Connect SignServer to External Database

All production deployments of SignServer should use an external database for data persistence.

For information on supported databases for each deployment and how to use database clustering, see Supported Databases and High Availability and Clustering.

The following sections provides examples for connecting to different databases.

Use a Kubernetes Secret for Credentials

You can create a secret or use an existing secret to reference.

Create the Kubernetes Secret

Create a Kubernetes secret to store the database credentials, then reference it in values.yaml using envFrom to make all keys and values available to SignServer.

  1. Create a dedicated Kubernetes secret for storing the database credentials:

    Bash
    kubectl create secret generic signserver-db-credentials \
        --from-literal=DATABASE_USER='signserver' \
        --from-literal=DATABASE_PASSWORD='foo123'
    
  2. Make all keys and values of the secret available to SignServer by referencing it in values.yaml:

    YAML
    signserver:
      env:
        DATABASE_JDBC_URL: <jdbc connection string>
      envFrom:
        - secretRef:
            name: signserver-db-credentials
    

Property

Description

DATABASE_JDBC_URL

Specify the JDBC URL.

DATABASE_USER

(Optional) The username part of the credentials to access the external database. Not required for use of the H2 database.

DATABASE_PASSWORD

(Optional) The password part of the credentials to access the external database. Not required for use of the H2 database.

Reference Specific Credentials

Reference specific credentials in an existing secret, for example, signserver-credentials using envRaw:

YAML
signserver:
  env:
    DATABASE_JDBC_URL: <jdbc connection string>
  envRaw:
    - name: DATABASE_PASSWORD
      valueFrom:
       secretKeyRef:
         name: signserver-credentials
         key: database_password
    - name: DATABASE_USER
      valueFrom:
       secretKeyRef:
         name: signserver-credentials
         key: database_user 

Use Plain Text Values

This method is only recommended for testing purposes.

For testing, you can optionally use env and plain text values:

YAML
signserver:
  env:
    DATABASE_JDBC_URL: <jdbc connection string>
    DATABASE_USER: signserver
    DATABASE_PASSWORD: foo123

Database Connection Examples

The following examples show how to connect SignServer to common databases.

MariaDB/MySQL

The following example shows modifications to the helm chart values file used to connect to a MariaDB database or MySQL database with server name mariadb-server and database name signserverdb using username signserver and password foo123:

YAML
signserver:
  useEphemeralH2Database: false
  env:
    DATABASE_JDBC_URL: "jdbc:mariadb://signserver-mariadb:3306/signserverdb?characterEncoding=utf8"
    DATABASE_USER: signserver
    DATABASE_PASSWORD: foo123

Use jdbc:mariadb even when connecting to a MySQL database. The JDBC driver supports both MariaDB and MySQL.

PostgreSQL

The following example connects SignServer to a PostgreSQL database and uses a Kubernetes secret for storing the database username and password:

YAML
signserver:
  useEphemeralH2Database: false
  env:
    DATABASE_JDBC_URL: jdbc:postgresql://postgresql-server:5432/signserverdb
  envRaw:
    - name: DATABASE_PASSWORD
      valueFrom:
       secretKeyRef:
         name: signserver-db-credentials
         key: database_password
    - name: DATABASE_USER
      valueFrom:
       secretKeyRef:
         name: signserver-db-credentials
         key: database_user

Microsoft SQL Server or Azure SQL

The following example connects SignServer to a Microsoft SQL Server database:

YAML
signserver:
  env:
    DATABASE_JDBC_URL: jdbc:sqlserver://mssql-server:1433;DatabaseName=signserver;encrypt=true;trustServerCertificate=false;hostNameInCertificate=*.database.windows.net;loginTimeout=30;sendStringParametersAsUnicode=false
  envFrom:
    - secretRef:
        name: signserver-db-credentials

Oracle

The following example connects SignServer to an Oracle database using a secret that contains DATABASE_USER and DATABASE_PASSWORD keys:

YAML
signserver:
  env:
    DATABASE_JDBC_URL: jdbc:oracle:thin:@//oracle-server:1521/signserver
  envFrom:
    - secretRef:
        name: signserver-db-credentials