
Postgres SSL

February 24, 2024

Your organization may require connecting to the database instance over SSL. To supply Coder with the appropriate certificates, and have it connect over SSL, follow the steps below:

Client verification (server verifies the client)

  1. Create the certificate as a secret in your Kubernetes cluster, if not already present:

         kubectl create secret tls postgres-certs -n coder --key="postgres.key" --cert="postgres.crt"

  2. Define the secret volume and volumeMounts in the Helm chart:

         coder:
           volumes:
             - name: "pg-certs-mount"
               secret:
                 secretName: "postgres-certs"
           volumeMounts:
             - name: "pg-certs-mount"
               # Absolute path: Kubernetes does not expand $HOME in mountPath.
               mountPath: "/home/coder/.postgresql"
               readOnly: true

  3. Lastly, your PG connection URL will look like:

         postgres://<user>:<password>@databasehost:<port>/<db-name>?sslmode=require&sslcert=/home/coder/.postgresql/postgres.crt&sslkey=/home/coder/.postgresql/postgres.key

Server verification (client verifies the server)

  1. Download the CA certificate chain for your database instance, and create it as a secret in your Kubernetes cluster, if not already present:

         kubectl create secret tls postgres-certs -n coder --key="postgres-root.key" --cert="postgres-root.crt"

  2. Define the secret volume and volumeMounts in the Helm chart:

         coder:
           volumes:
             - name: "pg-certs-mount"
               secret:
                 secretName: "postgres-certs"
           volumeMounts:
             - name: "pg-certs-mount"
               # Absolute path: Kubernetes does not expand $HOME in mountPath.
               mountPath: "/home/coder/.postgresql/postgres-root.crt"
               readOnly: true

  3. Lastly, your PG connection URL will look like:

         postgres://<user>:<password>@databasehost:<port>/<db-name>?sslmode=verify-full&sslrootcert=/home/coder/.postgresql/postgres-root.crt
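
An added example (not from the Coder documentation): a small Python check for the connection URLs built in the last step of each procedure above. It reports when `sslmode` leaves the server unauthenticated and when a certificate path contains quotes or an unexpanded shell variable. The function name `audit_pg_url` and the sample URLs are constructed for illustration, and the `sslmode` meanings follow the libpq documentation.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample URLs (placeholder credentials and host, not from the page).
SAMPLE_URLS = {
    "client-cert": "postgres://u:p@db.example.internal:5432/coder?sslmode=require"
                   "&sslcert=/home/coder/.postgresql/postgres.crt"
                   "&sslkey=/home/coder/.postgresql/postgres.key",
    "verify-full": "postgres://u:p@db.example.internal:5432/coder?sslmode=verify-full"
                   "&sslrootcert=/home/coder/.postgresql/postgres-root.crt",
    "malformed": "postgres://u:p@db.example.internal:5432/coder?sslmode=verify-full"
                 '&sslrootcert="$HOME/.postgresql/postgres-root.crt"',
}

PATH_PARAMS = ("sslcert", "sslkey", "sslrootcert")


def audit_pg_url(url):
    """Return findings about the TLS parameters of a Postgres connection URL."""
    params = {k: v[-1] for k, v in parse_qs(urlsplit(url).query).items()}
    findings = []
    mode = params.get("sslmode")
    if mode is None:
        findings.append("sslmode: not set, the driver default applies")
    elif mode in ("disable", "allow", "prefer"):
        findings.append(f"sslmode={mode}: TLS is not enforced")
    elif mode in ("require", "verify-ca"):
        # Encrypted, but the certificate is not matched against the host name.
        findings.append(f"sslmode={mode}: server hostname is not verified")
    elif mode != "verify-full":
        findings.append(f"sslmode={mode}: unknown value")
    for name in PATH_PARAMS:
        value = params.get(name)
        if value is None:
            continue
        if '"' in value or "'" in value:
            # URL parsing keeps quotes, so they become part of the file name.
            findings.append(f"{name}: quote character is part of the path")
        path = value.strip("\"'")
        if "$" in path or path.startswith("~"):
            findings.append(f"{name}: shell variable is not expanded in a URL")
        elif not path.startswith("/"):
            findings.append(f"{name}: path is not absolute")
    return findings


if __name__ == "__main__":
    for label, url in SAMPLE_URLS.items():
        print(label, audit_pg_url(url) or "ok")
```
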

More information on connecting to PostgreSQL databases using certificates can be found in the PostgreSQL documentation.
