Creating secrets to protect sensitive PostgreSQL SSL configuration data

If you plan to use SSL for your PostgreSQL database, create a secret manually to protect the certificate data for the database.

About this task

The steps for creating the secret vary depending on whether your database enables server only or both server and client authentication.

Procedure

  • For a database with server-only authentication:
    1. Obtain the certificate file for your database server.
    2. Use a command like the following to create the secret:
      kubectl create secret generic <your-secret-name> --from-file=serverca.pem=<your-certification-name>.crt -n <namespace>

      The name of the secret that you create (for example, ibm-postgresql-ssl-cert-secret) is the value for the database_ssl_secret_name parameter.

  • For a database with both server and client authentication:
    1. Obtain the certificate file for your database server.
    2. Obtain the certificate file and client key for your database client.
    3. Use a command like the following to create the secret:
      kubectl create secret generic <your-secret-name> \
        --from-file=serverca.pem=<your-server-certification-name>.crt \
        --from-file=clientcert.pem=<your-client-certification-name>.crt \
        --from-file=clientkey.pem=<your-client-key-name>.crt \
        -n <namespace>

      The name of the secret that you create (for example, ibm-postgresql-ssl-cert-secret) is the value for the database_ssl_secret_name parameter.
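The following script is an added example and not part of the IBM documentation or the operator's code. It builds the same Kubernetes Secret object that the two kubectl commands above produce (key names serverca.pem, clientcert.pem and clientkey.pem, base64-encoded contents, type Opaque), and it checks the two mistakes that most often break an SSL connection later: passing a non-PEM or wrong-kind file, and supplying a client certificate without its key (or the other way around). The secret name, namespace and PEM bodies are constructed placeholders, not real certificates.

```python
import base64

# Key names inside the secret. These are the names the kubectl commands in the
# procedure pass to --from-file, and the operator looks them up verbatim.
SERVER_CA_KEY = "serverca.pem"
CLIENT_CERT_KEY = "clientcert.pem"
CLIENT_KEY_KEY = "clientkey.pem"

# Constructed placeholder PEM bodies (not real key material), used for the demo below.
SAMPLE_SERVER_CA = b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER-SERVER-CA\n-----END CERTIFICATE-----\n"
SAMPLE_CLIENT_CERT = b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER-CLIENT-CERT\n-----END CERTIFICATE-----\n"
SAMPLE_CLIENT_KEY = b"-----BEGIN PRIVATE KEY-----\nPLACEHOLDER-CLIENT-KEY\n-----END PRIVATE KEY-----\n"


def _check_pem(label, pem_bytes, marker):
    """Refuse input that is not PEM of the expected kind. This catches a DER file
    passed by mistake, and a client key and certificate swapped on the command line."""
    if pem_bytes is None or marker not in pem_bytes:
        raise ValueError(f"{label}: expected a PEM block containing {marker.decode()!r}")


def build_ssl_secret_manifest(name, namespace, server_ca, client_cert=None, client_key=None):
    """Return a dict equivalent to what
    kubectl create secret generic <name> --from-file=... -n <namespace> --dry-run=client -o yaml
    emits for the two cases in the procedure: server-only authentication (server CA only)
    or server plus client authentication (server CA, client certificate and client key)."""
    if (client_cert is None) != (client_key is None):
        raise ValueError("client certificate and client key must be supplied together")
    _check_pem(SERVER_CA_KEY, server_ca, b"BEGIN CERTIFICATE")
    data = {SERVER_CA_KEY: server_ca}
    if client_cert is not None:
        _check_pem(CLIENT_CERT_KEY, client_cert, b"BEGIN CERTIFICATE")
        _check_pem(CLIENT_KEY_KEY, client_key, b"PRIVATE KEY")
        data[CLIENT_CERT_KEY] = client_cert
        data[CLIENT_KEY_KEY] = client_key
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "Opaque",
        "metadata": {"name": name, "namespace": namespace},
        # Secret.data holds base64 of the raw file bytes, exactly as --from-file stores them.
        "data": {k: base64.b64encode(v).decode("ascii") for k, v in data.items()},
    }


def decode_secret_data(manifest):
    """Inverse of the data encoding: map each key back to the raw file bytes,
    which is what you would inspect after 'kubectl get secret ... -o yaml'."""
    return {k: base64.b64decode(v) for k, v in manifest["data"].items()}


def render_yaml(manifest):
    """Minimal YAML rendering for this flat manifest, so no PyYAML dependency is needed."""
    lines = [
        f"apiVersion: {manifest['apiVersion']}",
        f"kind: {manifest['kind']}",
        f"type: {manifest['type']}",
        "metadata:",
    ]
    lines += [f"  {k}: {v}" for k, v in manifest["metadata"].items()]
    lines.append("data:")
    lines += [f"  {k}: {v}" for k, v in manifest["data"].items()]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Mutual-authentication variant; "cp4a-project" is a constructed namespace name.
    manifest = build_ssl_secret_manifest(
        "ibm-postgresql-ssl-cert-secret", "cp4a-project",
        SAMPLE_SERVER_CA, SAMPLE_CLIENT_CERT, SAMPLE_CLIENT_KEY,
    )
    print(render_yaml(manifest))
```

Running the script prints a manifest you can compare key-for-key against the output of the real kubectl command with --dry-run=client -o yaml; if the data keys differ from serverca.pem, clientcert.pem and clientkey.pem, the operator will not find the certificate material under database_ssl_secret_name.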

What to do next

Use the name of your secret to create the configuration for an SSL database connection when you complete your CR YAML file.
The following values specify the SSL database configuration and provide the name of the SSL secret that you created:
dc_ssl_enabled: true
database_ssl_secret_name: "<postgresql ssl secret name>"
For example, for the relevant datasource in your FileNet® Content Manager deployment, your CR might look like the following sample snippet:
datasource_configuration:
    # the candidate value is "db2" or "db2HADR" or "oracle" or "sqlserver" or "postgresql"
    dc_ssl_enabled: true
    dc_gcd_datasource:
      dc_database_type: "postgresql"
      ...
      database_ssl_secret_name: "ibm-postgresql-ssl-cert-secret"
    dc_os_datasources:
    - dc_database_type: "postgresql"
      ...
      database_ssl_secret_name: "ibm-postgresql-ssl-cert-secret"

Also remember to add the database user name and password to the ibm-fncm-secret.