Guide: Authenticating to a PostgreSQL database on k8s/OpenShift using a Credential Store #580

Open
bstansberry opened this issue Mar 22, 2024 · 0 comments
(Note: this is one of several possible guides related to integration with an external datasource. Be sure to familiarize yourself with the overall set to be sure what you do will fit nicely with the others.)

Prerequisites:

- Integrating with a PostgreSQL database on k8s/Openshift #579
- Something from 'Use case driven guides for credential-stores' #509

Content:

This would use an example app that uses a datasource. Perhaps kitchensink QS.

The idea here is to move beyond the Integrating with a PostgreSQL database on k8s/Openshift #579 guide by replacing the approach used for configuration of the DS username/password. The #577 guide demonstrates establishing a configuration that uses a simple expression backed by an env var. The #579 guide evolves this by using a secret to control the env var value. Here we evolve things to use a credential store instead.

Ideally the basics of how to get the necessary Elytron resources available in an OS environment are covered in some other guide that becomes a prerequisite, or perhaps we reuse shared content. This one becomes about the simple DS configuration aspect.

Things to cover

- Replacing the simple expression configuration with a credential store expression.
- Replacing the simple expression configuration with a credential reference.

Note: as part of this work we should decide if the credential store expression approach is what we recommend. It seems easier as we can leave the simple expression as is, and take advantage of the fact that if WildFly resolves an expression to another expression, it will then try and resolve that.

So:
- standalone.xml uses an expression that looks to an env var
- user generates a credential store expression
- deployment sets the env var to the credential store expression

The 'use a credential reference' approach involves more advanced topics like using the CLI to update the config as part of the image build.
