PostgreSQL
EdgeX Foundry uses PostgreSQL as the persistence database by default.
PostgreSQL is an open-source object-relational database system (licensed under the PostgreSQL License) that offers exceptional scalability and performance, with support for both relational and document (JSON) data models.
Pre-Defined Users with Privileges
Each EdgeX service that connects to PostgreSQL uses different users depending on whether it's operating in secure or non-secure mode.
In non-secure mode, all services use the default postgres user to access the PostgreSQL database.
In secure mode, each EdgeX service is assigned a unique username and password, with limited privileges. These users are restricted to accessing only the table schemas owned by their respective services.
For instance, the Core Data service owns the core_data schema and is permitted to use the core_data user to access the database. This core_data user is granted privileges specific to the tables within the core_data schema.
Using PostgreSQL Database
The PostgreSQL database can be started and used as the persistence store in the Docker-based EdgeX deployment.
Please refer to Use PostgreSQL as the persistence layer in EdgeX for instructions on running the EdgeX services along with the PostgreSQL database.
(Optional) Configure add-on services to access PostgreSQL
This section describes how to configure add-on services to access the PostgreSQL database in secure mode.
For more information about add-on services, see Configuring Add-on Service.
Configure known secrets for add-on services
The EDGEX_ADD_KNOWN_SECRETS environment variable on secretstore-setup allows for known secrets to be added to an add-on service's Secret Store.
The known secret for PostgreSQL is the PostgreSQL credentials identified by the name postgres. Any add-on service needing access to PostgreSQL, such as App Service HTTP Export with Store and Forward enabled, will need the PostgreSQL credentials put in its Secret Store.
Note that the steps needed for connecting add-on services to the Secure MessageBus are:
- Utilizing the security-bootstrapper to ensure proper startup sequence
- Creating the Secret Store for the add-on service
- Adding the postgres known secret to the add-on service's Secret Store. If the add-on service is not connecting to the PostgreSQL database, this step can be skipped.
So, for an example service myservice to use the PostgreSQL database in secure mode, we need to tell secretstore-setup to add the postgres known secret to the Secret Store for myservice.
This is done by adding postgres[myservice] to the EDGEX_ADD_KNOWN_SECRETS environment variable in the environment section of the secretstore-setup service, where postgres is the name of the known secret and myservice is the service key of the add-on service.
...
secretstore-setup:
  container_name: edgex-secretstore-setup
  depends_on:
    - security-bootstrapper
    - vault
  environment:
    EDGEX_ADD_SECRETSTORE_TOKENS: myservice
    EDGEX_ADD_KNOWN_SECRETS: postgres[myservice],message-bus[myservice],message-bus[device-virtual]
...
In the above docker-compose section of secretstore-setup, we specify the known secret of postgres to add/copy the PostgreSQL database credentials to the Secret Store for the myservice service.
We can also use the alternative or simpler form of the EDGEX_ADD_KNOWN_SECRETS environment variable's value, like
EDGEX_ADD_KNOWN_SECRETS: postgres[myservice],message-bus[myservice],message-bus[device-virtual]
in which all add-on services are put together in a comma separated list associated with the known secret postgres.
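A configuration check for the secretstore-setup environment described above, as an added example that is not part of the EdgeX documentation or code base: it parses EDGEX_ADD_KNOWN_SECRETS in the name[service-key] form shown on this page and reports services that would receive the postgres credentials without being approved for database access, or without a Secret Store. The function names, the approved_db_clients and has_store_already parameters, and the service key othersvc are assumptions made for this example.

```python
import re

# One entry of EDGEX_ADD_KNOWN_SECRETS in the form shown on this page: name[service-key]
ENTRY = re.compile(r"^([A-Za-z0-9_-]+)\[([A-Za-z0-9_-]+)\]$")

def parse_known_secrets(value):
    """Return {known secret name: set of service keys} for a comma-separated value."""
    grants = {}
    for item in filter(None, (part.strip() for part in value.split(","))):
        match = ENTRY.match(item)
        if not match:
            raise ValueError(f"malformed known-secret entry: {item!r}")
        grants.setdefault(match.group(1), set()).add(match.group(2))
    return grants

def audit(env, approved_db_clients, has_store_already=frozenset()):
    """Check a secretstore-setup environment mapping; return a sorted list of findings."""
    # Assumption: EDGEX_ADD_SECRETSTORE_TOKENS holds comma-separated service keys.
    tokens = {s.strip() for s in env.get("EDGEX_ADD_SECRETSTORE_TOKENS", "").split(",") if s.strip()}
    grants = parse_known_secrets(env.get("EDGEX_ADD_KNOWN_SECRETS", ""))
    findings = []
    for name, services in grants.items():
        for svc in services:
            # The page lists creating the Secret Store as a step before adding the known secret.
            if svc not in tokens and svc not in has_store_already:
                findings.append(f"{name}[{svc}]: no Secret Store requested for {svc}")
            # Database credentials should reach only services that use the database.
            if name == "postgres" and svc not in approved_db_clients:
                findings.append(f"postgres[{svc}]: {svc} is not an approved database client")
    return sorted(findings)

# Constructed sample: the environment section from the compose excerpt on this page.
PAGE_ENV = {
    "EDGEX_ADD_SECRETSTORE_TOKENS": "myservice",
    "EDGEX_ADD_KNOWN_SECRETS": "postgres[myservice],message-bus[myservice],message-bus[device-virtual]",
}

if __name__ == "__main__":
    # Assumption: device-virtual gets its Secret Store elsewhere in the deployment.
    print(audit(PAGE_ENV, {"myservice"}, {"device-virtual"}))
    drifted = dict(PAGE_ENV, EDGEX_ADD_KNOWN_SECRETS=PAGE_ENV["EDGEX_ADD_KNOWN_SECRETS"] + ",postgres[othersvc]")
    for finding in audit(drifted, {"myservice"}, {"device-virtual"}):
        print(finding)
```

Run against the compose file in review or CI, the check makes every new recipient of the database credentials an explicit, approved change.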