS4-HMAC-SHA256-PAYLOAD or a valid sha256 value.)
pkg/postgres/pgadmin: 2025/11/12 12:00:03.583388 postgres_command_utils.go:26: Error: Failure executing "/usr/bin/pg_dump -d central_active -Fc -v -U postgres -h central-db.stackrox.svc -p 5432" with signal: broken pipe
externalbackups/scheduler: 2025/11/12 12:00:03.599690 schedule.go:55: Error: Failed to write backup to io.writer: backing up postgres: unable to write postgres.dump to zip: signal: broken pipe

We are deploying using the operator on an OpenShift cluster, and have set the additional env vars to attempt to force the generation of the SHA.

Openshift RHACS Deployment resource

---
apiVersion: platform.stackrox.io/v1alpha1
kind: Central
metadata:
  name: stackrox-central-services
  namespace: stackrox
spec:
  customize:
    envVars:
      - name: AWS_REQUEST_CHECKSUM_CALCULATION
        value: WHEN_REQUIRED
      - name: AWS_RESPONSE_CHECKSUM_VALIDATION
        value: WHEN_REQUIRED
  central:
    db:
      connectionPoolSize:
        maxConnections: 90
        minConnections: 10
      isEnabled: Default
      persistence:
        persistentVolumeClaim:
          claimName: central-db
    exposure:
      loadBalancer:
        enabled: false
        port: 443
      nodePort:
        enabled: false
      route:
        enabled: true
    notifierSecretsEncryption:
      enabled: false
    defaultTLSSecret:
      name: central-stackrox
    persistence:
      persistentVolumeClaim:
        claimName: stackrox-db
    telemetry:
      enabled: false
  configAsCode:
    configAsCodeComponent: Enabled
  egress:
    connectivityPolicy: Online
  monitoring:
    openshift:
      enabled: true
  network:
    policies: Enabled
  scanner:
    analyzer:
      scaling:
        autoScaling: Enabled
        maxReplicas: 5
        minReplicas: 2
        replicas: 3
  scannerV4:
    db:
      persistence:
        persistentVolumeClaim:
          claimName: scanner-v4-db
    indexer:
      scaling:
        autoScaling: Enabled
        maxReplicas: 5
        minReplicas: 2
        replicas: 3
    matcher:
      scaling:
        autoScaling: Enabled
        maxReplicas: 5
        minReplicas: 2
        replicas: 3
    scannerComponent: Default
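
The error message in the log accepts exactly three forms for `x-amz-content-sha256`. As an added example (not code from the issue, StackRox or the storage backend), the Go program below applies that rule in a stand-in handler so a header value can be checked offline. The names `checkHeader`, `probe` and `sendPart`, the request path, and the comparison of a hex digest against the body are assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// checkHeader applies the three forms named in the error message; comparing a
// hex digest with the body's SHA-256 is an assumption of this example.
func checkHeader(value string, body []byte) (string, bool) {
	if value == "UNSIGNED-PAYLOAD" || value == "STREAMING-AWS4-HMAC-SHA256-PAYLOAD" {
		return "accepted-keyword", true
	}
	digest, err := hex.DecodeString(value)
	if err != nil || len(digest) != sha256.Size {
		return "rejected-format", false
	}
	if sum := sha256.Sum256(body); !bytes.Equal(digest, sum[:]) {
		return "rejected-mismatch", false
	}
	return "accepted-digest", true
}

// probe is a hypothetical stand-in endpoint: 400 plus the verdict on failure.
func probe(w http.ResponseWriter, r *http.Request) {
	body, _ := io.ReadAll(r.Body)
	verdict, ok := checkHeader(r.Header.Get("X-Amz-Content-Sha256"), body)
	if !ok {
		w.WriteHeader(http.StatusBadRequest)
	}
	fmt.Fprint(w, verdict)
}

// sendPart replays one constructed part upload against probe, in memory.
func sendPart(headerValue string, body []byte) (int, string) {
	req := httptest.NewRequest(http.MethodPut, "/bucket/key?partNumber=1", bytes.NewReader(body))
	req.Header.Set("X-Amz-Content-Sha256", headerValue)
	rec := httptest.NewRecorder()
	probe(rec, req)
	return rec.Code, rec.Body.String()
}

func main() {
	fmt.Println(sendPart("UNSIGNED-PAYLOAD", []byte("constructed part data")))
}
```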
