[qdrant] backup: datafile backup fails with TLS-enabled clusters (HTTP/0.9 error)

[nayutah]

Summary

The qdrant datafile backup actionset (qdrant-snapshot-br) hardcodes endpoint=http://... when connecting to the qdrant API to take collection snapshots. When TLS is enabled on the cluster (tls: true), qdrant only accepts HTTPS connections, causing the backup to fail with curl: (1) Received HTTP/0.9 when not allowed.

Trigger Path

1. Create a qdrant cluster with tls: true and issuer.name: KubeBlocks
2. Trigger a datafile backup via Backup resource
3. Backup job fails immediately

Root Cause

addons/qdrant/actionset (deployed as ActionSet qdrant-snapshot-br) contains:

endpoint=http://${DP_DB_HOST}:6333

This is hardcoded HTTP. When TLS is enabled, qdrant rejects plain HTTP connections — curl receives an unexpected response (HTTP/0.9) from the TLS handshake.

Fix

The backup script needs to detect TLS and switch to HTTPS:

# Detect TLS: check if the TLS cert mount path has files
if [ -f "${TLS_MOUNT_PATH:-/qdrant/tls}/tls.crt" ]; then
  endpoint=https://${DP_DB_HOST}:6333
  CURL_TLS="-k"  # or --cacert ${TLS_MOUNT_PATH}/ca.crt
else
  endpoint=http://${DP_DB_HOST}:6333
  CURL_TLS=""
fi

Or alternatively, inject TLS_ENABLED / TLS_MOUNT_PATH env vars into the backup action via the backup policy env section.

Workaround

Disable TLS on the cluster before taking backups, or use the qdrant cluster without TLS enabled.

Impact

All datafile backups (including scheduled backups via BackupSchedule) fail when TLS is enabled on the qdrant cluster.

Test Environment

• KubeBlocks v1.0 API
• qdrant 1.17.1, cluster topology, 3 replicas, TLS enabled (issuer: KubeBlocks)

[nayutah]

Bug Found and Fixed

Root cause: Backup/restore jobs could not communicate with TLS-enabled qdrant pods.

The TLS_ENABLED var was defined only in spec.vars (resolved dynamically by KubeBlocks into pods), but backup jobs inherit env vars from spec.runtime.containers.env — not from spec.vars. The TLS detection logic used file-based cert checks ([ -f /qdrant/tls/tls.crt ]) which always fails in backup job containers since they don't mount the TLS volume. Both checks silently fell through to HTTP, producing curl: (1) Received HTTP/0.9 when not allowed against the HTTPS-only endpoint.

Fix applied (3 files):

1. addons/qdrant/templates/cmpd.yaml — Added TLS_ENABLED: $(TLS_ENABLED) and TLS_MOUNT_PATH to runtime.containers.env so backup jobs inherit the resolved values
2. addons/qdrant/scripts/qdrant-backup.sh — Changed TLS detection from cert file check to [ "${TLS_ENABLED:-}" = "true" ]
3. addons/qdrant/scripts/qdrant-restore.sh — Same fix as backup script