From 9dc7a9b0603f40ccf85eb27694cdd809adc0e37c Mon Sep 17 00:00:00 2001
From: Eric
Date: Fri, 9 Feb 2024 02:47:25 +0000
Subject: [PATCH 1/4] docs: add steps for postgres server verification
---
 docs/install/kubernetes.md | 33 ++++++++++++++++++++++++++++++++-
 1 file changed, 32 insertions(+), 1 deletion(-)
diff --git a/docs/install/kubernetes.md b/docs/install/kubernetes.md
index 4458ae17b7ab6..375205ec092a8 100644
--- a/docs/install/kubernetes.md
+++ b/docs/install/kubernetes.md
@@ -198,6 +198,8 @@ Your organization may require connecting to the database instance over SSL. To
 supply Coder with the appropriate certificates, and have it connect over SSL,
 follow the steps below:
+### Client verification (server verifies the client)
+
 1. Create the certificate as a secret in your Kubernetes cluster, if not already present:
@@ -222,7 +224,36 @@ coder:
 1. Lastly, your PG connection URL will look like:
 ```shell
-postgres://:@databasehost:/?sslmode=require&sslcert=$HOME/.postgresql/postgres.crt&sslkey=$HOME/.postgresql/postgres.key"
+postgres://:@databasehost:/?sslmode=require&sslcert="$HOME/.postgresql/postgres.crt&sslkey=$HOME/.postgresql/postgres.key"
+```
+
+### Server verification (client verifies the server)
+
+1. Download the CA certificate chain for your database instance, and create it
+ as a secret in your Kubernetes cluster, if not already present:
+
+```shell
+kubectl create secret tls postgres-certs -n coder --key="postgres-root.key" --cert="postgres-root.crt"
+```
+
+1. Define the secret volume and volumeMounts in the Helm chart:
+
+```yaml
+coder:
+ volumes:
+ - name: "pg-certs-mount"
+ secret:
+ secretName: "postgres-certs"
+ volumeMounts:
+ - name: "pg-certs-mount"
+ mountPath: "$HOME/.postgresql/postgres-root.crt"
+ readOnly: true
+```
+
+1. Lastly, your PG connection URL will look like:
+
+```shell
+postgres://:@databasehost:/?sslmode=verify-full&sslrootcert="/home/coder/.postgresql/postgres-root.crt"
 ```
 > More information on connecting to PostgreSQL databases using certificates can
From d50b2cb5badf6139965ee9ec775f9af0f9c34f28 Mon Sep 17 00:00:00 2001
From: Eric
Date: Fri, 9 Feb 2024 02:56:38 +0000
Subject: [PATCH 2/4] make: fmt
---
 docs/install/kubernetes.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/install/kubernetes.md b/docs/install/kubernetes.md
index 375205ec092a8..654b902aa983a 100644
--- a/docs/install/kubernetes.md
+++ b/docs/install/kubernetes.md
@@ -230,7 +230,7 @@ postgres://:@databasehost:/?sslmode=require&sslce
 ### Server verification (client verifies the server)
 1. Download the CA certificate chain for your database instance, and create it
- as a secret in your Kubernetes cluster, if not already present:
+ as a secret in your Kubernetes cluster, if not already present:
 ```shell
 kubectl create secret tls postgres-certs -n coder --key="postgres-root.key" --cert="postgres-root.crt"
From c12411502e6eb39f15103b6df803dbf8c27e34f4 Mon Sep 17 00:00:00 2001
From: Eric
Date: Sun, 25 Feb 2024 01:13:48 +0000
Subject: [PATCH 3/4] refactor to guide
---
 docs/guides/postgres-ssl.md | 77 +++++++++++++++++++++++++++++++++++++
 1 file changed, 77 insertions(+)
 create mode 100644 docs/guides/postgres-ssl.md
diff --git a/docs/guides/postgres-ssl.md b/docs/guides/postgres-ssl.md
new file mode 100644
index 0000000000000..f1934b60e907d
--- /dev/null
+++ b/docs/guides/postgres-ssl.md
@@ -0,0 +1,77 @@
+# Configure Coder to connect to PostgreSQL using SSL
+
+
+February 24, 2024
+
+---
+
+Your organization may require connecting to the database instance over SSL. To
+supply Coder with the appropriate certificates, and have it connect over SSL,
+follow the steps below:
+
+## Client verification (server verifies the client)
+
+1. Create the certificate as a secret in your Kubernetes cluster, if not already
+ present:
+
+```shell
+kubectl create secret tls postgres-certs -n coder --key="postgres.key" --cert="postgres.crt"
+```
+
+1. Define the secret volume and volumeMounts in the Helm chart:
+
+```yaml
+coder:
+ volumes:
+ - name: "pg-certs-mount"
+ secret:
+ secretName: "postgres-certs"
+ volumeMounts:
+ - name: "pg-certs-mount"
+ mountPath: "$HOME/.postgresql"
+ readOnly: true
+```
+
+1. Lastly, your PG connection URL will look like:
+
+```shell
+postgres://:@databasehost:/?sslmode=require&sslcert="$HOME/.postgresql/postgres.crt&sslkey=$HOME/.postgresql/postgres.key"
+```
+
+## Server verification (client verifies the server)
+
+1. Download the CA certificate chain for your database instance, and create it
+ as a secret in your Kubernetes cluster, if not already present:
+
+```shell
+kubectl create secret tls postgres-certs -n coder --key="postgres-root.key" --cert="postgres-root.crt"
+```
+
+1. Define the secret volume and volumeMounts in the Helm chart:
+
+```yaml
+coder:
+ volumes:
+ - name: "pg-certs-mount"
+ secret:
+ secretName: "postgres-certs"
+ volumeMounts:
+ - name: "pg-certs-mount"
+ mountPath: "$HOME/.postgresql/postgres-root.crt"
+ readOnly: true
+```
+
+1. Lastly, your PG connection URL will look like:
+
+```shell
+postgres://:@databasehost:/?sslmode=verify-full&sslrootcert="/home/coder/.postgresql/postgres-root.crt"
+```
+
+> More information on connecting to PostgreSQL databases using certificates can
+> be found
+> [here](https://www.postgresql.org/docs/current/libpq-ssl.html#LIBPQ-SSL-CLIENTCERT).
From 8d81edc379d895da4edc09e5dc7d97d79a32fdf1 Mon Sep 17 00:00:00 2001
From: Eric
Date: Sun, 25 Feb 2024 01:16:00 +0000
Subject: [PATCH 4/4] add manifest
---
 docs/manifest.json | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/docs/manifest.json b/docs/manifest.json
index 4bfaf6aadb64a..1b70f9147d950 100644
--- a/docs/manifest.json
+++ b/docs/manifest.json
@@ -1060,6 +1060,11 @@
 "description": "Creating ImagePullSecrets for private registries",
 "path": "./guides/image-pull-secret.md"
 },
+ {
+ "title": "Postgres SSL",
+ "description": "Configure Coder to connect to Postgres over SSL",
+ "path": "./guides/postgres-ssl.md"
+ },
 {
 "title": "Azure Federation",
 "description": "Federating Coder to Azure",