
Commit fb198ac

docs: add steps for postgres server verification (#12072)
* docs: add steps for postgres server verification
* make: fmt
* refactor to guide
* add manifest
1 parent 7e797e9 commit fb198ac


3 files changed

+114
-1
lines changed


docs/guides/postgres-ssl.md

Lines changed: 77 additions & 0 deletions
@@ -0,0 +1,77 @@
1+
# Configure Coder to connect to PostgreSQL using SSL
2+
3+
<div>
4+
<a href="https://github.com/ericpaulsen" style="text-decoration: none; color: inherit;">
5+
<span style="vertical-align:middle;">Eric Paulsen</span>
6+
<img src="https://github.com/ericpaulsen.png" width="24px" height="24px" style="vertical-align:middle; margin: 0px;"/>
7+
</a>
8+
</div>
9+
February 24, 2024
10+
11+
---
12+
13+
Your organization may require connecting to the database instance over SSL. To
14+
supply Coder with the appropriate certificates, and have it connect over SSL,
15+
follow the steps below:
16+
17+
## Client verification (server verifies the client)
18+
19+
1. Create the certificate as a secret in your Kubernetes cluster, if not already
20+
present:
21+
22+
```shell
23+
kubectl create secret tls postgres-certs -n coder --key="postgres.key" --cert="postgres.crt"
24+
```
25+
26+
1. Define the secret volume and volumeMounts in the Helm chart:
27+
28+
```yaml
29+
coder:
30+
volumes:
31+
- name: "pg-certs-mount"
32+
secret:
33+
secretName: "postgres-certs"
34+
volumeMounts:
35+
- name: "pg-certs-mount"
36+
mountPath: "$HOME/.postgresql"
37+
readOnly: true
38+
```
39+
40+
1. Lastly, your PG connection URL will look like:
41+
42+
```shell
43+
postgres://<user>:<password>@databasehost:<port>/<db-name>?sslmode=require&sslcert="$HOME/.postgresql/postgres.crt&sslkey=$HOME/.postgresql/postgres.key"
44+
```
45+
46+
## Server verification (client verifies the server)
47+
48+
1. Download the CA certificate chain for your database instance, and create it
49+
as a secret in your Kubernetes cluster, if not already present:
50+
51+
```shell
52+
kubectl create secret tls postgres-certs -n coder --key="postgres-root.key" --cert="postgres-root.crt"
53+
```
54+
55+
1. Define the secret volume and volumeMounts in the Helm chart:
56+
57+
```yaml
58+
coder:
59+
volumes:
60+
- name: "pg-certs-mount"
61+
secret:
62+
secretName: "postgres-certs"
63+
volumeMounts:
64+
- name: "pg-certs-mount"
65+
mountPath: "$HOME/.postgresql/postgres-root.crt"
66+
readOnly: true
67+
```
68+
69+
1. Lastly, your PG connection URL will look like:
70+
71+
```shell
72+
postgres://<user>:<password>@databasehost:<port>/<db-name>?sslmode=verify-full&sslrootcert="/home/coder/.postgresql/postgres-root.crt"
73+
```
74+
75+
> More information on connecting to PostgreSQL databases using certificates can
76+
> be found
77+
> [here](https://www.postgresql.org/docs/current/libpq-ssl.html#LIBPQ-SSL-CLIENTCERT).
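Review bot: the connection URL in the client-verification section is malformed, and the `$HOME` mount paths in both sections will not resolve as written. The double quote opens right after `sslcert=` and closes only at the end of the string, so `&sslkey=...` becomes part of the `sslcert` value instead of a separate parameter; neither libpq nor Kubernetes expands `$HOME` (the server-verification URL already spells out `/home/coder/.postgresql`). Suggest `sslcert=/home/coder/.postgresql/postgres.crt&sslkey=/home/coder/.postgresql/postgres.key` with no quotes, and the same literal directory in both `mountPath` values. Two further points in the server-verification section: `kubectl create secret tls` requires a private key, but only the CA certificate is needed to verify the server, so the CA's key should not be shipped to the Coder pod at all; `kubectl create secret generic postgres-certs --from-file=postgres-root.crt` is sufficient. And mounting the secret volume at the file path `.../postgres-root.crt` without `subPath` yields a directory of that name, so `sslrootcert` will not point at a file; add `subPath: postgres-root.crt` or mount the directory and reference the file inside it. Both sections also create a secret named `postgres-certs`, so a reader who needs client and server verification together hits a name collision, and `sslmode=require` in the first section performs no server verification; when both are configured, `verify-full` together with `sslcert`/`sslkey` is the mode to recommend.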

docs/install/kubernetes.md

Lines changed: 32 additions & 1 deletion
@@ -198,6 +198,8 @@ Your organization may require connecting to the database instance over SSL. To
198198
supply Coder with the appropriate certificates, and have it connect over SSL,
199199
follow the steps below:
200200

201+
### Client verification (server verifies the client)
202+
201203
1. Create the certificate as a secret in your Kubernetes cluster, if not already
202204
present:
203205

@@ -222,7 +224,36 @@ coder:
222224
1. Lastly, your PG connection URL will look like:
223225

224226
```shell
225-
postgres://<user>:<password>@databasehost:<port>/<db-name>?sslmode=require&sslcert=$HOME/.postgresql/postgres.crt&sslkey=$HOME/.postgresql/postgres.key"
227+
postgres://<user>:<password>@databasehost:<port>/<db-name>?sslmode=require&sslcert="$HOME/.postgresql/postgres.crt&sslkey=$HOME/.postgresql/postgres.key"
228+
```
229+
230+
### Server verification (client verifies the server)
231+
232+
1. Download the CA certificate chain for your database instance, and create it
233+
as a secret in your Kubernetes cluster, if not already present:
234+
235+
```shell
236+
kubectl create secret tls postgres-certs -n coder --key="postgres-root.key" --cert="postgres-root.crt"
237+
```
238+
239+
1. Define the secret volume and volumeMounts in the Helm chart:
240+
241+
```yaml
242+
coder:
243+
volumes:
244+
- name: "pg-certs-mount"
245+
secret:
246+
secretName: "postgres-certs"
247+
volumeMounts:
248+
- name: "pg-certs-mount"
249+
mountPath: "$HOME/.postgresql/postgres-root.crt"
250+
readOnly: true
251+
```
252+
253+
1. Lastly, your PG connection URL will look like:
254+
255+
```shell
256+
postgres://<user>:<password>@databasehost:<port>/<db-name>?sslmode=verify-full&sslrootcert="/home/coder/.postgresql/postgres-root.crt"
226257
```
227258

228259
> More information on connecting to PostgreSQL databases using certificates can
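Review bot: the replaced URL in this hunk moves the stray quote instead of removing it. The old line had a dangling closing quote after `postgres.key`; the new one opens a quote right after `sslcert=` and closes it at the end, so `&sslkey=...` is swallowed into the `sslcert` value. Drop the quotes entirely and use a literal path, since `$HOME` is not expanded here: `sslcert=/home/coder/.postgresql/postgres.crt&sslkey=/home/coder/.postgresql/postgres.key`. The added server-verification block repeats the guide's text verbatim and with it the same issues: `kubectl create secret tls` demands a private key the pod does not need for verifying the server (a `generic` secret built with `--from-file=postgres-root.crt` suffices), the secret volume is mounted at a file path without `subPath`, and the secret name `postgres-certs` collides with the one created in the client-verification section. Consider keeping this install page short and linking to `docs/guides/postgres-ssl.md` rather than maintaining two copies that will drift.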

docs/manifest.json

Lines changed: 5 additions & 0 deletions
@@ -1060,6 +1060,11 @@
10601060
"description": "Creating ImagePullSecrets for private registries",
10611061
"path": "./guides/image-pull-secret.md"
10621062
},
1063+
{
1064+
"title": "Postgres SSL",
1065+
"description": "Configure Coder to connect to Postgres over SSL",
1066+
"path": "./guides/postgres-ssl.md"
1067+
},
10631068
{
10641069
"title": "Azure Federation",
10651070
"description": "Federating Coder to Azure",
