mirror of https://github.com/coder/coder.git
docs: add steps for postgres server verification (#12072)
* docs: add steps for postgres server verification
* make: fmt
* refactor to guide
* add manifest
parent 7e797e90ac
commit fb198ac99c
@ -0,0 +1,77 @@
# Configure Coder to connect to PostgreSQL using SSL
<div>
<a href="https://github.com/ericpaulsen" style="text-decoration: none; color: inherit;">
<span style="vertical-align:middle;">Eric Paulsen</span>
<img src="https://github.com/ericpaulsen.png" width="24px" height="24px" style="vertical-align:middle; margin: 0px;"/>
</a>
</div>
February 24, 2024
---
Your organization may require connecting to the database instance over SSL. To
supply Coder with the appropriate certificates, and have it connect over SSL,
follow the steps below:
## Client verification (server verifies the client)
1. Create the certificate as a secret in your Kubernetes cluster, if not already
present:
```shell
kubectl create secret tls postgres-certs -n coder --key="postgres.key" --cert="postgres.crt"
```
1. Define the secret volume and volumeMounts in the Helm chart:
```yaml
coder:
volumes:
- name: "pg-certs-mount"
secret:
secretName: "postgres-certs"
volumeMounts:
- name: "pg-certs-mount"
mountPath: "$HOME/.postgresql"
readOnly: true
```
1. Lastly, your PG connection URL will look like:
```shell
postgres://<user>:<password>@databasehost:<port>/<db-name>?sslmode=require&sslcert="$HOME/.postgresql/postgres.crt&sslkey=$HOME/.postgresql/postgres.key"
```
## Server verification (client verifies the server)
1. Download the CA certificate chain for your database instance, and create it
as a secret in your Kubernetes cluster, if not already present:
```shell
kubectl create secret tls postgres-certs -n coder --key="postgres-root.key" --cert="postgres-root.crt"
```
1. Define the secret volume and volumeMounts in the Helm chart:
```yaml
coder:
volumes:
- name: "pg-certs-mount"
secret:
secretName: "postgres-certs"
volumeMounts:
- name: "pg-certs-mount"
mountPath: "$HOME/.postgresql/postgres-root.crt"
readOnly: true
```
1. Lastly, your PG connection URL will look like:
```shell
postgres://<user>:<password>@databasehost:<port>/<db-name>?sslmode=verify-full&sslrootcert="/home/coder/.postgresql/postgres-root.crt"
```
> More information on connecting to PostgreSQL databases using certificates can
> be found
> [here](https://www.postgresql.org/docs/current/libpq-ssl.html#LIBPQ-SSL-CLIENTCERT).
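Review bot: the client-verification connection URL (`postgres://<user>:<password>@databasehost:<port>/<db-name>?sslmode=require&sslcert="$HOME/.postgresql/postgres.crt&sslkey=$HOME/.postgresql/postgres.key"`) has a stray double quote that opens inside the `sslcert` value and closes at the end of the `sslkey` value, so libpq will look for files literally named `"$HOME/.postgresql/postgres.crt` and `...postgres.key"`; drop the quotes, and likewise for `sslrootcert="/home/coder/.postgresql/postgres-root.crt"` further down, where the quotes become part of the path. Three more points in this hunk: (1) Kubernetes does not expand `$HOME` in `mountPath: "$HOME/.postgresql"`, and libpq does not expand it inside a connection string either, so unless a shell expands it before the value reaches Coder the path is taken literally; use the absolute `/home/coder/.postgresql` that the server-verification URL already uses. (2) `kubectl create secret tls` stores the files under the keys `tls.crt` and `tls.key`, so the mounted directory will not contain `postgres.crt`, `postgres.key` or `postgres-root.crt`; either map the keys with `items:`/`path:` on the secret volume or create the secret with `kubectl create secret generic --from-file=postgres.crt=...`. (3) For the CA chain no private key is needed, so a generic secret is the better fit, and a `mountPath` ending in `postgres-root.crt` mounts a directory at that path rather than a file unless `subPath` is used. Finally, `sslmode=require` encrypts the connection but does not verify the server's certificate or hostname, so the client-verification section should point readers to the `verify-full` steps that follow rather than read as a complete setup on its own.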
@ -198,6 +198,8 @@ Your organization may require connecting to the database instance over SSL. To
supply Coder with the appropriate certificates, and have it connect over SSL,
follow the steps below:
### Client verification (server verifies the client)
1. Create the certificate as a secret in your Kubernetes cluster, if not already
present:
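Review bot: this hunk only demotes the heading to `### Client verification (server verifies the client)` and keeps the intro ("Your organization may require connecting to the database instance over SSL...") and the first step verbatim, while the same intro, steps and examples are added as a standalone guide elsewhere in this commit. Two copies of one procedure will drift (the quoting fix in the next hunk is already being applied to one copy at a time); consider reducing this page to a short pointer to the guide, or keeping a single source for the steps.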
@ -222,7 +224,36 @@ coder:
1. Lastly, your PG connection URL will look like:
```shell
postgres://<user>:<password>@databasehost:<port>/<db-name>?sslmode=require&sslcert=$HOME/.postgresql/postgres.crt&sslkey=$HOME/.postgresql/postgres.key"
postgres://<user>:<password>@databasehost:<port>/<db-name>?sslmode=require&sslcert="$HOME/.postgresql/postgres.crt&sslkey=$HOME/.postgresql/postgres.key"
```
### Server verification (client verifies the server)
1. Download the CA certificate chain for your database instance, and create it
as a secret in your Kubernetes cluster, if not already present:
```shell
kubectl create secret tls postgres-certs -n coder --key="postgres-root.key" --cert="postgres-root.crt"
```
1. Define the secret volume and volumeMounts in the Helm chart:
```yaml
coder:
volumes:
- name: "pg-certs-mount"
secret:
secretName: "postgres-certs"
volumeMounts:
- name: "pg-certs-mount"
mountPath: "$HOME/.postgresql/postgres-root.crt"
readOnly: true
```
1. Lastly, your PG connection URL will look like:
```shell
postgres://<user>:<password>@databasehost:<port>/<db-name>?sslmode=verify-full&sslrootcert="/home/coder/.postgresql/postgres-root.crt"
```
> More information on connecting to PostgreSQL databases using certificates can
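Review bot: the replacement connection URL still has an unbalanced quote. The removed line ended with a stray `"` after `postgres.key`, and the added line moves it to before `$HOME` in `sslcert=`, so the quote characters are now part of the `sslcert` and `sslkey` values rather than shell quoting. The fix should remove the quote altogether: `postgres://<user>:<password>@databasehost:<port>/<db-name>?sslmode=require&sslcert=$HOME/.postgresql/postgres.crt&sslkey=$HOME/.postgresql/postgres.key`. The same applies to `sslrootcert="/home/coder/.postgresql/postgres-root.crt"` in the new server-verification section, where the quotes become part of the file path. Two further points on that section: `kubectl create secret tls` stores the certificate under the key `tls.crt`, so a volume mounted from it will not contain a file named `postgres-root.crt` without an `items:`/`path:` mapping, and a `mountPath` ending in `postgres-root.crt` mounts a directory at that path, not a file, unless `subPath` is used; also `kubectl create secret tls` requires a private key, which a CA chain does not come with, so a generic secret created with `--from-file` fits better here.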
@ -1060,6 +1060,11 @@
"description": "Creating ImagePullSecrets for private registries",
"path": "./guides/image-pull-secret.md"
},
{
"title": "Postgres SSL",
"description": "Configure Coder to connect to Postgres over SSL",
"path": "./guides/postgres-ssl.md"
},
{
"title": "Azure Federation",
"description": "Federating Coder to Azure",