Chapter 4. Configure an alternative database for Trusted Artifact Signer


You can replace the Red Hat Trusted Artifact Signer (RHTAS) default database for Trillian with an externally managed MariaDB database instance. The database instance can be a cloud-hosted database provider, such as Amazon’s Relational Database Service (RDS), or your own database deployment in OpenShift.

4.1. Prerequisites

  • Red Hat OpenShift Container Platform version 4.13, 4.14, or 4.15.

4.2. Configuring Amazon RDS for Trusted Artifact Signer

With this procedure, you can replace Red Hat’s Trusted Artifact Signer (RHTAS) default database for Trillian with a MariaDB instance managed by Amazon’s Relational Database Service (RDS).

Important

Red Hat recommends using a highly available MariaDB database for production workloads.

Prerequisites

  • An Amazon Web Service (AWS) account with access to the Amazon RDS console.
  • Access to the OpenShift web console with the cluster-admin role.
  • A workstation with the oc, curl, and the mysql binaries installed.
  • Command-line access with privileges to create a database and populate the MariaDB instance.

Procedure

  1. Open the Amazon RDS console, and create a new MariaDB instance.

    1. Wait for the MariaDB instance to be deployed and available.
  2. From your workstation, log in to the new database by providing the regional endpoint, the port, and the user credentials:

    Syntax

    mysql -h REGIONAL_ENDPOINT -P 3306 -u USER_NAME -p

    Example

    $ mysql -h exampledb.1234.us-east-1.rds.amazonaws.com -P 3306 -u admin -p

  3. Create a new database named trillian:

    Example

    create database trillian;

  4. Switch to the newly created database:

    Example

    use trillian;

  5. Create a new database user named trillian, and set a PASSWORD for the newly created user:

    Syntax

    CREATE USER trillian@'%' IDENTIFIED BY 'PASSWORD';
    GRANT ALL PRIVILEGES ON trillian.* TO 'trillian'@'%';
    FLUSH PRIVILEGES;

  6. Disconnect from the database:

    Example

    EXIT

  7. Download the database configuration file:

    Example

    $ curl -o dbconfig.sql https://raw.githubusercontent.com/securesign/trillian/main/storage/mysql/schema/storage.sql

  8. Apply the database configuration to the new database:

    Syntax

    mysql -h FQDN_or_SERVICE_ADDR -P 3306 -u USER_NAME -pPASSWORD -D DB_NAME < PATH_TO_CONFIG_FILE

    Example

    $ mysql -h rhtasdb.example.com -P 3306 -u trillian -pmypassword123 -D trillian < dbconfig.sql

    Note

    Do not put a space between -p and the password. With a space, mysql prompts for the password and treats the next word as the database name. Because a password given on the command line is visible in the shell history and in process listings, you can instead give -p alone and enter the password at the prompt.

  9. Open a terminal on your workstation, and log in to OpenShift:

    Syntax

    oc login --token=TOKEN --server=SERVER_URL_AND_PORT

    Example

    $ oc login --token=sha256~ZvFDBvoIYAbVECixS4-WmkN4RfnNd8Neh3y1WuiFPXC --server=https://example.com:6443

    Note

    You can find your login token and URL for use on the command line from the OpenShift web console. Log in to the OpenShift web console. Click your user name, and click Copy login command. Enter your user name and password again, if asked, and click Display Token to view the command.

  10. Create a new Secret containing the credentials for the Trillian database within the MariaDB instance that you created previously:

    Syntax

    oc create secret generic OBJECT_NAME \
    --from-literal=mysql-database=trillian \
    --from-literal=mysql-host=FQDN_or_SERVICE_ADDR \
    --from-literal=mysql-password=PASSWORD \
    --from-literal=mysql-port=3306 \
    --from-literal=mysql-root-password=PASSWORD \
    --from-literal=mysql-user=USER_NAME

    Example

    $ oc create secret generic trillian-mysql \
    --from-literal=mysql-database=trillian \
    --from-literal=mysql-host=mariadb.trusted-artifact-signer.svc.cluster.local \
    --from-literal=mysql-password=mypassword123 \
    --from-literal=mysql-port=3306 \
    --from-literal=mysql-root-password=myrootpassword123 \
    --from-literal=mysql-user=trillian

    You can use an OpenShift internal service name for the MariaDB instance.

  11. You can now deploy the Trusted Artifact Signer service to use this database. If you were following the Trusted Artifact Signer installation procedure, then you can proceed to the next step.
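The database-side steps above (log in, create the trillian database and user, download storage.sql, apply it) as one non-interactive, re-runnable script. This is an added example and is not part of the Red Hat documentation or the Trillian project. It assumes the mysql and curl binaries, an administrator account that may create databases and users, the schema URL from step 7, and that the upstream storage.sql defines the tables Trees, TreeControl, Subtree, TreeHead, LeafData, SequencedLeafData and Unsequenced (an assumption used only by the verification step). It goes beyond the procedure in two ways: credentials are read from a mysql option file rather than the command line, and the values are checked so they cannot break out of the quoting in the generated SQL. The same schema download and apply steps recur in section 4.3 (steps 10 and 11), which this script also covers.

```shell
#!/bin/sh
# Added example (not Red Hat or Trillian project code): provision the Trillian
# database and apply the upstream schema without an interactive mysql session.
set -eu

# Schema URL taken from step 7 of the procedure.
SCHEMA_URL="https://raw.githubusercontent.com/securesign/trillian/main/storage/mysql/schema/storage.sql"

# Table names assumed to be created by the upstream storage.sql (assumption).
EXPECTED_TABLES="Trees TreeControl Subtree TreeHead LeafData SequencedLeafData Unsequenced"

# Render a mysql option file so the password never appears in argv, shell
# history or `ps` output. [client]/host/port/user/password are standard keys.
render_client_cnf() {  # host port user password
    printf '[client]\nhost=%s\nport=%s\nuser=%s\npassword=%s\n' "$1" "$2" "$3" "$4"
}

# Reject values containing quotes, backticks, backslashes, semicolons or
# whitespace: they would break out of the quoting in the SQL rendered below.
is_safe_value() {  # value
    [ -n "$1" ] && ! printf '%s' "$1" | grep -q "[\`'\"\\\\;[:space:]]"
}

# Render the SQL of steps 3 to 5. IF NOT EXISTS makes a second run harmless.
render_provision_sql() {  # dbname user password
    cat <<EOF
CREATE DATABASE IF NOT EXISTS \`$1\`;
CREATE USER IF NOT EXISTS '$2'@'%' IDENTIFIED BY '$3';
GRANT ALL PRIVILEGES ON \`$1\`.* TO '$2'@'%';
FLUSH PRIVILEGES;
EOF
}

# Step 7: download the schema. -f makes curl fail on an HTTP error instead of
# saving an error page that mysql would then try to execute.
fetch_schema() {  # dest_file
    curl -fsSL -o "$1" "$SCHEMA_URL"
}

# Step 8: apply the schema as the trillian user. --defaults-extra-file must be
# the first option on the mysql command line.
apply_schema() {  # cnf_file dbname schema_file
    mysql --defaults-extra-file="$1" -D "$2" < "$3"
}

# Check that every expected table exists; -N -B give one bare name per line.
verify_schema() {  # cnf_file dbname
    tables=$(mysql --defaults-extra-file="$1" -N -B -D "$2" -e 'SHOW TABLES;')
    for t in $EXPECTED_TABLES; do
        printf '%s\n' "$tables" | grep -qx "$t" || { echo "missing table: $t" >&2; return 1; }
    done
}

main() {  # host port admin_user admin_password trillian_password
    for v in "$1" "$3" "$4" "$5"; do
        is_safe_value "$v" || { echo "refusing value with quoting or whitespace characters" >&2; exit 2; }
    done
    workdir=$(mktemp -d)
    trap 'rm -rf "$workdir"' EXIT
    umask 077   # option files hold passwords: owner-readable only
    render_client_cnf "$1" "$2" "$3" "$4" > "$workdir/admin.cnf"
    render_provision_sql trillian trillian "$5" | mysql --defaults-extra-file="$workdir/admin.cnf"
    render_client_cnf "$1" "$2" trillian "$5" > "$workdir/trillian.cnf"
    fetch_schema "$workdir/storage.sql"
    apply_schema "$workdir/trillian.cnf" trillian "$workdir/storage.sql"
    verify_schema "$workdir/trillian.cnf" trillian
    echo "trillian database provisioned and schema verified"
}

# Runs only when explicitly requested, for example (constructed values):
#   TRILLIAN_DB_RUN=1 sh provision-trillian-db.sh \
#       exampledb.1234.us-east-1.rds.amazonaws.com 3306 admin ADMIN_PASSWORD TRILLIAN_PASSWORD
if [ "${TRILLIAN_DB_RUN:-0}" = "1" ]; then
    main "$@"
fi
```

The admin credentials are used only for the CREATE DATABASE, CREATE USER and GRANT statements; the schema itself is applied as the trillian user, which also confirms that the grant on trillian.* is sufficient before the Secret is created in step 10.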

4.3. Configuring a database in OpenShift for Trusted Artifact Signer

With this procedure, you can replace Red Hat’s Trusted Artifact Signer (RHTAS) default database for Trillian with a MariaDB instance that you deploy in OpenShift from the samples catalog.

Important

Red Hat recommends using a highly available MariaDB database for production workloads.

Prerequisites

  • Permissions to create an OpenShift project, and deploy a database instance from the OpenShift samples catalog.
  • Access to the OpenShift web console with the cluster-admin role.
  • A workstation with the oc, curl, and the mysql binaries installed.
  • Command-line access with privileges to create a database and populate the MariaDB instance.

Procedure

  1. Log in to the OpenShift web console where you are deploying the RHTAS service.
  2. Change to the Developer perspective.
  3. Select the trusted-artifact-signer project if it already exists; otherwise, create a new project for the database:

    1. To create a new project, click the drop-down project menu, and click the Create Project button.
    2. Name the new project trusted-artifact-signer, and click the Create button.
  4. On the Developer Catalog card, click Database.
  5. Select MariaDB, and click the Instantiate Template button.

    Important

    Do not select MariaDB (Ephemeral).

  6. On the Instantiate Template page, configure the following fields:

    1. In the MariaDB Database Name field, enter trillian.
    2. In the Volume Capacity field, enter 5Gi.
    3. Click the Create button.
  7. Begin a remote shell session:

    1. On the Topology page, select the MariaDB deployment to open the side panel, and click the Resources tab.
    2. Under the Pods section, click on the MariaDB pod name.
    3. Click the Terminal tab to start a remote shell session to the MariaDB pod.
  8. In the remote shell session, verify that you can connect to the Trillian database:

    Example

    $ mysql -u $MYSQL_USER -p$MYSQL_PASSWORD -D$MYSQL_DATABASE

    Note

    Credentials are stored in a Secret object named after the service (mariadb), which contains the name of the database and the user name, along with the database root password. Make a note of these credentials; you use them later when creating the database Secret object.

  9. Disconnect from the database:

    Example

    EXIT

  10. Download the database configuration file:

    Example

    $ curl -o dbconfig.sql https://raw.githubusercontent.com/securesign/trillian/main/storage/mysql/schema/storage.sql

  11. Apply the database configuration to the new database:

    Syntax

    mysql -h FQDN_or_SERVICE_ADDR -P 3306 -u USER_NAME -pPASSWORD -D DB_NAME < PATH_TO_CONFIG_FILE

    Example

    $ mysql -h rhtasdb.example.com -P 3306 -u trillian -pmypassword123 -D trillian < dbconfig.sql

    Note

    Do not put a space between -p and the password. With a space, mysql prompts for the password and treats the next word as the database name. Because a password given on the command line is visible in the shell history and in process listings, you can instead give -p alone and enter the password at the prompt.

  12. Open a terminal on your workstation, and log in to OpenShift:

    Syntax

    oc login --token=TOKEN --server=SERVER_URL_AND_PORT

    Example

    $ oc login --token=sha256~ZvFDBvoIYAbVECixS4-WmkN4RfnNd8Neh3y1WuiFPXC --server=https://example.com:6443

    Note

    You can find your login token and URL for use on the command line from the OpenShift web console. Log in to the OpenShift web console. Click your user name, and click Copy login command. Enter your user name and password again, if asked, and click Display Token to view the command.

  13. Create a new Secret containing the credentials for the Trillian database within the MariaDB instance that you created previously:

    Syntax

    oc create secret generic OBJECT_NAME \
    --from-literal=mysql-database=trillian \
    --from-literal=mysql-host=FQDN_or_SERVICE_ADDR \
    --from-literal=mysql-password=PASSWORD \
    --from-literal=mysql-port=3306 \
    --from-literal=mysql-root-password=PASSWORD \
    --from-literal=mysql-user=USER_NAME

    Example

    $ oc create secret generic trillian-mysql \
    --from-literal=mysql-database=trillian \
    --from-literal=mysql-host=mariadb.trusted-artifact-signer.svc.cluster.local \
    --from-literal=mysql-password=mypassword123 \
    --from-literal=mysql-port=3306 \
    --from-literal=mysql-root-password=myrootpassword123 \
    --from-literal=mysql-user=trillian

    You can use an OpenShift internal service name for the MariaDB instance.

  14. You can now deploy the Trusted Artifact Signer service to use this database. If you were following the Trusted Artifact Signer installation procedure, then you can proceed to the next step.
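The Secret creation step (step 10 of section 4.2 and step 13 of section 4.3) as a script that keeps the passwords out of the command line and then checks that the created Secret carries exactly the six keys the oc command defines. This is an added example and is not part of the Red Hat documentation or the RHTAS operator. It assumes oc is already logged in, the target namespace exists, the oc flags --from-file and -o go-template behave as in kubectl, and the host, port and user values shown in the usage comment are constructed placeholders.

```shell
#!/bin/sh
# Added example (not Red Hat code): create the Trillian database Secret from
# files instead of --from-literal, then verify its keys.
set -eu

# The six keys from the procedure's oc create secret command.
SECRET_KEYS="mysql-database mysql-host mysql-password mysql-port mysql-root-password mysql-user"

# Input checks before anything is written: numeric port in range, and no empty
# or whitespace-containing host, user or database names.
validate_db_inputs() {  # host port user database
    case "$2" in ''|*[!0-9]*) echo "port must be numeric: $2" >&2; return 1 ;; esac
    [ "$2" -ge 1 ] && [ "$2" -le 65535 ] || { echo "port out of range: $2" >&2; return 1; }
    for v in "$1" "$3" "$4"; do
        case "$v" in ''|*[[:space:]]*) echo "empty or whitespace value: '$v'" >&2; return 1 ;; esac
    done
}

# Write one owner-readable file per key under DIR. Passing them with
# --from-file keeps the passwords out of argv and the shell history.
write_secret_files() {  # dir host port user password root_password [database]
    dir=$1
    umask 077
    printf '%s' "${7:-trillian}" > "$dir/mysql-database"
    printf '%s' "$2" > "$dir/mysql-host"
    printf '%s' "$3" > "$dir/mysql-port"
    printf '%s' "$4" > "$dir/mysql-user"
    printf '%s' "$5" > "$dir/mysql-password"
    printf '%s' "$6" > "$dir/mysql-root-password"
}

# One --from-file=KEY=DIR/KEY argument per line, in SECRET_KEYS order.
secret_file_args() {  # dir
    for k in $SECRET_KEYS; do
        printf '%s=%s=%s/%s\n' --from-file "$k" "$1" "$k"
    done
}

# Compare a space-separated list of keys found on the live Secret with
# SECRET_KEYS; order does not matter. Returns 1 on any missing or extra key.
check_secret_keys() {  # keys_found
    found=$(printf '%s\n' $1 | sort)
    expected=$(printf '%s\n' $SECRET_KEYS | sort)
    [ "$found" = "$expected" ]
}

create_and_verify() {  # name namespace host port user password root_password
    validate_db_inputs "$3" "$4" "$5" trillian
    dir=$(mktemp -d)
    trap 'rm -rf "$dir"' EXIT
    write_secret_files "$dir" "$3" "$4" "$5" "$6" "$7"
    # Word splitting of the generated arguments is intended; mktemp paths contain no spaces.
    oc -n "$2" create secret generic "$1" $(secret_file_args "$dir")
    # go-template prints the key names of .data separated by spaces.
    check_secret_keys "$(oc -n "$2" get secret "$1" -o go-template='{{range $k, $v := .data}}{{$k}} {{end}}')" \
        || { echo "Secret $1 does not carry the expected keys" >&2; return 1; }
    echo "Secret $1 created in $2 with the expected keys"
}

# Passwords come from the environment rather than the command line. Example
# invocation with constructed values:
#   TRILLIAN_SECRET_RUN=1 MYSQL_PASSWORD=... MYSQL_ROOT_PASSWORD=... sh create-trillian-secret.sh \
#       trillian-mysql trusted-artifact-signer mariadb.trusted-artifact-signer.svc.cluster.local 3306 trillian
if [ "${TRILLIAN_SECRET_RUN:-0}" = "1" ]; then
    create_and_verify "$1" "$2" "$3" "$4" "$5" "$MYSQL_PASSWORD" "$MYSQL_ROOT_PASSWORD"
fi
```

The key check is worth keeping even when the Secret is created by hand: a misspelled --from-literal key such as mysql-passwd produces a Secret that is accepted by oc but does not supply Trillian with a password, and the failure only shows up later when the RHTAS service starts.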