This is an easy way to have Conjur use an external PostgreSQL database instead of the one bundled in the provided Docker-compose file. This will keep your data persistent during a restart of the Docker containers.
BACKUP YOUR DATABASE BEFORE CONTINUING
BACKUP YOUR CONJUR DATA KEY BEFORE CONTINUING
- A working Conjur instance. You can set this up easily by following the Quick Start Tutorial.
Set up a PostgreSQL Server
First, you’re going to need a new PostgreSQL server to replace the containerized one. This can be done by following the documentation on the PostgreSQL site for the specific operating system you are hosting it on. You can host the server locally or remotely depending on what works for your organization.
The current (as of this writing) maximum supported version of PostgreSQL with Conjur is 9.4.
An optional step would be to move the data you backed up from the Postgres database in the Docker container to your new separate database.
Change Database in Docker-Compose
Next, you’re going to need to change the environment variables in the container that hosts the Conjur server. If you start your Conjur cluster with a docker-compose.yml file, you can just edit that. This is the standard Conjur docker-compose file, edited to use a standalone PostgreSQL database:
version: '2'
services:
  openssl:
    image: svagi/openssl:latest
    container_name: openssl
    entrypoint:
      - openssl
      - req
      - -newkey
      - rsa:2048
      - -days
      - "365"
      - -nodes
      - -x509
      - -config
      - tmp/conf/tls.conf
      - -extensions
      - v3_ca
      - -keyout
      - tmp/conf/nginx.key
      - -out
      - tmp/conf/nginx.crt
    volumes:
      - ./conf/tls/:/tmp/conf
  conjur:
    image: cyberark/conjur
    container_name: conjur_server
    command: server
    environment:
      DATABASE_URL: ***INSERT DATABASE ADDRESS***
      CONJUR_DATA_KEY: ***INSERT DATA KEY***
  proxy:
    image: nginx:1.13.6-alpine
    container_name: nginx_proxy
    ports:
      - "8443:443"
    volumes:
      - ./conf/default.conf:/etc/nginx/conf.d/default.conf:ro
      - ./conf/tls/nginx.key:/etc/nginx/nginx.key:ro
      - ./conf/tls/nginx.crt:/etc/nginx/nginx.crt:ro
    depends_on: [ conjur ]
  client:
    image: cyberark/conjur-cli:5
    container_name: conjur_client
    depends_on: [ proxy ]
    entrypoint: sleep
    command: infinity
    volumes:
      - ./conf/policy:/policy
The changes in this sample docker-compose file are:
- removing the
- removing the dependency of the database from the
- updating the database address
Before starting the Conjur instance, instead of hardcoding your database URL and data key into the docker-compose file, you could also change the
CONJUR_DATA_KEY environment variables. Example:
export CONJUR_DATA_KEY="$(< data_key)"
export DATABASE_URL="$(< database_url)"
Just make sure you keep those values in a safe location. If you lose the data key you cannot get it back and your data is lost.
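A preflight check for the two secret files used in the export example above. This is an added example, not code from the Conjur project. The file names data_key and database_url come from the page; the function names, the directory argument and the requirement of a postgres:// or postgresql:// URL scheme are assumptions.

```shell
#!/bin/sh
# Added example: validate the secret files before exporting their contents.
# Function names and the directory argument are hypothetical.

# Succeeds only for a regular, non-empty file with no group/other access.
check_secret_file() {
    f=$1
    [ -f "$f" ] && [ ! -L "$f" ] || { echo "missing or not a regular file: $f" >&2; return 1; }
    [ -s "$f" ] || { echo "empty file: $f" >&2; return 1; }
    # In the ls -ld mode string (e.g. -rw-------), characters 5-10 are
    # the group and other permission bits; all must be unset.
    perms=$(ls -ld -- "$f" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "too permissive (chmod 600): $f" >&2; return 1; }
}

# Exports CONJUR_DATA_KEY and DATABASE_URL from files in the given
# directory (default: current directory), or fails without exporting.
load_conjur_env() {
    dir=${1:-.}
    check_secret_file "$dir/data_key" || return 1
    check_secret_file "$dir/database_url" || return 1
    # cat is used instead of $(< file) so this also runs under plain sh.
    url=$(cat "$dir/database_url")
    case $url in
        postgres://*|postgresql://*) ;;   # assumed URL scheme
        *) echo "database_url is not a postgres:// URL" >&2; return 1 ;;
    esac
    CONJUR_DATA_KEY=$(cat "$dir/data_key")
    DATABASE_URL=$url
    export CONJUR_DATA_KEY DATABASE_URL
}
```

Source the script and call load_conjur_env in the shell that will start the containers, so the exported variables persist in that shell.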
After all of this, you can enjoy the peace of mind that your data in Conjur will be safe in the event that the Docker containers are shut down.