All production deployments of SignServer should use an external database for data persistence.
For information on supported databases for each deployment and how to use database clustering, see Supported Databases and High Availability and Clustering.
The following sections provides examples for connecting to different databases.
Use a Kubernetes Secret for Credentials
You can create a secret or use an existing secret to reference.
Create the Kubernetes Secret
Create a Kubernetes secret to store the database credentials, then reference it in values.yaml using envFrom to make all keys and values available to SignServer.
-
Create a dedicated Kubernetes secret for storing the database credentials:
Bashkubectl create secret generic signserver-db-credentials \ --from-literal=DATABASE_USER='signserver' \ --from-literal=DATABASE_PASSWORD='foo123' -
Make all keys and values of the secret available to SignServer by referencing it in
values.yaml:YAMLsignserver: env: DATABASE_JDBC_URL: <jdbc connection string> envFrom: - secretRef: name: signserver-db-credentials
|
Property |
Description |
|---|---|
|
|
Specify the JDBC URL. |
|
|
(Optional) The username part of the credentials to access the external database. Not required for use of the H2 database. |
|
|
(Optional) The password part of the credentials to access the external database. Not required for use of the H2 database. |
Reference Specific Credentials
Reference specific credentials in an existing secret, for example, signserver-credentials using envRaw:
signserver:
env:
DATABASE_JDBC_URL: <jdbc connection string>
envRaw:
- name: DATABASE_PASSWORD
valueFrom:
secretKeyRef:
name: signserver-credentials
key: database_password
- name: DATABASE_USER
valueFrom:
secretKeyRef:
name: signserver-credentials
key: database_user
Use Plain Text Values
This method is only recommended for testing purposes.
For testing, you can optionally use env and plain text values:
signserver:
env:
DATABASE_JDBC_URL: <jdbc connection string>
DATABASE_USER: signserver
DATABASE_PASSWORD: foo123
Database Connection Examples
The following examples show how to connect SignServer to common databases.
MariaDB/MySQL
The following example shows modifications to the helm chart values file used to connect to a MariaDB database or MySQL database with server name mariadb-server and database name signserverdb using username signserver and password foo123:
signserver:
useEphemeralH2Database: false
env:
DATABASE_JDBC_URL: "jdbc:mariadb://signserver-mariadb:3306/signserverdb?characterEncoding=utf8"
DATABASE_USER: signserver
DATABASE_PASSWORD: foo123
Use jdbc:mariadb even when connecting to a MySQL database. The JDBC driver supports both MariaDB and MySQL.
PostgreSQL
The following example connects SignServer to a PostgreSQL database and uses a Kubernetes secret for storing the database username and password:
signserver:
useEphemeralH2Database: false
env:
DATABASE_JDBC_URL: jdbc:postgresql://postgresql-server:5432/signserverdb
envRaw:
- name: DATABASE_PASSWORD
valueFrom:
secretKeyRef:
name: signserver-db-credentials
key: database_password
- name: DATABASE_USER
valueFrom:
secretKeyRef:
name: signserver-db-credentials
key: database_user
Microsoft SQL Server or Azure SQL
The following example connects SignServer to a Microsoft SQL Server database:
signserver:
env:
DATABASE_JDBC_URL: jdbc:sqlserver://mssql-server:1433;DatabaseName=signserver;encrypt=true;trustServerCertificate=false;hostNameInCertificate=*.database.windows.net;loginTimeout=30;sendStringParametersAsUnicode=false
envFrom:
- secretRef:
name: signserver-db-credentials
Oracle
The following example connects SignServer to an Oracle database using a secret that contains DATABASE_USER and DATABASE_PASSWORD keys:
signserver:
env:
DATABASE_JDBC_URL: jdbc:oracle:thin:@//oracle-server:1521/signserver
envFrom:
- secretRef:
name: signserver-db-credentials