Skip to content

docs: add steps for postgres server verification #12072

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 5 commits into from
Feb 25, 2024
Merged

docs: add steps for postgres server verification #12072

Changes from 1 commit
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
9dc7a9b
docs: add steps for postgres server verification
ericpaulsen Feb 9, 2024
d50b2cb
make: fmt
ericpaulsen Feb 9, 2024
c124115
refactor to guide
ericpaulsen Feb 25, 2024
64b58f3
Merge branch 'main' into pg-server-auth
ericpaulsen Feb 25, 2024
8d81edc
add manifest
ericpaulsen Feb 25, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
refactor to guide
  • Loading branch information
@ericpaulsen
ericpaulsen committed Feb 25, 2024
commit c12411502e6eb39f15103b6df803dbf8c27e34f4
77 changes: 77 additions & 0 deletions docs/guides/postgres-ssl.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,77 @@
# Configure Coder to connect to PostgreSQL using SSL

<div>
<a href="https://github.com/ericpaulsen" style="text-decoration: none; color: inherit;">
<span style="vertical-align:middle;">Eric Paulsen</span>
<img src="https://github.com/ericpaulsen.png" width="24px" height="24px" style="vertical-align:middle; margin: 0px;"/>
</a>
</div>
February 24, 2024

---

Your organization may require connecting to the database instance over SSL. To
supply Coder with the appropriate certificates, and have it connect over SSL,
follow the steps below:

## Client verification (server verifies the client)

1. Create the certificate as a secret in your Kubernetes cluster, if not already
present:

```shell
kubectl create secret tls postgres-certs -n coder --key="postgres.key" --cert="postgres.crt"
```

1. Define the secret volume and volumeMounts in the Helm chart:

```yaml
coder:
volumes:
- name: "pg-certs-mount"
secret:
secretName: "postgres-certs"
volumeMounts:
- name: "pg-certs-mount"
mountPath: "$HOME/.postgresql"
readOnly: true
```

1. Lastly, your PG connection URL will look like:

```shell
postgres://<user>:<password>@databasehost:<port>/<db-name>?sslmode=require&sslcert="$HOME/.postgresql/postgres.crt&sslkey=$HOME/.postgresql/postgres.key"
```

## Server verification (client verifies the server)

1. Download the CA certificate chain for your database instance, and create it
as a secret in your Kubernetes cluster, if not already present:

```shell
kubectl create secret tls postgres-certs -n coder --key="postgres-root.key" --cert="postgres-root.crt"
```

1. Define the secret volume and volumeMounts in the Helm chart:

```yaml
coder:
volumes:
- name: "pg-certs-mount"
secret:
secretName: "postgres-certs"
volumeMounts:
- name: "pg-certs-mount"
mountPath: "$HOME/.postgresql/postgres-root.crt"
readOnly: true
```

1. Lastly, your PG connection URL will look like:

```shell
postgres://<user>:<password>@databasehost:<port>/<db-name>?sslmode=verify-full&sslrootcert="/home/coder/.postgresql/postgres-root.crt"
```

> More information on connecting to PostgreSQL databases using certificates can
> be found
> [here](https://www.postgresql.org/docs/current/libpq-ssl.html#LIBPQ-SSL-CLIENTCERT).