This is an easy way to have Conjur use an external PostgreSQL database instead of the one bundled in the provided Docker-compose file. This will keep your data persistent during a restart of the Docker containers.
BACKUP YOUR DATABASE BEFORE CONTINUING
BACKUP YOUR CONJUR DATA KEY BEFORE CONTINUING
Prerequisite
- A working Conjur instance. You can set this up easily by following the Quick Start Tutorial.
Set up a PostgreSQL Server
First, you’re going to need a new PostgreSQL server to replace the containerized one. This can be done by following the documentation on the PostgreSQL site for the specific operating system you are hosting it on. You can host the server locally or remotely depending on what works for your organization.
The current (as of writing this) maximum supported version of PostgreSQL with Conjur is 9.4.
An optional step would be to move the data you backed up from the Postgres database in the Docker container to your new separate database.
Change Database in Docker-Compose
Next, you’re going to need to change the environment variables in the container that hosts the Conjur server. If you start your Conjur cluster with a docker-compose.yml file, you can just edit that. This is the standard Conjur docker-compose file, edited to use a standalone PostgreSQL database:

version: '2'
services:
  openssl:
    image: svagi/openssl:latest
    container_name: openssl
    entrypoint:
      - openssl
      - req
      - -newkey
      - rsa:2048
      - -days
      - "365"
      - -nodes
      - -x509
      - -config
      - tmp/conf/tls.conf
      - -extensions
      - v3_ca
      - -keyout
      - tmp/conf/nginx.key
      - -out
      - tmp/conf/nginx.crt
    volumes:
      - ./conf/tls/:/tmp/conf
  conjur:
    image: cyberark/conjur
    container_name: conjur_server
    command: server
    environment:
      DATABASE_URL: ***INSERT DATABASE ADDRESS***
      CONJUR_DATA_KEY: ***INSERT DATA KEY***
  proxy:
    image: nginx:1.13.6-alpine
    container_name: nginx_proxy
    ports:
      - "8443:443"
    volumes:
      - ./conf/default.conf:/etc/nginx/conf.d/default.conf:ro
      - ./conf/tls/nginx.key:/etc/nginx/nginx.key:ro
      - ./conf/tls/nginx.crt:/etc/nginx/nginx.crt:ro
    depends_on: [ conjur ]
  client:
    image: cyberark/conjur-cli:5
    container_name: conjur_client
    depends_on: [ proxy ]
    entrypoint: sleep
    command: infinity
    volumes:
      - ./conf/policy:/policy

The changes in this sample docker-compose file are:
- removing the postgres container
- removing the dependency of the database from the conjur container
- updating the database address
Before starting the Conjur instance, instead of hardcoding your database URL and data key into the docker-compose file, you could also change the DATABASE_URL and CONJUR_DATA_KEY environment variables. Example:
export CONJUR_DATA_KEY="$(< data_key)"
export DATABASE_URL="$(< database_url)"
Just make sure you keep those values in a safe location. If you lose the data key you cannot get it back and your data is lost.
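One way to check the data_key and database_url files before exporting them (an added example, not part of the original tutorial or the Conjur project). It assumes the data key is base64 text that decodes to 32 bytes and that both files should be accessible only by their owner; the function names are illustrative.

```shell
#!/bin/sh
# Added example: validate the secret files before exporting them for docker-compose.
# The file names data_key and database_url follow the export commands above.

# Succeeds only for a regular, non-empty file with no group/other permission bits.
# Symlinks are rejected because `ls -ld` reports the link itself.
is_private_file() {
    [ -f "$1" ] && [ -s "$1" ] || return 1
    case "$(ls -ld -- "$1")" in
        -???------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Assumption: the data key is base64 text that decodes to exactly 32 bytes.
is_valid_data_key() {
    key_len=$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    [ "$key_len" -eq 32 ]
}

# Accept only PostgreSQL connection URLs.
is_postgres_url() {
    case "$1" in
        postgres://?*|postgresql://?*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: load_conjur_env <data_key file> <database_url file>
load_conjur_env() {
    for secret_file in "$1" "$2"; do
        if ! is_private_file "$secret_file"; then
            echo "refusing $secret_file: missing, empty, or open to group/others" >&2
            return 1
        fi
    done
    data_key=$(cat "$1")
    db_url=$(cat "$2")
    is_valid_data_key "$data_key" || { echo "data key is not 32 base64-encoded bytes" >&2; return 1; }
    is_postgres_url "$db_url" || { echo "database URL is not a postgres:// URL" >&2; return 1; }
    export CONJUR_DATA_KEY="$data_key" DATABASE_URL="$db_url"
}
```

Run `load_conjur_env data_key database_url` in the shell that will start docker-compose. The exported values only reach the container if the compose file references them, for example `DATABASE_URL: ${DATABASE_URL}`, rather than hardcoding them.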
After all of this, you can enjoy the peace of mind that your data in Conjur will be safe in the event that the Docker containers are shut down.