Jump to contentJump to page navigation: previous page [access key p]/next page [access key n]
Applies to SUSE Cloud Application Platform 1.5.2

15 External Database

By default, internal MariaDB instances serve as the backing databases for internal components of SUSE Cloud Application Platform. These components can be configured to use an external database system, such as a data service offered by a cloud service provider or an existing high availability database server.

The current SUSE Cloud Application Platform release is compatible with the following external databases:

  • Amazon RDS MariaDB

  • Azure MariaDB

15.1 Important Considerations

  • If you are using external UAA with an external database you must set up two separate database instances; one for UAA and one for SCF. One external database instance for both an external UAA and an SCF setup is not supported and will cause data conflicts resulting in deployment failures.

  • When the external database server is configured to use TLS, it must support both TLS and unencrypted connections; if the external database server only accepts TLS connections some SCF components will not be able to communicate with the database server.

  • Note that Amazon RDS uses a CA that is not currently recognized as a well-known CA within UAA. Therefore, you must use the flag env.UAADB_TLS to enabled_skip_all_validation to disable server certificate validation for TLS connections to RDS. If you are using credhub, you will need to pass in the RDS CA via the secrets.CREDHUB_DB_CA_CERT flag to ensure credhub is able to validate the RDS server cert.

15.2 Configuration

This section describes the components involved and their associated configuration options when connecting to an external database. The configuration options are specified through Helm values inside the scf-config-values.yaml. The deployment and configuration of the external database itself is the responsibility of the operator and beyond the scope of this documentation. It is assumed the external database has been deployed and accessible.

Important: Configuration during Initial Install Only

Configuration of SUSE Cloud Application Platform to use an external database must be done during the initial installation and cannot be changed afterwards.


The database-seeder runs during installation and created databases inside the service for the various clients (Cloud Controller, Diego, UAA, etc.). It uses these configuration variables:

  • env.DB_EXTERNAL_HOST: Hostname for an external database server to use for the CF-internal databases. If not set, the internal database is used and the remaining DB_EXTERNAL_* variables are ignored.

  • env.DB_EXTERNAL_USER_HOST_SUFFIX: A suffix that has to be appended to every user name for the external database; usually @host. Must include the @ sign. Empty by default.

  • env.DB_EXTERNAL_PORT: Port for an external database server to use for the CF-internal databases. Default: 3306.

  • env.DB_EXTERNAL_SSL_MODE: SSL configuration for the external database server. Valid values: false (database-seeder will communicate over plain TCP), skip-verify, preferred, and true. Default: true.

  • env.DB_EXTERNAL_USER: Administrator user name for an external database server; this is required to create the necessary databases. DB_EXTERNAL_USER_HOST_SUFFIX will be appended to this user name, so this variable should include just the user name without the host suffix.

  • secrets.DB_EXTERNAL_PASSWORD: Administrator password for an external database server; this is required to create the necessary databases.

The user and password are only used by the seeder to create the databases. All clients will then use database specific usernames and passwords.

  • secrets.CREDHUB_DB_CA_CERT: CA trusted for making TLS connections to targeted database server.

  • env.CREDHUB_DB_HOST_VALIDATION: Enables hostname verification for TLS connections to targeted database server. Default: true.

  • env.CREDHUB_DB_REQUIRE_TLS: Requires only TLS connections to targeted database server. Default: true.


env.UAADB_TLS: Use TLS connection for UAA database. Valid options are: enabled (use TLS with full certificate validation), enabled_skip_hostname_validation (use TLS but skip validation of common and alt names in the host certificate), enabled_skip_all_validation (use TLS but do not validate anything about the host certificate), and disabled (do not use TLS). Default: enabled.

After your configuration file has been updated, refer to the platform-specific instructions to deploy uaa and/or scf:

Print this page