Postgres TLS

Bindplane supports TLS and mutual TLS when connecting to Postgres.

Prerequisites

This guide assumes you already have Bindplane and Postgres deployed and configured. Before following this guide, make sure you have performed the steps in the previous Postgres Store guide.

Lastly, the guide assumes you have already configured Postgres to use TLS or mutual TLS.

SSL Mode

Before configuring TLS, familiarize yourself with the Postgres SSL modes. Bindplane supports four of them. The differences matter, because only the last two let Bindplane tell a genuine Postgres server from an impostor.

Mode          Description

disable       TLS is not used. Credentials, queries and results cross the network in the clear.

require       TLS is used, but the server certificate is not verified. This defeats passive eavesdropping only: an attacker who can redirect or intercept the connection can present any certificate and Bindplane will accept it.

verify-ca     TLS is used and the server certificate must chain to a trusted CA. The hostname in the certificate is not compared with the host Bindplane connects to, so any certificate issued by that CA, for any host, is accepted.

verify-full   Same as verify-ca, and the hostname Bindplane connects to must also match the server certificate. This guide uses verify-full together with a client TLS key pair (sslCert and sslKey) for mutual TLS.

You can review the official descriptions in the PostgreSQL libpq documentation (the sslmode connection parameter). Keep in mind that Bindplane supports a subset of the options found there. For production deployments, prefer verify-full; fall back to verify-ca only when the server certificate cannot carry the hostname Bindplane uses.
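To make the difference between the three TLS modes concrete, here is an added example in Go (Bindplane is a Go application); it is not Bindplane code and does not come from the Bindplane documentation. It assumes Bindplane's Postgres driver follows the usual libpq sslmode semantics, generates its own throwaway CA and server certificates, and runs a real TLS handshake over loopback for every combination of sslmode and server certificate. The hostname bindplane-postgres is the one from this page's configuration; example-ca, other.internal and the function names are made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue creates a certificate for host (CN and DNS SAN). With a nil parent it is a
// self-signed CA; otherwise it is a server certificate signed by parent.
func issue(host string, parent *tls.Certificate) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if parent == nil { // self-signed: the template signs itself
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		parent = &tls.Certificate{Leaf: tmpl, PrivateKey: key}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, &key.PublicKey, parent.PrivateKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// clientConfig maps an sslmode onto a tls.Config the way libpq-style clients do.
func clientConfig(sslmode, host string, roots *x509.CertPool) (*tls.Config, error) {
	switch sslmode {
	case "require": // encrypt, but trust whatever certificate the server sends
		return &tls.Config{InsecureSkipVerify: true}, nil
	case "verify-ca": // chain check against roots only; the hostname is never compared
		return &tls.Config{InsecureSkipVerify: true, VerifyPeerCertificate: func(raw [][]byte, _ [][]*x509.Certificate) error {
			cert, err := x509.ParseCertificate(raw[0])
			if err != nil {
				return err
			}
			_, err = cert.Verify(x509.VerifyOptions{Roots: roots})
			return err
		}}, nil
	case "verify-full": // chain check plus the hostname must match a SAN
		return &tls.Config{RootCAs: roots, ServerName: host}, nil
	}
	return nil, fmt.Errorf("unsupported sslmode %q", sslmode)
}

// handshake runs one TLS handshake over loopback; nil means the client accepted the server.
func handshake(srv tls.Certificate, cfg *tls.Config) error {
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	go func() {
		if c, err := ln.Accept(); err == nil {
			tls.Server(c, &tls.Config{Certificates: []tls.Certificate{srv}}).Handshake()
			c.Close()
		}
	}()
	c := must(net.Dial("tcp", ln.Addr().String()))
	defer c.Close()
	return tls.Client(c, cfg).Handshake()
}

// matrix: for three server certificates, does each sslmode accept them when the client expects bindplane-postgres?
func matrix() map[string]map[string]bool {
	ca := issue("example-ca", nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca.Leaf)
	servers := map[string]tls.Certificate{
		"genuine":    issue("bindplane-postgres", &ca), // trusted CA, expected name
		"wrong-host": issue("other.internal", &ca),     // trusted CA, some other host's cert
		"rogue":      issue("bindplane-postgres", nil), // expected name, attacker's own CA
	}
	out := map[string]map[string]bool{}
	for name, srv := range servers {
		out[name] = map[string]bool{}
		for _, mode := range []string{"require", "verify-ca", "verify-full"} {
			out[name][mode] = handshake(srv, must(clientConfig(mode, "bindplane-postgres", roots))) == nil
		}
	}
	return out
}

func main() {
	fmt.Println(matrix())
}
```

Running it shows the gap each mode leaves: require accepts all three servers, including the rogue one; verify-ca rejects the rogue CA but still accepts a certificate the trusted CA issued for a different host; only verify-full rejects both. The wrong-host case is the one to keep in mind when a shared internal CA issues certificates for many services.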

Linux

When operating Bindplane on Linux, you can enable TLS by editing the configuration file at /etc/bindplane/config.yaml.

Find the store section and modify the store.postgres subsection.

store:
  type: postgres
  maxEvents: 100
  postgres:
    host: bindplane-postgres
    port: "5432"
    connectTimeout: 30s
    database: bindplane
    username: bindplane
    password: your_password
    maxConnections: 100
    sslmode: disable

Change store.postgres.sslmode to require or verify-ca. require encrypts the connection but does not check the identity of the server it reaches, so treat it as a stepping stone only; verify-ca (or verify-full, below) is the setting to run with. If using verify-ca, set store.postgres.sslRootCert to the path of a PEM-encoded CA certificate file that Bindplane can use to verify the Postgres server's certificate chain.

The resulting configuration file should look similar to this:

store:
  type: postgres
  maxEvents: 100
  postgres:
    host: bindplane-postgres
    port: "5432"
    connectTimeout: 30s
    database: bindplane
    username: bindplane
    password: your_password
    maxConnections: 100
+   sslmode: verify-ca
+   sslRootCert: /etc/bindplane/tls/postgres-ca.crt

NOTE

sslRootCert is not required when using verify-ca if the operating system's trust store includes your CA certificate.

Mutual TLS can be configured by setting sslmode to verify-full and including the sslCert and sslKey options: sslCert is the PEM client certificate Bindplane presents to Postgres and sslKey is its private key. The Postgres side (trusting the CA that issued the client certificate via ssl_ca_file, and a pg_hba.conf rule that demands a client certificate for the Bindplane role) is assumed to be in place per the prerequisites above.

store:
  type: postgres
  maxEvents: 100
  postgres:
    host: bindplane-postgres
    port: "5432"
    connectTimeout: 30s
    database: bindplane
    username: bindplane
    password: your_password
    maxConnections: 100
+   sslmode: verify-full
+   sslRootCert: /etc/bindplane/tls/postgres-ca.crt
+   sslCert: /etc/bindplane/tls/client.crt
+   sslKey: /etc/bindplane/tls/client.key

After copying the certificates to the Bindplane server, restrict ownership and permissions so that only the bindplane service user can read them; the client private key in particular must not be readable by other users.

sudo chown -R bindplane:bindplane /etc/bindplane/tls
sudo chmod 0400 /etc/bindplane/tls/*

After you have re-configured Bindplane and deployed the TLS files, restart the service.

sudo systemctl restart bindplane

Watch the Bindplane log file for issues.

sudo tail -F /var/log/bindplane/bindplane.log

If the service fails to start and the log file does not show why, check the journal output of the service.

sudo journalctl -f --unit bindplane

If no errors are encountered, Bindplane is correctly configured to use TLS when connecting to Postgres.
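Before restarting, it helps to validate the deployed files and the Postgres server from the Bindplane host itself. The following is an added example in Go, not part of Bindplane or its documentation. It uses the paths and host from the configuration above, checks that client.key is not group- or world-readable, loads the CA file and the client key pair (tls.LoadX509KeyPair also proves that the key belongs to the certificate), and then performs the Postgres SSLRequest exchange followed by a verify-full TLS handshake against the server. The 5-second timeout and the function names are choices made for the example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/binary"
	"fmt"
	"io"
	"net"
	"os"
	"time"
)

// Paths and host from the Linux configuration on this page.
const (
	caFile   = "/etc/bindplane/tls/postgres-ca.crt"
	certFile = "/etc/bindplane/tls/client.crt"
	keyFile  = "/etc/bindplane/tls/client.key"
	pgHost   = "bindplane-postgres"
)

// checkKeyPerms fails when the private key is readable by group or others (chmod 0400 skipped).
func checkKeyPerms(path string) error {
	st, err := os.Stat(path)
	if err != nil {
		return err
	}
	if perm := st.Mode().Perm(); perm&0o077 != 0 {
		return fmt.Errorf("%s: mode %04o is readable by group/others, expected 0400", path, perm)
	}
	return nil
}

// loadConfig builds the verify-full + mutual TLS client config from the deployed files.
func loadConfig(ca, cert, key, serverName string) (*tls.Config, error) {
	pem, err := os.ReadFile(ca)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(pem) {
		return nil, fmt.Errorf("%s: no PEM certificates found", ca)
	}
	pair, err := tls.LoadX509KeyPair(cert, key) // fails if client.key does not match client.crt
	if err != nil {
		return nil, err
	}
	return &tls.Config{RootCAs: roots, Certificates: []tls.Certificate{pair}, ServerName: serverName}, nil
}

// sslRequest is the 8-byte Postgres SSLRequest message: length 8, then code 80877103, big-endian.
func sslRequest() []byte {
	b := make([]byte, 8)
	binary.BigEndian.PutUint32(b[0:4], 8)
	binary.BigEndian.PutUint32(b[4:8], 80877103)
	return b
}

// probe sends SSLRequest and expects 'S' (TLS follows) or 'N' (server has TLS off). On 'S' it
// runs the handshake with cfg, which checks the server's chain and hostname and offers the client cert.
func probe(addr string, cfg *tls.Config, timeout time.Duration) error {
	conn, err := net.DialTimeout("tcp", addr, timeout)
	if err != nil {
		return err
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(timeout))
	if _, err := conn.Write(sslRequest()); err != nil {
		return err
	}
	reply := make([]byte, 1)
	if _, err := io.ReadFull(conn, reply); err != nil {
		return err
	}
	if reply[0] != 'S' {
		return fmt.Errorf("%s does not accept TLS (reply %q): any sslmode other than disable will fail", addr, reply[0])
	}
	return tls.Client(conn, cfg).Handshake()
}

// preflight runs the checks in order and returns the first failure.
func preflight() error {
	if err := checkKeyPerms(keyFile); err != nil {
		return err
	}
	cfg, err := loadConfig(caFile, certFile, keyFile, pgHost)
	if err != nil {
		return err
	}
	return probe(pgHost+":5432", cfg, 5*time.Second)
}

func main() {
	if err := preflight(); err != nil {
		fmt.Println("preflight failed:", err)
		os.Exit(1)
	}
	fmt.Println("ok: key permissions, client key pair, CA file and server TLS handshake")
}
```

Build it with go build and run it as the bindplane user (for example with sudo -u bindplane) so that file permissions are tested as the service sees them. A successful handshake proves the server certificate chains to postgres-ca.crt and names bindplane-postgres. Whether Postgres accepts the client certificate is decided later, when it authenticates the Bindplane role against pg_hba.conf, so that part is still confirmed by watching the Bindplane log after the restart.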

Kubernetes

The Bindplane Helm Chart supports configuring Bindplane to use TLS by mounting the certificate files from a Kubernetes Secret.

Assuming you have the following files:

  • ca.crt: The CA certificate

  • client.crt: The mutual TLS client certificate (optional)

  • client.key: The mutual TLS client private key (optional)

Create a Kubernetes Secret in the namespace where Bindplane is deployed; a pod can only mount a Secret from its own namespace. Omit the two client files if you do not intend to use mutual TLS.

kubectl create secret generic postgres-tls \
  --from-file ca.crt \
  --from-file client.crt \
  --from-file client.key

Update your values configuration to include the sslmode and sslsecret options. Use sslmode verify-ca and omit the two client sub-paths if you are not using mutual TLS. The Secret name must match the one created above, and each sub-path must match a key in that Secret.

backend:
  type: postgres
  postgres:
    host: postgres.postgres.svc.cluster.local
    database: bindplane
    username: postgres
    password: password
    maxConnections: 20
+   sslmode: verify-full # Use verify-ca if not using mutual TLS
+   sslsecret:
+     name: postgres-tls
+     sslrootcertSubPath: ca.crt
+     sslcertSubPath: client.crt # Optional, for mutual TLS
+     sslkeySubPath: client.key # Optional, for mutual TLS

Upgrade your Helm deployment to apply the changes. The Bindplane pods should restart without startup errors. If the new Bindplane pod(s) enter a crash loop, check their logs for the error; a Secret key name that does not match the sub-path in the values, or a server certificate that fails verification against ca.crt, are typical causes. If the pods come up successfully, TLS is configured and working.
