Commit c124115

refactor to guide
1 parent d50b2cb commit c124115

1 file changed

+77
-0
lines changed

docs/guides/postgres-ssl.md

@@ -0,0 +1,77 @@
1+
# Configure Coder to connect to PostgreSQL using SSL
2+
3+
<div>
4+
<a href="https://github.com/ericpaulsen" style="text-decoration: none; color: inherit;">
5+
<span style="vertical-align:middle;">Eric Paulsen</span>
6+
<img src="https://github.com/ericpaulsen.png" width="24px" height="24px" style="vertical-align:middle; margin: 0px;"/>
7+
</a>
8+
</div>
9+
February 24, 2024
10+
11+
---
12+
13+
Your organization may require connecting to the database instance over SSL. To
14+
supply Coder with the appropriate certificates, and have it connect over SSL,
15+
follow the steps below:
16+
17+
## Client verification (server verifies the client)
18+
19+
1. Create the certificate as a secret in your Kubernetes cluster, if not already
20+
present:
21+
22+
```shell
23+
kubectl create secret tls postgres-certs -n coder --key="postgres.key" --cert="postgres.crt"
24+
```
25+
26+
1. Define the secret volume and volumeMounts in the Helm chart:
27+
28+
```yaml
29+
coder:
30+
volumes:
31+
- name: "pg-certs-mount"
32+
secret:
33+
secretName: "postgres-certs"
34+
volumeMounts:
35+
- name: "pg-certs-mount"
36+
mountPath: "$HOME/.postgresql"
37+
readOnly: true
38+
```
39+
40+
1. Lastly, your PG connection URL will look like:
41+
42+
```shell
43+
postgres://<user>:<password>@databasehost:<port>/<db-name>?sslmode=require&sslcert="$HOME/.postgresql/postgres.crt&sslkey=$HOME/.postgresql/postgres.key"
44+
```
45+
46+
## Server verification (client verifies the server)
47+
48+
1. Download the CA certificate chain for your database instance, and create it
49+
as a secret in your Kubernetes cluster, if not already present:
50+
51+
```shell
52+
kubectl create secret tls postgres-certs -n coder --key="postgres-root.key" --cert="postgres-root.crt"
53+
```
54+
55+
1. Define the secret volume and volumeMounts in the Helm chart:
56+
57+
```yaml
58+
coder:
59+
volumes:
60+
- name: "pg-certs-mount"
61+
secret:
62+
secretName: "postgres-certs"
63+
volumeMounts:
64+
- name: "pg-certs-mount"
65+
mountPath: "$HOME/.postgresql/postgres-root.crt"
66+
readOnly: true
67+
```
68+
69+
1. Lastly, your PG connection URL will look like:
70+
71+
```shell
72+
postgres://<user>:<password>@databasehost:<port>/<db-name>?sslmode=verify-full&sslrootcert="/home/coder/.postgresql/postgres-root.crt"
73+
```
74+
75+
> More information on connecting to PostgreSQL databases using certificates can
76+
> be found
77+
> [here](https://www.postgresql.org/docs/current/libpq-ssl.html#LIBPQ-SSL-CLIENTCERT).
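
Review bot: In the server verification section, step 1 creates a tls secret with --key="postgres-root.key", which puts the CA's private key into the cluster even though the client only needs the CA certificate to verify the server; a generic secret built from postgres-root.crt alone would avoid distributing that key. Separately, kubectl create secret tls stores its data under the keys tls.crt and tls.key, so the mounted files will not be named postgres.crt, postgres.key or postgres-root.crt as the connection URLs expect, unless the volume remaps them with items or the URLs are changed to match. In the client verification URL the opening quote sits after sslcert= and the closing quote after postgres.key, so sslkey is swallowed into the sslcert value; drop the quotes or quote each value on its own. The second mountPath names a file ("$HOME/.postgresql/postgres-root.crt") without a subPath, which mounts the secret as a directory at that path, and the guide mixes $HOME in mountPath with /home/coder in the final URL; Kubernetes does not expand $HOME in mountPath, so use the absolute path in both places. Both sections also reuse the secret name postgres-certs, so a reader following both will hit a name collision on the second create; give the CA secret its own name.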
