docs: add steps for postgres server verification

ericpaulsen · ericpaulsen · commit 9dc7a9b0603f · 2024-02-09T02:47:25.000Z
diff --git a/docs/install/kubernetes.md b/docs/install/kubernetes.md
@@ -198,6 +198,8 @@ Your organization may require connecting to the database instance over SSL. To
 supply Coder with the appropriate certificates, and have it connect over SSL,
 follow the steps below:
 
+### Client verification (server verifies the client)
+
 1. Create the certificate as a secret in your Kubernetes cluster, if not already
    present:
 
@@ -222,7 +224,36 @@ coder:
 1. Lastly, your PG connection URL will look like:
 
 ```shell
-postgres://<user>:<password>@databasehost:<port>/<db-name>?sslmode=require&sslcert=$HOME/.postgresql/postgres.crt&sslkey=$HOME/.postgresql/postgres.key"
+postgres://<user>:<password>@databasehost:<port>/<db-name>?sslmode=require&sslcert="$HOME/.postgresql/postgres.crt&sslkey=$HOME/.postgresql/postgres.key"
+```
+
+### Server verification (client verifies the server)
+
+1. Download the CA certificate chain for your database instance, and create it
+  as a secret in your Kubernetes cluster, if not already present:
+
+```shell
+kubectl create secret tls postgres-certs -n coder --key="postgres-root.key" --cert="postgres-root.crt"
+```
+
+1. Define the secret volume and volumeMounts in the Helm chart:
+
+```yaml
+coder:
+  volumes:
+    - name: "pg-certs-mount"
+      secret:
+        secretName: "postgres-certs"
+  volumeMounts:
+    - name: "pg-certs-mount"
+      mountPath: "$HOME/.postgresql/postgres-root.crt"
+      readOnly: true
+```
+
+1. Lastly, your PG connection URL will look like:
+
+```shell
+postgres://<user>:<password>@databasehost:<port>/<db-name>?sslmode=verify-full&sslrootcert="/home/coder/.postgresql/postgres-root.crt"
 ```
 
 > More information on connecting to PostgreSQL databases using certificates can
