# Deploy PostgreSQL with Helm in TLS Mode

## Step 1: Install Prerequisites

Before starting, ensure you have the following installed:
- `kubectl` (Kubernetes CLI)
- `helm` (Helm CLI)
- A Kubernetes cluster (e.g., Minikube, GKE, EKS, or AKS)

In [1]:
# Verify kubectl and helm are installed
!kubectl version --client
!helm version

Client Version: v1.31.2
Kustomize Version: v5.4.2
version.BuildInfo{Version:"v3.17.0", GitCommit:"301108edc7ac2a8ba79e4ebf5701b0b6ce6a31e4", GitTreeState:"clean", GoVersion:"go1.23.4"}


## Step 2: Add the Bitnami Helm Repository

In [2]:
# Add the Bitnami Helm repository
!helm repo add bitnami https://charts.bitnami.com/bitnami
!helm repo update

"bitnami" already exists with the same configuration, skipping
Hang tight while we grab the latest from your chart repositories...
...Successfully got an update from the "bitnami" chart repository
Update Complete. ⎈Happy Helming!⎈


## Step 3: Generate TLS Certificates

In [9]:
# Create a directory for certificates
!mkdir -p postgres-tls-certs

# Generate a CA certificate
!openssl req -new -x509 -days 365 -nodes -out postgres-tls-certs/ca.crt -keyout postgres-tls-certs/ca.key -subj "/CN=PostgreSQL CA"

# Generate a server certificate
!openssl req -new -nodes -out postgres-tls-certs/server.csr -keyout postgres-tls-certs/server.key -subj "/CN=postgresql.default.svc.cluster.local"
!openssl x509 -req -in postgres-tls-certs/server.csr -days 365 -CA postgres-tls-certs/ca.crt -CAkey postgres-tls-certs/ca.key -CAcreateserial -out postgres-tls-certs/server.crt

# Generate a client certificate
!openssl req -new -nodes -out postgres-tls-certs/client.csr -keyout postgres-tls-certs/client.key -subj "/CN=admin"
!openssl x509 -req -in postgres-tls-certs/client.csr -days 365 -CA postgres-tls-certs/ca.crt -CAkey postgres-tls-certs/ca.key -CAcreateserial -out postgres-tls-certs/client.crt

.............+.+..+............+...+...................+.....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*....+.........+....+.....+.+..+.......+..+...+.+.....+......+.+..+.+...........+.+.........+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*....+...........+...+......................+........+......+....+..+.............+...+............+........+....+........+...+...+......+.+..............+.........+.+..............+....+..+.............+..+...+.+......+.....+...+.......+..................+..+....+.....+.+.....+.+...+.........+...+.....+....+.........+.....+.......+..+............+.........+.+......+...+............+..+............+....+..+...+.+...............+...+..+....+...........+..........+.....+....+..+...+....+........+...+.+......+........+.+......+..+...+....+...+..+.+........+.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
..............+.+...+..................+..+...+..........+............+...............+...

## Step 4: Create Kubernetes Secrets for Certificates

In [6]:
# Create a secret for the server certificates
!kubectl create secret generic postgresql-server-certs   --from-file=ca.crt=./postgres-tls-certs/ca.crt   --from-file=tls.crt=./postgres-tls-certs/server.crt   --from-file=tls.key=./postgres-tls-certs/server.key

# Create a secret for the client certificates
!kubectl create secret generic postgresql-client-certs   --from-file=ca.crt=./postgres-tls-certs/ca.crt   --from-file=tls.crt=./postgres-tls-certs/client.crt   --from-file=tls.key=./postgres-tls-certs/client.key

error: failed to create secret secrets "postgresql-server-certs" already exists
secret/postgresql-client-certs created


## Step 5: Deploy PostgreSQL with Helm

In [11]:
# Helm values for TLS configuration
helm_values = """
tls:
  enabled: true
  certificatesSecret: "postgresql-server-certs"
  certFilename: "tls.crt"
  certKeyFilename: "tls.key"
  certCAFilename: "ca.crt"

volumePermissions:
  enabled: true
"""

# Write the values to a file
with open("values.yaml", "w") as f:
    f.write(helm_values)

# Install PostgreSQL with Helm
!helm install postgresql bitnami/postgresql -f values.yaml

NAME: postgresql
LAST DEPLOYED: Thu Feb  6 12:36:33 2025
NAMESPACE: default
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
CHART NAME: postgresql
CHART VERSION: 16.4.6
APP VERSION: 17.2.0

Did you know there are enterprise versions of the Bitnami catalog? For enhanced secure software supply chain features, unlimited pulls from Docker, LTS support, or application customization, see Bitnami Premium or Tanzu Application Catalog. See https://www.arrow.com/globalecs/na/vendors/bitnami for more information.

** Please be patient while the chart is being deployed **

PostgreSQL can be accessed via port 5432 on the following DNS names from within your cluster:

    postgresql.default.svc.cluster.local - Read/Write connection

To get the password for "postgres" run:

    export POSTGRES_PASSWORD=$(kubectl get secret --namespace default postgresql -o jsonpath="{.data.postgres-password}" | base64 -d)

To connect to your database run the following command:

    kubectl run postgresql-client 

## Step 6: Verify the Deployment

In [12]:
# Check the status of the PostgreSQL pod
!kubectl get pods -l app.kubernetes.io/name=postgresql

# check if the ssl is on and setting the path to certificates.
!kubectl exec -it postgresql-0 -- cat /opt/bitnami/postgresql/conf/postgresql.conf | grep ssl

# Connect to PostgreSQL using TLS
!kubectl exec -it postgresql-0 -- env PGPASSWORD=password psql -U admin -d mydatabase -c '\l'

NAME           READY   STATUS    RESTARTS   AGE
postgresql-0   1/1     Running   0          12s
Defaulted container "postgresql" out of: postgresql, init-chmod-data (init)
ssl = 'on'
ssl_ca_file = '/opt/bitnami/postgresql/certs/ca.crt'
ssl_cert_file = '/opt/bitnami/postgresql/certs/tls.crt'
#ssl_crl_file = ''
#ssl_crl_dir = ''
ssl_key_file = '/opt/bitnami/postgresql/certs/tls.key'
#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL'	# allowed SSL ciphers
#ssl_prefer_server_ciphers = on
#ssl_ecdh_curve = 'prime256v1'
#ssl_min_protocol_version = 'TLSv1.2'
#ssl_max_protocol_version = ''
#ssl_dh_params_file = ''
#ssl_passphrase_command = ''
#ssl_passphrase_command_supports_reload = off
Defaulted container "postgresql" out of: postgresql, init-chmod-data (init)
                                                      List of databases
    Name    |  Owner   | Encoding | Locale Provider |   Collate   |    Ctype    
| Locale | ICU Rules |   Access privileges   
------------+----------+----------+----------

## Step 7: Port forwarding in the terminal for the connection testing using python

kubectl port-forward svc/postgresql 5432:5432

## Step 8: Check the connection using sql alchemy

In [5]:


# Define database connection parameters
DB_USER = "admin"
DB_PASSWORD = "password"
DB_HOST = "localhost"
DB_PORT = "5432"
DB_NAME = "mydatabase"

# TLS Certificate Paths
SSL_CERT = "postgres-tls-certs/client.crt"
SSL_KEY = "postgres-tls-certs/client.key"
SSL_ROOT_CERT = "postgres-tls-certs/ca.crt"

from sqlalchemy import create_engine
# Create SQLAlchemy connection string
DATABASE_URL = (
    f"postgresql+psycopg://{DB_USER}:{DB_PASSWORD}@{DB_HOST}:{DB_PORT}/{DB_NAME}?"
    f"sslmode=verify-ca&sslrootcert={SSL_ROOT_CERT}&sslcert={SSL_CERT}&sslkey={SSL_KEY}"
)

print(DATABASE_URL)

# Create SQLAlchemy engine
engine = create_engine(DATABASE_URL)

# Test connection
try:
    with engine.connect() as connection:
        print("Connected successfully!")
except Exception as e:
    print("Connection failed:", e)


postgresql+psycopg://admin:password@localhost:5432/mydatabase?sslmode=verify-ca&sslrootcert=postgres-tls-certs/ca.crt&sslcert=postgres-tls-certs/client.crt&sslkey=postgres-tls-certs/client.key
Connected successfully!


## Step 7: Clean Up

In [None]:
# Uninstall the Helm release
!helm uninstall postgresql

# Delete the secrets
!kubectl delete secret postgresql-server-certs
!kubectl delete secret postgresql-client-certs

# Remove the certificates directory
!rm -rf postgres-tls-certs

### Explanation of Key Concepts

1. **TLS in PostgreSQL**: TLS ensures secure communication between the PostgreSQL server and clients by encrypting the data.
2. **Helm**: Helm is a package manager for Kubernetes that simplifies the deployment of applications.
3. **Kubernetes Secrets**: Secrets are used to store sensitive information like certificates and keys securely.

### Notes

- Replace the `CN` values in the certificate generation step with your actual domain names.
- Ensure the Kubernetes cluster has sufficient resources to run PostgreSQL.
- For production environments, consider using a managed certificate service (e.g., Let's Encrypt) instead of self-signed certificates.