# Deploy PostgreSQL with Helm in TLS Mode

### <font color="red"> NOTE: This PostgreSQL setup guide is intended to demonstrate the capabilities of the Feast operator in configuring Feast with PostgreSQL in TLS mode. For ongoing assistance with Postgres setup, we recommend consulting the official Helm PostgreSQL documentation.</font>

## Step 1: Install Prerequisites

Before starting, ensure you have the following installed:
- `kubectl` (Kubernetes CLI)
- `helm` (Helm CLI)
- A Kubernetes cluster (e.g., Minikube, GKE, EKS, or AKS)

**Note:** When deploying PostgreSQL and Feast on a Kubernetes cluster, it's important to ensure that your cluster has sufficient resources to support both applications.

In [1]:
# Verify kubectl and helm are installed
!kubectl version --client
!helm version

Client Version: v1.31.2
Kustomize Version: v5.4.2
version.BuildInfo{Version:"v3.17.0", GitCommit:"301108edc7ac2a8ba79e4ebf5701b0b6ce6a31e4", GitTreeState:"clean", GoVersion:"go1.23.4"}


## Step 2: Add the Bitnami Helm Repository

In [2]:
# Add the Bitnami Helm repository
!helm repo add bitnami https://charts.bitnami.com/bitnami
!helm repo update

"bitnami" already exists with the same configuration, skipping
Hang tight while we grab the latest from your chart repositories...
...Successfully got an update from the "bitnami" chart repository
Update Complete. ⎈Happy Helming!⎈


## Step 3: create kubernetes feast namespace

In [9]:
!kubectl create ns feast
!kubectl config set-context --current --namespace feast

namespace/feast created
Context "kind-kind" modified.


## Step 4: Generate Self Signed TLS Certificates

**Note**: 
- Self signed certificates are used only for demo purpose, consider using a managed certificate service (e.g., Let's Encrypt) instead of self-signed certificates.
- "Replace the `CN` values in the certificate generation step with your actual domain names.",

Delete the directory of existing certificates if you running this demo not first time.

In [10]:
# Delete certificates directory if you are running this example not first time.
!rm -rf postgres-tls-certs

Generate the certificates by executing below scripts. 

In [11]:
# Create a directory for certificates
!mkdir -p postgres-tls-certs

# Generate a CA certificate
!openssl req -new -x509 -days 365 -nodes -out postgres-tls-certs/ca.crt -keyout postgres-tls-certs/ca.key -subj "/CN=PostgreSQL CA"

# Generate a server certificate
!openssl req -new -nodes -out postgres-tls-certs/server.csr -keyout postgres-tls-certs/server.key -subj "/CN=postgresql.feast.svc.cluster.local"
!openssl x509 -req -in postgres-tls-certs/server.csr -days 365 -CA postgres-tls-certs/ca.crt -CAkey postgres-tls-certs/ca.key -CAcreateserial -out postgres-tls-certs/server.crt

# Generate a client certificate
!openssl req -new -nodes -out postgres-tls-certs/client.csr -keyout postgres-tls-certs/client.key -subj "/CN=admin"
!openssl x509 -req -in postgres-tls-certs/client.csr -days 365 -CA postgres-tls-certs/ca.crt -CAkey postgres-tls-certs/ca.key -CAcreateserial -out postgres-tls-certs/client.crt

..+.......+.........+...+.....+......+.......+...+.....+......+.+..+......+.+.....+...+.......+...+..+.+.....+.......+........+.......+......+...........+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.+...+...+........+....+..+...+...+....+...+......+..+..........+..+...+...+...............+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*...+...........+......+..........+..+.+.....+....+......+.....................+...+...+..+...+.......+..+.........+.......+.....+....+........+.+..+.............+......+....................+.........+.+......+.....+.......+........+......................+......+..+...+....+...+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
..+...+......+.+.........+...+......+..+.......+.....+.+..+...+.+...+......+.....+.........+......+.+...........+....+..................+...+.........+...+.....+.+.....+...............+.+......+...+............+...+......+......+........+.+.....+.............+..+.+..+.+.......

## Step 5: Create Kubernetes Secrets for Certificates

In this step, we will create **two Kubernetes secrets** that reference the certificates generated earlier step:

- **`postgresql-server-certs`**  
  This secret contains the server certificates and will be used by the PostgreSQL server.

- **`postgresql-client-certs`**  
  This secret contains the client certificates and will be used by the PostgreSQL client. In our case it will be feast application.

In [12]:
# Create a secret for the server certificates
!kubectl create secret generic postgresql-server-certs   --from-file=ca.crt=./postgres-tls-certs/ca.crt   --from-file=tls.crt=./postgres-tls-certs/server.crt   --from-file=tls.key=./postgres-tls-certs/server.key

# Create a secret for the client certificates
!kubectl create secret generic postgresql-client-certs   --from-file=ca.crt=./postgres-tls-certs/ca.crt   --from-file=tls.crt=./postgres-tls-certs/client.crt   --from-file=tls.key=./postgres-tls-certs/client.key

secret/postgresql-server-certs created
secret/postgresql-client-certs created


## Step 6: Deploy PostgreSQL with Helm

In [3]:
# Helm values for TLS configuration
helm_values = """
tls:
  enabled: true
  certificatesSecret: "postgresql-server-certs"
  certFilename: "tls.crt"
  certKeyFilename: "tls.key"
  certCAFilename: "ca.crt"

volumePermissions:
  enabled: true

# Set fixed PostgreSQL credentials

global:
  postgresql:
    auth:
      username: admin
      password: password
      database: feast
"""

# Write the values to a file
with open("values.yaml", "w") as f:
    f.write(helm_values)

# Install PostgreSQL with Helm
!helm install postgresql bitnami/postgresql --version 16.4.9 -f values.yaml -n feast 

NAME: postgresql
LAST DEPLOYED: Tue Feb 25 08:12:21 2025
NAMESPACE: feast
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
CHART NAME: postgresql
CHART VERSION: 16.4.9
APP VERSION: 17.3.0

Did you know there are enterprise versions of the Bitnami catalog? For enhanced secure software supply chain features, unlimited pulls from Docker, LTS support, or application customization, see Bitnami Premium or Tanzu Application Catalog. See https://www.arrow.com/globalecs/na/vendors/bitnami for more information.

** Please be patient while the chart is being deployed **

PostgreSQL can be accessed via port 5432 on the following DNS names from within your cluster:

    postgresql.feast.svc.cluster.local - Read/Write connection

To get the password for "postgres" run:

    export POSTGRES_ADMIN_PASSWORD=$(kubectl get secret --namespace feast postgresql -o jsonpath="{.data.postgres-password}" | base64 -d)

To get the password for "admin" run:

    export POSTGRES_PASSWORD=$(kubectl get secret --

## Step 7: Verify the postgres Deployment

In [15]:
# Wait for the status of the PostgreSQL pod to be in Ready status.
!kubectl wait --for=condition=Ready pod -l app.kubernetes.io/name=postgresql --timeout=60s

# Insert an empty line in the output for verbocity.
print()

# display the pod status.
!kubectl get pods -l app.kubernetes.io/name=postgresql

# Insert an empty line in the output for verbocity.
print()

# check if the ssl is on and the path to certificates is configured.
!kubectl exec postgresql-0 -- cat /opt/bitnami/postgresql/conf/postgresql.conf | grep ssl

# Insert an empty line in the output for verbocity.
print()

# Connect to PostgreSQL using TLS (non-interactive mode)
!kubectl exec postgresql-0 -- env PGPASSWORD=password psql -U admin -d feast -c '\l'


pod/postgresql-0 condition met

NAME           READY   STATUS    RESTARTS   AGE
postgresql-0   1/1     Running   0          14s

Defaulted container "postgresql" out of: postgresql, init-chmod-data (init)
ssl = 'on'
ssl_ca_file = '/opt/bitnami/postgresql/certs/ca.crt'
ssl_cert_file = '/opt/bitnami/postgresql/certs/tls.crt'
#ssl_crl_file = ''
#ssl_crl_dir = ''
ssl_key_file = '/opt/bitnami/postgresql/certs/tls.key'
#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL'	# allowed SSL ciphers
#ssl_prefer_server_ciphers = on
#ssl_ecdh_curve = 'prime256v1'
#ssl_min_protocol_version = 'TLSv1.2'
#ssl_max_protocol_version = ''
#ssl_dh_params_file = ''
#ssl_passphrase_command = ''
#ssl_passphrase_command_supports_reload = off

Defaulted container "postgresql" out of: postgresql, init-chmod-data (init)
                                                     List of databases
   Name    |  Owner   | Encoding | Locale Provider |   Collate   |    Ctype    | Locale | ICU Rules |   Access privileges   
-----------+--

## Step 8: Port forwarding in the terminal for the connection testing using python

**Note:** If you do not intend to test the PostgreSQL connection from outside the Kubernetes cluster, you can skip the remaining steps.

**Note:**
To test a connection to a PostgreSQL database outside of your Kubernetes cluster, you'll need to execute the following command in your system's terminal window. This is necessary because Jupyter Notebook does not support running commands in a separate thread.

kubectl port-forward svc/postgresql 5432:5432

## Step 9: Check the connection using Python sql alchemy

In [8]:
# Define database connection parameters
DB_USER = "admin"
DB_PASSWORD = "password"
DB_HOST = "localhost"
DB_PORT = "5432"
DB_NAME = "feast"

# TLS Certificate Paths
SSL_CERT = "postgres-tls-certs/client.crt"
SSL_KEY = "postgres-tls-certs/client.key"
SSL_ROOT_CERT = "postgres-tls-certs/ca.crt"

import os
os.environ["FEAST_CA_CERT_FILE_PATH"] = "postgres-tls-certs/ca.crt"

from sqlalchemy import create_engine
# Create SQLAlchemy connection string
DATABASE_URL = (
    f"postgresql+psycopg://{DB_USER}:{DB_PASSWORD}@{DB_HOST}:{DB_PORT}/{DB_NAME}?"
    f"sslmode=verify-ca&sslrootcert={SSL_ROOT_CERT}&sslcert={SSL_CERT}&sslkey={SSL_KEY}"
)

print(DATABASE_URL)

# Create SQLAlchemy engine
engine = create_engine(DATABASE_URL)

# Test connection
try:
    with engine.connect() as connection:
        print("Connected successfully!")
except Exception as e:
    print("Connection failed: Make sure that port forwarding step is done in the terminal.", e)


postgresql+psycopg://admin:password@localhost:5432/feast?sslmode=verify-ca&sslrootcert=postgres-tls-certs/ca.crt&sslcert=postgres-tls-certs/client.crt&sslkey=postgres-tls-certs/client.key
Connected successfully!
