Complimentary Gartner® Report! 'A CTO's Guide to Open-Source Software: Answering the Top 10 FAQs.'Read more

Postgres TLS

BindPlane OP supports TLS and mutual TLS when connecting to Postgres.

Prerequisites

This guide assumes you already have BindPlane OP and Postgres deployed and configured. Before following this guide, make sure you have performed the steps in the previous Postgres Store guide.

Lastly, the guide assumes you have already configured Postgres to use TLS or mutual TLS.

SSL Mode

Before configuring TLS, familiarize yourself with the following Postgres SSL mode options. BindPlane supports four SSL mode options.

ModeDescription
disableTLS is not used.
requireTLS is used, but does not verify the server certificate.
verify-caTLS is used and verifies the server certificate.
verify-fullSame as verify-ca, but with mutual TLS and a client TLS key pair is configured.

You can review the official descriptions here. Keep in mind that BindPlane supports a subset of the options found in the official Postgres documentation.

Linux

When operating BindPlane OP on Linux, you can enable TLS by editing the configuration file at /etc/bindplane/config.yaml.

Find the store section and modify the store.postgres sub section.

yaml
1store:
2  type: postgres
3  maxEvents: 100
4  postgres:
5    host: bindplane-postgres
6    port: "5432"
7    connectTimeout: 30s
8    database: bindplane
9    username: bindplane
10    password: your_password
11    maxConnections: 100
12    sslmode: disable

Modify store.postgres.sslmode to require or verify-ca. If using verify-ca, configure a certificate authority by setting store.postgres.sslRootCert to the path of a CA certificate file that can be used to verify the Postgres server's authenticity.

The resulting configuration file should look similar to this:

yaml
1store:
2  type: postgres
3  maxEvents: 100
4  postgres:
5    host: bindplane-postgres
6    port: "5432"
7    connectTimeout: 30s
8    database: bindplane
9    username: bindplane
10    password: your_password
11    maxConnections: 100
12+   sslmode: verify-ca
13+   sslRootCert: /etc/bindplane/tls/postgres-ca.crt

note

sslRootCert is not required when using verify-ca if the operating system's trust store includes your CA certificate.

Mutual TLS can be configured by setting sslmode to verify-full and including the sslCert and sslKey options.

yaml
1store:
2  type: postgres
3  maxEvents: 100
4  postgres:
5    host: bindplane-postgres
6    port: "5432"
7    connectTimeout: 30s
8    database: bindplane
9    username: bindplane
10    password: your_password
11    maxConnections: 100
12+   sslmode: verify-full
13+   sslRootCert: /etc/bindplane/tls/postgres-ca.crt
14+   sslCert: /etc/bindplane/tls/client.crt
15+   sslKey: /etc/bindplane/tls/client.key

When copying certificates to the BindPlane server, set the filesystem ownership and permissions.

bash
1sudo chown -R bindplane:bindplane /etc/bindplane/tls
2sudo chmod 0400 /etc/bindplane/tls/*

After you have re-configured BindPlane and deployed the TLS files, restart the service.

bash
1sudo systemctl restart bindplane

Watch the BindPlane log file for issues.

bash
1sudo tail -F /var/log/bindplane/bindplane.log

If the service appears stopped, and the log file is not useful, check the journal output of the service.

bash
1sudo journalctl -f --unit bindplane

If no errors are encountered, BindPlane is correctly configured to use TLS when connecting to Postgres.

Kubernetes

The BindPlane OP Helm Chart supports configuring BindPlane to use TLS by leveraging Kubernetes secrets.

Assuming you have the following files:

  • ca.crt: The CA certificate
  • client.crt: The mutual TLS client certificate (optional)
  • client.key: The mutual TLS client private key (optional)

Create a Kubernetes secret. Omit the client keypair if you do not intend to use mutual TLS.

bash
1kubectl create secret generic postgres-tls \
2  --from-file ca.crt \
3  --from-file client.crt \
4  --from-file client.key

Update your values configuration to include the sslmode and sslsecret options. Use sslmode verify-ca and omit the client keypair if you are not using mutual tls.

yaml
1backend:
2  type: postgres
3  postgres:
4    host: postgres.postgres.svc.cluster.local
5    database: bindplane
6    username: postgres
7    password: password
8    maxConnections: 20
9+   sslmode: verify-full # Use verify-ca if not using mutual TLS
10+   sslsecret:
11+     name: postgres-tls
12+     sslrootcertSubPath: ca.crt
13+     sslcertSubPath: client.crt # Optional, for mutual TLS
14+     sslkeySubPath: client.key  # Optional, for mutaul TLS

Upgrade your Helm deployment to apply the changes. The BindPlane pods should restart without startup errors. If the new BindPlane pod(s) enter a crashloop, check their logs to investigate the error. If the pods come up successfully, TLS is configured and working.