이 콘텐츠는 선택한 언어로 제공되지 않습니다.

Chapter 4. Configure an alternative database for Trusted Artifact Signer


You can replace the Red Hat Trusted Artifact Signer (RHTAS) default database for Trillian with an externally managed MariaDB database instance. The database instance can be a cloud-hosted database provider, such as Amazon’s Relational Database Service (RDS), or your own database deployment in OpenShift.

4.1. Prerequisites

  • Red Hat OpenShift Container Platform version 4.13, 4.14, or 4.15.

4.2. Configuring Amazon RDS for Trusted Artifact Signer

With this procedure, you can replace Red Hat’s Trusted Artifact Signer (RHTAS) default database for Trillian with a MariaDB instance managed by Amazon’s Relational Database Service (RDS).

Important

Red Hat recommends using a highly available MariaDB database for production workloads.

Prerequisites

  • An Amazon Web Service (AWS) account with access to the Amazon RDS console.
  • Access to the OpenShift web console with the cluster-admin role.
  • A workstation with the oc, curl, and the mysql binaries installed.
  • Command-line access with privileges to create a database and populate the MariaDB instance.

Procedure

  1. Open the Amazon RDS console, and create a new MariaDB instance.

    1. Wait for the MariaDB instance to be deployed, and is available.
  2. From your workstation, log in to the new database by providing the regional endpoint, the port, and the user credentials:

    Syntax

    mysql -h REGIONAL_ENDPOINT -P 3306 -u USER_NAME -p

    Example

    $ mysql -h exampledb.1234.us-east-1.rds.amazonaws.com -P 3306 -u admin -p

  3. Create a new database named trillian:

    Example

    create database trillian;

  4. Switch to the newly created database:

    Example

    use trillian;

  5. Create a new database user named trillian, and set a PASSWORD for the newly created user:

    Syntax

    CREATE USER trillian@'%' IDENTIFIED BY 'PASSWORD';
    GRANT ALL PRIVILEGES ON trillian.* TO 'trillian'@'%';
    FLUSH PRIVILEGES;

  6. Disconnect from the database:

    Example

    EXIT

  7. Download the database configuration file:

    Example

    $ curl -o dbconfig.sql https://raw.githubusercontent.com/securesign/trillian/main/storage/mysql/schema/storage.sql

  8. Apply the database configuration to the new database:

    Syntax

    mysql -h FQDN_or_SERVICE_ADDR -P 3306 -u USER_NAME -p PASSWORD -D DB_NAME < PATH_TO_CONFIG_FILE

    Example

    $ mysql -h rhtasdb.example.com -P 3306 -u trillian -p mypassword123 -D trillian < dbconfig.sql

  9. Open a terminal on your workstation, and log in to OpenShift:

    Syntax

    oc login --token=TOKEN --server=SERVER_URL_AND_PORT

    Example

    $ oc login --token=sha256~ZvFDBvoIYAbVECixS4-WmkN4RfnNd8Neh3y1WuiFPXC --server=https://example.com:6443

    Note

    You can find your login token and URL for use on the command line from the OpenShift web console. Log in to the OpenShift web console. Click your user name, and click Copy login command. Offer your user name and password again, if asked, and click Display Token to view the command.

  10. Create a new Secret containing the credentials for the Trillian database within the MariaDB instance which was created previously:

    Syntax

    oc create secret generic OBJECT_NAME \
    --from-literal=mysql-database=trillian \
    --from-literal=mysql-host=FQDN_or_SERVICE_ADDR \
    --from-literal=mysql-password=PASSWORD \
    --from-literal=mysql-port=3306 \
    --from-literal=mysql-root-password=PASSWORD \
    --from-literal=mysql-user=USER_NAME

    Example

    $ oc create secret generic trillian-mysql \
    --from-literal=mysql-database=trillian \
    --from-literal=mysql-host=mariadb.trusted-artifact-signer.svc.cluster.local \
    --from-literal=mysql-password=mypassword123 \
    --from-literal=mysql-port=3306 \
    --from-literal=mysql-root-password=myrootpassword123 \
    --from-literal=mysql-user=trillian

    You can use an OpenShift internal service name for the MariaDB instance.

  11. You can now deploy the Trusted Artifact Signer service to use this database. If you were following the Trusted Artifact Signer installation procedure, then you can proceed to the next step.

4.3. Configuring a database in OpenShift for Trusted Artifact Signer

With this procedure, you can replace Red Hat’s Trusted Artifact Signer (RHTAS) default database for Trillian with a MariaDB instance managed by Amazon’s Relational Database Service (RDS).

Important

Red Hat recommends using a highly available MariaDB database for production workloads.

Prerequisites

  • Permissions to create an OpenShift project, and deploy a database instance from the OpenShift samples catalog.
  • Access to the OpenShift web console with the cluster-admin role.
  • A workstation with the oc, curl, and the mysql binaries installed.
  • Command-line access with privileges to create a database and populate the MariaDB instance.

Procedure

  1. Log in to the OpenShift web console where you are deploying the RHTAS service:
  2. Change to the Developer perspective.
  3. Select the trusted-artifact-signer project, if the project already exists, else create a new project for the database:

    1. To create a new project, click the drop-down project menu, and click the Create Project button.
    2. Name the new project trusted-artifact-signer, and click the Create button.
  4. On the Developer Catalog card, click Database.
  5. Select MariaDB, and click the Instantiate Template button.

    Important

    Do not select MariaDB (Ephemeral).

  6. On the Instantiate Template page, configure the following fields:

    1. In the MariaDB Database Name field, enter trillian.
    2. In the Volume Capacity field, enter 5Gi.
    3. Click the Create button.
  7. Begin a remote shell session:

    1. On the Topology page, selecting the MariaDB pod brings up a side panel, click the Resources tab.
    2. Under the Pods section, click on the MariaDB pod name.
    3. Click the Terminal tab to start a remote shell session to the MariaDB pod.
  8. In the remote shell session, verify that you can connect to the Trillian database:

    Example

    $ mysql -u $MYSQL_USER -p$MYSQL_PASSWORD -D$MYSQL_DATABASE

    Note

    Credentials are stored in a secret object with the service name (mariadb), and contains the name of the database, and user name, along with the database root password. Make a note of these credentials as they will be used later on when creating the database secret object.

  9. Disconnect from the database:

    Example

    EXIT

  10. Download the database configuration file:

    Example

    $ curl -o dbconfig.sql https://raw.githubusercontent.com/securesign/trillian/main/storage/mysql/schema/storage.sql

  11. Apply the database configuration to the new database:

    Syntax

    mysql -h FQDN_or_SERVICE_ADDR -P 3306 -u USER_NAME -p PASSWORD -D DB_NAME < PATH_TO_CONFIG_FILE

    Example

    $ mysql -h rhtasdb.example.com -P 3306 -u trillian -p mypassword123 -D trillian < dbconfig.sql

  12. Open a terminal on your workstation, and log in to OpenShift:

    Syntax

    oc login --token=TOKEN --server=SERVER_URL_AND_PORT

    Example

    $ oc login --token=sha256~ZvFDBvoIYAbVECixS4-WmkN4RfnNd8Neh3y1WuiFPXC --server=https://example.com:6443

    Note

    You can find your login token and URL for use on the command line from the OpenShift web console. Log in to the OpenShift web console. Click your user name, and click Copy login command. Offer your user name and password again, if asked, and click Display Token to view the command.

  13. Create a new Secret containing the credentials for the Trillian database within the MariaDB instance which was created previously:

    Syntax

    oc create secret generic OBJECT_NAME \
    --from-literal=mysql-database=trillian \
    --from-literal=mysql-host=FQDN_or_SERVICE_ADDR \
    --from-literal=mysql-password=PASSWORD \
    --from-literal=mysql-port=3306 \
    --from-literal=mysql-root-password=PASSWORD \
    --from-literal=mysql-user=USER_NAME

    Example

    $ oc create secret generic trillian-mysql \
    --from-literal=mysql-database=trillian \
    --from-literal=mysql-host=mariadb.trusted-artifact-signer.svc.cluster.local \
    --from-literal=mysql-password=mypassword123 \
    --from-literal=mysql-port=3306 \
    --from-literal=mysql-root-password=myrootpassword123 \
    --from-literal=mysql-user=trillian

    You can use an OpenShift internal service name for the MariaDB instance.

  14. You can now deploy the Trusted Artifact Signer service to use this database. If you were following the Trusted Artifact Signer installation procedure, then you can proceed to the next step.
Red Hat logoGithubRedditYoutubeTwitter

자세한 정보

평가판, 구매 및 판매

커뮤니티

Red Hat 문서 정보

Red Hat을 사용하는 고객은 신뢰할 수 있는 콘텐츠가 포함된 제품과 서비스를 통해 혁신하고 목표를 달성할 수 있습니다.

보다 포괄적 수용을 위한 오픈 소스 용어 교체

Red Hat은 코드, 문서, 웹 속성에서 문제가 있는 언어를 교체하기 위해 최선을 다하고 있습니다. 자세한 내용은 다음을 참조하세요.Red Hat 블로그.

Red Hat 소개

Red Hat은 기업이 핵심 데이터 센터에서 네트워크 에지에 이르기까지 플랫폼과 환경 전반에서 더 쉽게 작업할 수 있도록 강화된 솔루션을 제공합니다.

© 2024 Red Hat, Inc.