External database

Business Teams Service (BTS) can be configured with an external database. By default, BTS deploys the integrated EDB PostgreSQL database automatically in the Red Hat OpenShift cluster. You can also configure the external database for the BTS with one of the following methods:

Configuring an external database with the BTS custom resource

The BTS custom resource can be used to configure an external database connection for the BTS service. You must specify the spec.databaseConfig parameter in the YAML file to configure the database. For more information about the spec.databaseConfig parameter, see CRD API Reference.

The sample database configuration is as follows:

    apiVersion: operator.ibm.com/v1alpha1
    kind: BusinessTeamsService
    metadata:
      name: bts
      namespace: cp4ba
    spec:
      databaseConfig:
        serverName: mypostgresql.ibm.com
        portNumber: 5432
        databaseName: umsdb02
        userSecretName: postgresql-user
        ssl: "true"
        sslMode: verify-ca
        sslSecretName: postgres-ssl

If you set the databaseConfig parameter, BTS data is hosted in an existing database and the default EDB PostgreSQL installation is not deployed for the BTS installation.

You can configure the databaseConfig parameter with the properties such as serverName, portNumber, and databaseName. The properties define the database endpoint and name that can be used to configure the database. BTS creates the necessary tables automatically in the configured database.

The userSecretName parameter directs to an existing secret in the same namespace where BTS is installed. The following is a sample secret for the userSecretName parameter:

   apiVersion: v1
   kind: Secret
   metadata:
     name: postgresql-user
   type: Opaque
   stringData:
     username: "postgres"
     password: "Passw0rd"

The values of the username and password parameters in the secret are the credentials for login to the database.

SSL configuration

You can enable SSL encryption to create a private communication between the BTS and the database. To enable the SSL encryption, set the ssl: "true" parameter in the yaml file.

Set the values of sslMode parameter with verify-ca or verify-full to validate the certificate of the database. For more information, see PostgreSQL JDBC connection parameters.

Note: If you need to verify the certificate of the database only, set sslMode with verify-ca. If you need to verify the certificate and hostname of the database, set sslMode with verify-full.

The following is a sample configuration with SSL encryption:

    apiVersion: operator.ibm.com/v1alpha1
    kind: BusinessTeamsService
    metadata:
      name: bts
      namespace: cp4ba
    spec:
      databaseConfig:
        serverName: mypostgresql.ibm.com
        portNumber: 5432
        databaseName: umsdb02
        userSecretName: postgresql-user
        ssl: "true"
        sslMode: verify-ca
        sslSecretName: postgres-ssl

The sslSecretName parameter directs to an existing secret in the same namespace where BTS is installed. The following is an example of the secret with the postgres-ssl secret name:

   apiVersion: v1
   kind: Secret
   metadata:
     name: postgres-ssl
   type: Opaque
   stringData:
     ca.crt: |-
       -----BEGIN CERTIFICATE-----
       ...<PEM encoded CA certificate>...
       -----END CERTIFICATE-----
     tls.crt: |-
       -----BEGIN CERTIFICATE-----
       ...<PEM encoded certificate>...
       -----END CERTIFICATE-----

In the example, ca.crt and tls.crt are the keys of the secret that contain the respective certificate data as PEM encoded strings. You can also set only one of the keys and the content of the secret is mounted in the BTS container. ca.crt and tls.crt are the values of the sslrootcert and sslcert parameters of the data source. For more information, see PostgreSQL JDBC connection parameters.

SSL client certificate authentication

BTS can be used with SSL client certificate authentication. The following is a sample configuration with SSL client certificate authentication:

    apiVersion: operator.ibm.com/v1alpha1
    kind: BusinessTeamsService
    metadata:
      name: bts
      namespace: cp4ba
    spec:
      databaseConfig:
        serverName: mypostgresql.ibm.com
        portNumber: 5432
        databaseName: umsdb02
        ssl: "true"
        sslMode: verify-ca
        sslSecretName: postgres-ssl
        customProperties:
        - name: sslkey
          value: "/opt/ibm/wlp/usr/shared/resources/security/db/clientkey.pk8"
        - name: user
          value: postgres

Note: SSL client-certificate authentication method does not require a password and it is not necessary to set the userSecretName parameter. You can specify the sslkey and user custom properties to indicate the location of the client key and name of the user.

The following is an example of the SSL secret postgres-ssl:

   apiVersion: v1
   kind: Secret
   metadata:
     name: postgres-ssl
   type: Opaque
   data:
     ca.crt: ...base64 encoded data...
     tls.crt: ...base64 encoded data...
     clientkey.pk8: ...base64 encoded data...

You can create the secret with the following command:

`oc create secret generic postgres-ssl --dry-run=client --from-file=clientkey.pk8=myclientkey.pk8 --from-file=ca.crt=ca.crt --from-file=tls.crt=tls.crt -oyaml >postgres-ssl.yaml`

The command assumes that the myclientkey.pk8, ca.crt, and tls.crt files are located in the same folder. The command creates a new postgres-ssl.yaml file with the secret in the same folder.

Note: The client key in PEM format needs to be converted to pk8 format before you create the secret. Run the following command to convert the format:

`openssl pkcs8 -topk8 -inform PEM -in myclientkey.pem -outform DER -nocrypt -out myclientkey.pk8`

Custom properties

You can set the custom properties to manage the special configuration cases. The following is an example of the custom properties:

   apiVersion: operator.ibm.com/v1alpha1
   kind: BusinessTeamsService
   metadata:
     name: bts
     namespace: cp4ba
   spec:
     databaseConfig:
       userSecretName: postgresql-user
       customProperties:
       - name: connectTimeout
         value: "5"
       - name: URL
         value: jdbc:postgresql://mypostgresql.ibm.com:5432/umsdb02

For example, the JDBC URL and connectTimeout properties are directly added in the customProperties parameter. It is not necessary to specify the host, port, and database name in the databaseConfig section when you directly specify URL in the customProperties parameter. The value of connectTimeout is set to 5 seconds.

Note: Set the userSecretName parameter in the spec.databaseConfig section to authenticate the database with the credentials in a confidential way. It is not recommended to set the username and password directly in the custom properties.

For more information about the supported customProperties, see PostgreSQL JDBC connection parameters.

Configuring an external database with the Kubernetes ConfigMap

You can use a Kubernetes ConfigMap to configure an external database connection for the BTS. The parameters that are specified in the Kubernetes ConfigMap are the same as in the BTS custom resource. For more information about the parameters, SSL configuration, and custom properties, see Configuring an external database with the BTS custom resource.

The following is a sample ConfigMap:

   apiVersion: v1
   kind: ConfigMap
   metadata:
     name: ibm-bts-config-extension
     namespace: cp4ba
   data:
     serverName: unwon1.fyre.ibm.com
     portNumber: "5432"
     databaseName: umsdb02
     ssl: "true"
     sslMode: verify-ca
     sslSecretName: postgres-ssl
     userSecretName: postgresql-user
     customPropertyName1: connectTimeout
     customPropertyValue1: "5"
     customPropertyName2: URL
     customPropertyValue2: "jdbc:postgresql://unwon1.fyre.ibm.com:5432/umsdb02"

The custom properties are defined in a numbered way such as customPropertyName1, customPropertyValue1, customPropertyName2, and customPropertyValue2 to pass the name and value of the specified custom properties.

For example, the connectTimeout and URL properties are specified in the customPropertyName1 and customPropertyName2 parameters. The values of the connectTimeout and URL properties are specified in the customPropertyValue1 and customPropertyValue1 parameters.