PricingSign inRequest a Demo

Postgres TLS

Bindplane supports TLS and mutual TLS when connecting to Postgres.

Prerequisites

This guide assumes you already have Bindplane and Postgres deployed and configured. Before following this guide, make sure you have performed the steps in the previous Postgres Store guide.

Lastly, the guide assumes you have already configured Postgres to use TLS or mutual TLS.

SSL Mode

Before configuring TLS, familiarize yourself with the following Postgres SSL mode options. Bindplane supports four SSL mode options.

Mode
Description

disable

TLS is not used.

require

TLS is used, but does not verify the server certificate.

verify-ca

TLS is used and verifies the server certificate.

verify-full

Same as verify-ca, but with mutual TLS and a client TLS key pair is configured.

You can review the official descriptions here. Keep in mind that Bindplane supports a subset of the options found in the official Postgres documentation.

Linux

When operating Bindplane on Linux, you can enable TLS by editing the configuration file at /etc/bindplane/config.yaml.

Find the store section and modify the store.postgres sub section.

store:
  type: postgres
  maxEvents: 100
  postgres:
    host: bindplane-postgres
    port: "5432"
    connectTimeout: 30s
    database: bindplane
    username: bindplane
    password: your_password
    maxConnections: 100
    sslmode: disable

Modify store.postgres.sslmode to require or verify-ca. If using verify-ca, configure a certificate authority by setting store.postgres.sslRootCert to the path of a CA certificate file that can be used to verify the Postgres server's authenticity.

The resulting configuration file should look similar to this:

NOTE

sslRootCert is not required when using verify-ca if the operating system's trust store includes your CA certificate.

Mutual TLS can be configured by setting sslmode to verify-full and including the sslCert and sslKey options.

When copying certificates to the Bindplane server, set the filesystem ownership and permissions.

After you have re-configured Bindplane and deployed the TLS files, restart the service.

Watch the Bindplane log file for issues.

If the service appears stopped, and the log file is not useful, check the journal output of the service.

If no errors are encountered, Bindplane is correctly configured to use TLS when connecting to Postgres.

Kubernetes

The Bindplane Helm Chart supports configuring Bindplane to use TLS by leveraging Kubernetes secrets.

Assuming you have the following files:

  • ca.crt: The CA certificate

  • client.crt: The mutual TLS client certificate (optional)

  • client.key: The mutual TLS client private key (optional)

Create a Kubernetes secret. Omit the client keypair if you do not intend to use mutual TLS.

Update your values configuration to include the sslmode and sslsecret options. Use sslmode verify-ca and omit the client keypair if you are not using mutual tls.

Upgrade your Helm deployment to apply the changes. The Bindplane pods should restart without startup errors. If the new Bindplane pod(s) enter a crashloop, check their logs to investigate the error. If the pods come up successfully, TLS is configured and working.

PreviousPostgres StoreNextAzure LDAP

Last updated

Was this helpful?