⚙️ Configure an external database

This guide does not yet cover mTLS connections to your database. Mutual TLS is nonetheless recommended over plain-text connections, so do not treat the unencrypted examples below as the end state.

We'll complete this guide as soon as mTLS connections are fully tested.

If your database is hosted elsewhere, you can configure the Toucan Helm Stack to connect to it. Some database migrations must then be executed manually (see step 3).

1. Disable the embedded database

Set these parameters in your values file:

yaml: values.override.yaml
```yaml
postgresql:
  enabled: false
```
2. Create the users and databases

Connect to your PostgreSQL server with an administrative role and run the following statements:

sql: Database client
```sql
-- Replace <password> with a strong generated value; it goes into the
-- Kubernetes Secret in step 4 and never into the values file.
CREATE USER toucan WITH PASSWORD '<password>';

-- Curity (Authentication Service)
CREATE DATABASE curity;
GRANT ALL PRIVILEGES ON DATABASE curity TO toucan;

-- Dataset
CREATE DATABASE dataset;
GRANT ALL PRIVILEGES ON DATABASE dataset TO toucan;
-- (optional) Create a schema for the dataset. CREATE SCHEMA acts on the
-- database you are connected to, so connect to "dataset" first (\c dataset
-- in psql). AUTHORIZATION makes toucan the schema owner; GRANT ... ON
-- DATABASE alone grants no rights on schemas or the tables inside them.
CREATE SCHEMA dataset AUTHORIZATION toucan;

-- Layout (connect to "layout" before creating its schemas: \c layout in psql)
CREATE DATABASE layout;
GRANT ALL PRIVILEGES ON DATABASE layout TO toucan;
CREATE SCHEMA layout AUTHORIZATION toucan;
CREATE SCHEMA workspace AUTHORIZATION toucan;

-- SpiceDB
CREATE DATABASE spicedb;
GRANT ALL PRIVILEGES ON DATABASE spicedb TO toucan;

-- Vault
CREATE DATABASE vault;
GRANT ALL PRIVILEGES ON DATABASE vault TO toucan;
```
3. Execute manual migrations

Curity

Download the Curity Identity Server distribution from the Curity developer portal and run the script idsvr/etc/postgres-create_database.sql, shipped inside that distribution, against the curity database.

Vault

Run the table-creation statements given in the Vault documentation for the PostgreSQL storage backend against the vault database.

4. Deploy the credentials as a Secret

Create the Secret in the toucan namespace with the password chosen in step 2 (stringData accepts the clear-text value; Kubernetes stores it base64-encoded) and apply it with kubectl:

yaml: postgresql-secret.yaml
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: toucan-postgresql
  namespace: toucan
stringData:
  postgresql-password: <password>
```
5. Configure the database connection

For this example we assume the database is hosted at postgresql.example.com on the default port 5432. Set these parameters in your values file; every component reads the password from the toucan-postgresql Secret created in step 4, so the values file itself never contains it in clear text:

yaml: values.override.yaml
```yaml
layout:
  config:
    database_postgres:
      url: 'postgresql://toucan:[[ getenv "LAYOUT_POSTGRESQL_PASSWORD" ]]@postgresql.example.com:5432/layout?schema=layout'
      url_admin: 'postgresql://toucan:[[ getenv "LAYOUT_POSTGRESQL_PASSWORD" ]]@postgresql.example.com:5432/layout?schema=layout'
    specific:
      workspace_database_postgres:
        url: 'postgresql://toucan:[[ getenv "LAYOUT_POSTGRESQL_PASSWORD" ]]@postgresql.example.com:5432/layout?schema=workspace'
        url_admin: 'postgresql://toucan:[[ getenv "LAYOUT_POSTGRESQL_PASSWORD" ]]@postgresql.example.com:5432/layout?schema=workspace'
  initconfig:
    secrets:
      LAYOUT_POSTGRESQL_PASSWORD:
        name: toucan-postgresql
        key: postgresql-password

dataset:
  config:
    schema: dataset
    url: 'postgresql://toucan:[[ getenv "DATASET_POSTGRESQL_PASSWORD" ]]@postgresql.example.com:5432/dataset'
    url_admin: 'postgresql://toucan:[[ getenv "DATASET_POSTGRESQL_PASSWORD" ]]@postgresql.example.com:5432/dataset'
  initconfig:
    secrets:
      DATASET_POSTGRESQL_PASSWORD:
        name: toucan-postgresql
        key: postgresql-password

spicedb:
  config:
    datastore:
      uri: 'postgresql://toucan:$(PG_PASSWORD)@postgresql.example.com:5432/spicedb'

  # For the init container to run migrations
  migration:
    extraEnvVars:
      - name: PG_PASSWORD
        valueFrom:
          secretKeyRef:
            name: toucan-postgresql
            key: postgresql-password

  # For the main container
  extraEnvVars:
    - name: PG_PASSWORD
      valueFrom:
        secretKeyRef:
          name: toucan-postgresql
          key: postgresql-password

vault:
  toucanEnvVars:
    - name: ADMIN_CLIENT_SECRET
      valueFrom:
        secretKeyRef:
          name: '{{- include "toucan-stack.curity.oauth2.secretName" . -}}'
          key: curity-toucan-admin-management-client-secret

    - name: MICRO_SERVICE_CLIENT_SECRET
      valueFrom:
        secretKeyRef:
          name: '{{- include "toucan-stack.curity.oauth2.secretName" . -}}'
          key: curity-toucan-micro-service-client-secret

    - name: TOUCAN_VAULT_TOKEN
      valueFrom:
        secretKeyRef:
          name: '{{- include "toucan-stack.vault.oauthapp.secretName" . -}}'
          key: vault-token

    - name: PG_PASSWORD
      valueFrom:
        secretKeyRef:
          name: 'toucan-postgresql'
          key: 'postgresql-password'

    - name: VAULT_PG_CONNECTION_URL
      value: 'postgresql://toucan:$(PG_PASSWORD)@postgresql.example.com:5432/vault'

curity:
  config:
    dataSource:
      connectionString: 'jdbc:postgresql://postgresql.example.com:5432/curity'
      username: toucan

      password:
        secretName: toucan-postgresql
        secretKey: postgresql-password
```
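Before running the upgrade in step 6, it is worth checking that all these connection strings agree with each other and that no password has been pasted into the values file in clear text. The Python script below is an added example and not part of the Toucan Helm Stack: it reads the values text, extracts every single-quoted postgresql:// or jdbc:postgresql:// URL and checks the host, port, user, database, the layout schema, that the password is a [[ getenv "..." ]] or $(VAR) reference rather than a literal, and whether an sslmode parameter is present. The expected host, port and user, the sslmode check and the embedded sample values (which include a deliberately wrong vault URL) are assumptions made for the example; this guide does not state whether each Toucan component honours sslmode, so a missing sslmode is reported only as a warning. The script inspects text only and connects to nothing.

```python
"""Lint the PostgreSQL URLs in a Toucan values file before running helm upgrade.
Added example, not Toucan code: it inspects the text only and connects to nothing."""
import re
from urllib.parse import parse_qs

# Assumed deployment facts, matching the guide's example values.
EXPECTED_HOST = "postgresql.example.com"
EXPECTED_PORT = 5432
EXPECTED_USER = "toucan"
EXPECTED_DATABASES = {"curity", "dataset", "layout", "spicedb", "vault"}
SCHEMAS_BY_DB = {"layout": {"layout", "workspace"}}  # URL must select one of these

# A password is acceptable only as a reference resolved at start-up:
# [[ getenv "VAR" ]] (layout/dataset) or $(VAR) (spicedb/vault env vars).
SECRET_REF = re.compile(r'^(?:\[\[\s*getenv\s+"\w+"\s*\]\]|\$\(\w+\))$')

# urllib.parse.urlsplit rejects the "[[ ... ]]" password as a bad IPv6
# literal, so the URL is taken apart with a small regex instead.
URL_RE = re.compile(
    r"^(?:jdbc:)?postgresql://"
    r"(?:(?P<user>[^:@/]+)(?::(?P<password>[^@]*))?@)?"
    r"(?P<host>[^:/?#]+)(?::(?P<port>\d+))?"
    r"/(?P<db>[^?#]*)(?:\?(?P<query>[^#]*))?$"
)

# Constructed sample shaped like values.override.yaml; the vault entry is
# deliberately wrong (literal password, other host and port) to show what is caught.
SAMPLE_VALUES = '''
layout:
  config:
    database_postgres:
      url: 'postgresql://toucan:[[ getenv "LAYOUT_POSTGRESQL_PASSWORD" ]]@postgresql.example.com:5432/layout?schema=layout'
    specific:
      workspace_database_postgres:
        url: 'postgresql://toucan:[[ getenv "LAYOUT_POSTGRESQL_PASSWORD" ]]@postgresql.example.com:5432/layout?schema=workspace'
dataset:
  config:
    url: 'postgresql://toucan:[[ getenv "DATASET_POSTGRESQL_PASSWORD" ]]@postgresql.example.com:5432/dataset'
spicedb:
  config:
    datastore:
      uri: 'postgresql://toucan:$(PG_PASSWORD)@postgresql.example.com:5432/spicedb'
vault:
  toucanEnvVars:
    - name: VAULT_PG_CONNECTION_URL
      value: 'postgresql://toucan:hunter2@db.internal:5433/vault'
curity:
  config:
    dataSource:
      connectionString: 'jdbc:postgresql://postgresql.example.com:5432/curity'
'''

def extract_urls(values_text):
    """Return every single-quoted PostgreSQL URL in the values text, in order."""
    return re.findall(r"'((?:jdbc:)?postgresql://[^']+)'", values_text)

def check_url(url):
    """Return 'error: ...' / 'warning: ...' findings for one URL."""
    m = URL_RE.match(url)
    if m is None:
        return [f"error: cannot parse {url!r}"]
    findings = []
    host, port, db = m["host"], m["port"], m["db"]
    if host != EXPECTED_HOST:
        findings.append(f"error: host {host!r} is not {EXPECTED_HOST!r}")
    if port is None or int(port) != EXPECTED_PORT:
        findings.append(f"error: port {port!r} is not {EXPECTED_PORT}")
    # JDBC strings keep credentials in separate keys, so check them only when embedded.
    if m["user"] is not None and m["user"] != EXPECTED_USER:
        findings.append(f"error: user {m['user']!r} is not {EXPECTED_USER!r}")
    if m["password"] is not None and not SECRET_REF.match(m["password"]):
        findings.append("error: literal password in URL; reference the Secret instead")
    if db not in EXPECTED_DATABASES:
        findings.append(f"error: database {db!r} is not one of {sorted(EXPECTED_DATABASES)}")
    query = parse_qs(m["query"] or "")
    schema = query.get("schema", [None])[0]
    allowed = SCHEMAS_BY_DB.get(db)
    if allowed is not None and schema not in allowed:
        findings.append(f"error: schema {schema!r} is not one of {sorted(allowed)} for {db!r}")
    if "sslmode" not in query:
        findings.append("warning: no sslmode parameter, so the connection may be plain text")
    return findings

def lint_values(values_text):
    """Map each URL in the values text to its findings (an empty list means clean)."""
    return {url: check_url(url) for url in extract_urls(values_text)}

def has_errors(report):
    """True when any URL carries at least one 'error:' finding."""
    return any(f.startswith("error:") for fs in report.values() for f in fs)

if __name__ == "__main__":
    report = lint_values(SAMPLE_VALUES)
    print(*(f"{u}: {f}" for u, fs in report.items() for f in fs), sep="\n")
    raise SystemExit(1 if has_errors(report) else 0)
```

To lint a real file, replace SAMPLE_VALUES with the contents of your values.override.yaml; a non-zero exit status means at least one URL has an error and the helm upgrade should wait until it is fixed.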
6. Upgrade Toucan Stack

shell: /work/
```shell
helm upgrade --install toucan-stack oci://quay.io/toucantoco/charts/toucan-stack \
  --namespace toucan \
  --values ./values.override.yaml
```
