OpenSearch
- By Canonical Data Platform
- Databases
Channel | Revision | Published | Runs on |
---|---|---|---|
2/stable | 168 | 24 Sep 2024 | |
2/candidate | 168 | 24 Sep 2024 | |
2/beta | 168 | 24 Sep 2024 | |
2/edge | 172 | Yesterday |
juju deploy opensearch --channel 2/stable
Deploy universal operators easily with Juju, the Universal Operator Lifecycle Manager.
Platform:
How to enable TLS encryption
This guide will show how to enable TLS using the self-signed-certificates
operator as an example.
Self-signed certificates are not recommended for a production environment.
Check this guide for an overview of the signed and self-signed certificate charms available.
Summary
Enable TLS
First, deploy the TLS charm and configure the name of the Certificate Authority:
juju deploy self-signed-certificates --config ca-common-name="My CA"
To enable TLS on Charmed OpenSearch, integrate the two applications:
juju integrate self-signed-certificates opensearch
After the deployment has settled, you can see the relation by running juju status --relations
.
Disable TLS
TLS is a requirement for Charmed OpenSearch, therefore TLS should not be disabled.
Manage certificates
Check certificates in use
To check the certificates in use by OpenSearch, you can run:
openssl s_client -showcerts -connect `leader_unit_IP:port` < /dev/null | grep issuer
Update keys
Updates to private keys for certificate signing requests (CSR) can be made via the set-tls-private-key
action. Charmed OpenSearch uses three types of certificates:
app-admin
: used for administrative actions on opensearchunit-transport
: used for internal communication between opensearch nodesunit-http
: used for external communication between opensearch and clients (users or applications)
The private key for app-admin
can only be applied on the leader-unit.
Updates to each of these can be done with auto-generated keys:
juju run opensearch/leader set-tls-private-key category=app-admin
juju run opensearch/leader set-tls-private-key category=unit-transport
juju run opensearch/leader set-tls-private-key category=unit-http
It is also possible to use self-generated keys:
openssl genrsa -out unit-http.pem 3072
openssl genrsa -out unit-transport.pem 3072
openssl genrsa -out app-admin.pem 3072
Apply the private key for app-admin
to the juju leader:
juju run opensearch/leader set-tls-private-key category=app-admin key="$(base64 -w0 app-admin.pem)"
Apply the private keys for unit-transport
and unit-http
to all units (including the leader):
juju run opensearch/leader set-tls-private-key category=unit-http key="$(base64 -w0 unit-http.pem)"
juju run opensearch/leader set-tls-private-key category=unit-transport key="$(base64 -w0 unit-transport.pem)"