Configure SSL/TLS connection to databases

Enforcing SSL/TLS on the connection to the databases ensures that the communication between the database server and its clients is encrypted, and, when the client also verifies the server certificate, that the client is talking to the genuine database server rather than to something impersonating it. This is a recommended practice.

Database infrastructure configuration

The specific database server configuration is out of scope of the ESS configuration. Depending on the database infrastructure you chose to support your ESS deployment, configuration details may vary.

Once SSL/TLS is enabled, obtain the Certificate Authority (CA) public root certificate bundle in PEM format. Clients need this certificate bundle to verify the certificate presented by the database server; without it the client cannot authenticate the server, and a connection that requires full verification will be refused.

Mounting the database CA bundle on the containers

The ESS kustomizer includes a component that consumes the CA certificate bundle and mounts it on the containers that need to access the database. Here is how to enable it:

  1. Define a Secret in your kustomization named database-ca-bundle, with an item named database-ca-bundle.pem that contains the CA certificate bundle from your database server:

secretGenerator:
  - name: database-ca-bundle
    files:
      - database-ca-bundle.pem

  2. Include ../release/ess/deployment/kubernetes/components/add-databases-ca/ in your root kustomization.yaml file.

This results in the database CA bundle being mounted at the path /opt/cacerts/db/database-ca-bundle.pem in each container that needs to access the database.

Configuring the JDBC URL

For the client to enforce SSL/TLS, the following parameters need to be added to the JDBC URLs that are configured as part of the Postgres credentials: ssl=true&sslmode=verify-full&sslrootcert=/opt/cacerts/db/database-ca-bundle.pem. The sslmode value matters: verify-full makes the driver check both the certificate chain against the mounted CA bundle and that the hostname in the URL matches the server certificate. Weaker modes such as require only encrypt the connection without authenticating the server, and verify-ca checks the chain but not the hostname, so neither protects against a host impersonating the database.
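The following script is an added example and is not part of the ESS documentation or the ESS project. It parses a PostgreSQL JDBC URL, reports every TLS parameter that falls short of the settings above (missing ssl=true, an sslmode weaker than verify-full, a missing or wrong sslrootcert), and sanity-checks that a PEM bundle contains balanced certificate blocks. The mount path /opt/cacerts/db/database-ca-bundle.pem comes from this page; the host, database name and the PEM text are constructed placeholders.

```python
"""Check that a PostgreSQL JDBC URL enforces TLS with full server verification.

Added example, not ESS code. MOUNTED_CA_BUNDLE is the path documented for the
add-databases-ca component; everything else below is a constructed assumption.
"""
from urllib.parse import parse_qs, urlsplit

MOUNTED_CA_BUNDLE = "/opt/cacerts/db/database-ca-bundle.pem"  # from the page

# pgjdbc sslmode values ordered from weakest to strongest. Only verify-full
# validates the certificate chain AND checks the hostname against the cert.
SSLMODE_RANK = {
    "disable": 0, "allow": 1, "prefer": 2, "require": 3,
    "verify-ca": 4, "verify-full": 5,
}

# Constructed URLs; the host and database name are assumptions, not ESS values.
WEAK_URL = "jdbc:postgresql://db.example.internal:5432/ess?ssl=true&sslmode=require"
HARDENED_URL = (
    "jdbc:postgresql://db.example.internal:5432/ess"
    "?ssl=true&sslmode=verify-full&sslrootcert=" + MOUNTED_CA_BUNDLE
)


def parse_jdbc_postgres_url(url):
    """Split a jdbc:postgresql:// URL into host, port, database and parameters."""
    prefix = "jdbc:postgresql://"
    if not url.startswith(prefix):
        raise ValueError("not a PostgreSQL JDBC URL: %r" % url)
    parts = urlsplit("postgresql://" + url[len(prefix):])
    # Keep the last value if a parameter is repeated, matching typical driver behaviour.
    params = {k: v[-1] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return {
        "host": parts.hostname,
        "port": parts.port or 5432,
        "database": parts.path.lstrip("/"),
        "params": params,
    }


def tls_findings(url, expected_ca=MOUNTED_CA_BUNDLE):
    """Return a list of problems; an empty list means the URL enforces verify-full."""
    params = parse_jdbc_postgres_url(url)["params"]
    findings = []
    if params.get("ssl", "").lower() != "true":
        findings.append("ssl=true is missing")
    mode = params.get("sslmode")
    if mode is None:
        findings.append("sslmode is not set explicitly; do not rely on driver defaults")
    elif mode not in SSLMODE_RANK:
        findings.append("unknown sslmode %r" % mode)
    elif SSLMODE_RANK[mode] < SSLMODE_RANK["verify-full"]:
        findings.append(
            "sslmode=%s does not verify the server certificate and hostname; "
            "use sslmode=verify-full" % mode
        )
    root = params.get("sslrootcert")
    if root is None:
        findings.append("sslrootcert is missing; the driver cannot validate the chain")
    elif root != expected_ca:
        findings.append("sslrootcert=%s is not the mounted bundle %s" % (root, expected_ca))
    return findings


def count_pem_certificates(pem_text):
    """Count CERTIFICATE blocks in a PEM bundle, rejecting unbalanced markers."""
    begins = pem_text.count("-----BEGIN CERTIFICATE-----")
    ends = pem_text.count("-----END CERTIFICATE-----")
    if begins != ends:
        raise ValueError("malformed PEM bundle: %d BEGIN vs %d END markers" % (begins, ends))
    return begins


# Constructed placeholder bundle: two blocks with dummy bodies, not real certificates.
SAMPLE_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\nMIIBplaceholderRootCA==\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nMIIBplaceholderIntermediate==\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    for label, url in (("weak", WEAK_URL), ("hardened", HARDENED_URL)):
        problems = tls_findings(url)
        print("%s: %s" % (label, "OK" if not problems else "; ".join(problems)))
    print("certificates in sample bundle:", count_pem_certificates(SAMPLE_BUNDLE))
```

Run it against each JDBC URL in your Postgres credentials before deploying; the weak URL above is reported because sslmode=require encrypts but never authenticates the server and because no sslrootcert points at the mounted bundle. To check the real bundle, read /opt/cacerts/db/database-ca-bundle.pem from inside a container and pass its contents to count_pem_certificates.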
