Introduction
This guide describes how to implement dynamic credentials for PostgreSQL over SSL when Vault is deployed in a Kubernetes environment. The complication is that Vault's PostgreSQL database engine needs the SSL certificate files to exist on the Vault server's own file system, because pgx treats connection parameters such as sslrootcert, sslcert, and sslkey as file paths on the Vault server. This article walks through a solution that streamlines the process.
Expected Outcome
Configure dynamic credentials for PostgreSQL with SSL while Vault is deployed to a Kubernetes environment, effectively addressing the requirement of having SSL certificate files accessible on the Vault server's file system.
Prerequisites
- Vault deployed to a Kubernetes environment
- PostgreSQL instances set up
- SSL certificates for PostgreSQL instances
Procedure
- Create Kubernetes Secret for SSL Certificates
$ kubectl create secret generic psql-tls \
--namespace vault \
--from-file=your-cert-file.crt.pem=path/to/your-cert-file.crt.pem
- Modify Helm Chart to Include the Secret as an Extra Volume
Amend the Helm chart values to specify the secret as an extra volume. The chart mounts the secret's files under the directory /vault/userconfig (for this secret, /vault/userconfig/psql-tls), where they are ready for use when configuring the database connection.
server:
  extraVolumes:
    - type: secret
      name: psql-tls # Matches kubectl get secret <name> --namespace vault
- Configure PostgreSQL Storage Backend
Modify the configuration for the PostgreSQL storage backend to include the exact connection_url, making sure the SSL parameter points to the path inside the Vault pod where the mounted SSL certificate resides.
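As an added example (not from the original article), the following script derives the in-pod certificate path from the secret name and file key used in the steps above, builds a connection_url whose sslrootcert points at that path, checks the file is actually mounted, and then configures the database secrets engine. The host, port, database, role name and root credentials are placeholders.

```shell
#!/usr/bin/env sh
# Added example, not from the original article. Assumes the psql-tls secret
# and file key your-cert-file.crt.pem from the steps above; the Vault Helm
# chart mounts a secret extraVolume at /vault/userconfig/<secret-name>/<key>.

# Path the certificate file has inside the Vault pod once the volume is mounted.
cert_path_in_pod() {
  secret_name=$1
  file_key=$2
  printf '/vault/userconfig/%s/%s\n' "$secret_name" "$file_key"
}

# connection_url for the database secrets engine. sslrootcert must be the
# pod-side path, not the workstation path given to kubectl create secret.
# {{username}} and {{password}} are Vault's template fields for the root credentials.
build_connection_url() {
  host=$1; port=$2; db=$3; cert=$4
  printf 'postgresql://{{username}}:{{password}}@%s:%s/%s?sslmode=verify-full&sslrootcert=%s\n' \
    "$host" "$port" "$db" "$cert"
}

# Confirm the certificate is present (and non-empty) in the running pod
# before writing the configuration; a wrong path fails only at connect time.
check_cert_mounted() {
  pod=$1; cert=$2
  kubectl exec -n vault "$pod" -- test -s "$cert"
}

# Placeholder host, database, role and credentials: replace for real use.
apply_config() {
  cert=$(cert_path_in_pod psql-tls your-cert-file.crt.pem)
  url=$(build_connection_url postgres.example.internal 5432 appdb "$cert")
  check_cert_mounted vault-0 "$cert"
  vault secrets enable database
  vault write database/config/postgresql \
    plugin_name=postgresql-database-plugin \
    allowed_roles="app-role" \
    connection_url="$url" \
    username="vault_admin" \
    password="REPLACE_ME"
}

# Only talk to the cluster when explicitly asked, so the helpers can be sourced.
if [ "${1:-}" = "--apply" ]; then
  apply_config
fi
```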