You can configure an external PostgreSQL instance by using the Helm Chart. By default, the Helm Chart creates and manages a local instance of PostgreSQL in the same namespace where you have deployed the {product-very-short} instance. However, you can change this default setting to configure an external PostgreSQL database server, for example, Amazon Web Services (AWS) Relational Database Service (RDS) or Azure database.
-
You meet the {about-book-link}#rhdh-sizing_about-rhdh[Sizing requirements for external PostgreSQL deployments].
-
You are using a supported version of PostgreSQL. For more information, see the Product life cycle page.
-
You have the following details:
-
db-host: Denotes your PostgreSQL instance Domain Name System (DNS) or IP address -
db-port: Denotes your PostgreSQL instance port number, such as5432 -
username: Denotes the user name to connect to your PostgreSQL instance -
password: Denotes the password to connect to your PostgreSQL instance
-
-
You have installed the {product-very-short} application by using the Helm Chart.
-
Optional: You have a CA certificate, Transport Layer Security (TLS) private key, and TLS certificate so that you can secure your database connection by using the TLS protocol. For more information, refer to your PostgreSQL vendor documentation.
|
Note
|
By default, {product-short} uses a database for each plugin and automatically creates it if none is found. You might need the |
-
Optional: Create a certificate secret to configure your PostgreSQL instance with a TLS connection:
$ cat <<EOF | oc -n <your-namespace> create -f - apiVersion: v1 kind: Secret metadata: name: {my-product-database-certificates-secrets} (1) type: Opaque stringData: postgres-ca.pem: |- -----BEGIN CERTIFICATE----- <ca-certificate-key> (2) postgres-key.key: |- -----BEGIN CERTIFICATE----- <tls-private-key> (3) postgres-crt.pem: |- -----BEGIN CERTIFICATE----- <tls-certificate-key> (4) # ... EOF-
Provide the name of the certificate secret.
-
Provide the CA certificate key.
-
Optional: Provide the TLS private key.
-
Optional: Provide the TLS certificate key.
-
-
Create a credential secret to connect with the PostgreSQL instance:
$ cat <<EOF | oc -n <your-namespace> create -f - apiVersion: v1 kind: Secret metadata: name: {my-product-database-secrets} (1) type: Opaque stringData: (2) POSTGRES_PASSWORD: <password> POSTGRES_PORT: "<db-port>" POSTGRES_USER: <username> POSTGRES_HOST: <db-host> PGSSLMODE: <ssl-mode> # for TLS connection (3) NODE_EXTRA_CA_CERTS: <abs-path-to-pem-file> # for TLS connection, e.g. /opt/app-root/src/postgres-crt.pem (4) EOF-
Provide the name of the credential secret.
-
Provide credential data to connect with your PostgreSQL instance.
-
Optional: Provide the value based on the required Secure Sockets Layer (SSL) mode.
-
Optional: Provide the value only if you need a TLS connection for your PostgreSQL instance.
-
-
Configure your PostgreSQL instance in the Helm configuration file named
values.yaml:# ... upstream: postgresql: enabled: false # disable PostgreSQL instance creation (1) auth: existingSecret: {my-product-database-secrets} # inject credentials secret to Backstage (2) backstage: appConfig: backend: database: connection: # configure Backstage DB connection parameters host: ${POSTGRES_HOST} port: ${POSTGRES_PORT} user: ${POSTGRES_USER} password: ${POSTGRES_PASSWORD} ssl: rejectUnauthorized: true, ca: $file: /opt/app-root/src/postgres-ca.pem key: $file: /opt/app-root/src/postgres-key.key cert: $file: /opt/app-root/src/postgres-crt.pem extraEnvVarsSecrets: - {my-product-database-secrets} # inject credentials secret to Backstage (3) extraEnvVars: - name: BACKEND_SECRET valueFrom: secretKeyRef: key: backend-secret name: '{{ include "janus-idp.backend-secret-name" $ }}' extraVolumeMounts: - mountPath: /opt/app-root/src/dynamic-plugins-root name: dynamic-plugins-root - mountPath: /opt/app-root/src/postgres-crt.pem name: postgres-crt # inject TLS certificate to Backstage cont. (4) subPath: postgres-crt.pem - mountPath: /opt/app-root/src/postgres-ca.pem name: postgres-ca # inject CA certificate to Backstage cont. (5) subPath: postgres-ca.pem - mountPath: /opt/app-root/src/postgres-key.key name: postgres-key # inject TLS private key to Backstage cont. (6) subPath: postgres-key.key extraVolumes: - ephemeral: volumeClaimTemplate: spec: accessModes: - ReadWriteOnce resources: requests: storage: 1Gi name: dynamic-plugins-root - configMap: defaultMode: 420 name: dynamic-plugins optional: true name: dynamic-plugins - name: dynamic-plugins-npmrc secret: defaultMode: 420 optional: true secretName: '{{ printf "%s-dynamic-plugins-npmrc" .Release.Name }}' - name: postgres-crt secret: secretName: {my-product-database-certificates-secrets} (7) # ...
-
Set the value of the
upstream.postgresql.enabledparameter tofalseto disable creating local PostgreSQL instances. -
Provide the name of the credential secret.
-
Provide the name of the credential secret.
-
Optional: Provide the name of the TLS certificate only for a TLS connection.
-
Optional: Provide the name of the CA certificate only for a TLS connection.
-
Optional: Provide the name of the TLS private key only if your TLS connection requires a private key.
-
Provide the name of the certificate secret if you have configured a TLS connection.
-
-
Apply the configuration changes in your Helm configuration file named
values.yaml:$ helm upgrade -n <your-namespace> <your-deploy-name> openshift-helm-charts/redhat-developer-hub -f values.yaml --version {product-chart-version}