Charmed OpenSearch

Channel Revision Published Runs on
2/edge 66 26 Apr 2024
Ubuntu 22.04
juju deploy opensearch --channel 2/edge
Show information

Learn to deploy on juju >

Platform:

Ubuntu
22.04

Relevant links

Discuss this charm

Share your thoughts on this charm with the community on discourse.

Join the discussion

Transport Layer Security (TLS)

TLS is used to encrypt data exchanged between two applications; it secures data transmitted over the network. Typically, enabling TLS within a highly available database, and between a highly available database and client/server applications, requires domain-specific knowledge and a high level of expertise. Fortunately, the domain-specific knowledge has been encoded into Charmed OpenSearch. This means enabling TLS on Charmed Opensearch is easily available and requires minimal effort on your end.

TLS is mandatory for OpenSearch deployments because nodes in an OpenSearch cluster require TLS to communicate with each other securely. Therefore, the OpenSearch charm will be in a blocked state until TLS is configured. Since TLS certificates are already being prepared for internal communication between OpenSearch nodes, we make use of the same certificate for external communications with the REST API. Therefore, TLS must be configured before connecting to the charm.

TLS is enabled via relations, by relating Charmed OpenSearch to the TLS Certificates Charm. The TLS Certificates Charm centralises TLS certificate management in a consistent manner and handles providing, requesting, and renewing TLS certificates.

Configure TLS

Before enabling TLS on Charmed OpenSearch we must first deploy the tls-certificates-operator charm:

juju deploy tls-certificates-operator

Wait until the tls-certificates-operator is ready to be configured. When it is ready to be configured watch -c juju status --color will show:

Model     Controller       Cloud/Region         Version  SLA          Timestamp
tutorial  opensearch-demo  localhost/localhost  2.9.42   unsupported  15:16:43Z

App                        Version  Status   Scale  Charm                      Channel  Rev  Exposed  Message
opensearch                          blocked      1  opensearch                 edge      22  no       Waiting for TLS to be fully configured...
tls-certificates-operator           blocked      1  tls-certificates-operator  stable    22  no       Configuration options missing: ['certificate', 'ca-certificate']

Unit                          Workload  Agent  Machine  Public address  Ports  Message
opensearch/0*                 blocked   idle   0        10.180.162.97          Waiting for TLS to be fully configured...
tls-certificates-operator/0*  blocked   idle   1        10.180.162.44          Configuration options missing: ['certificate', 'ca-certificate']

Machine  State    Address        Inst id        Series  AZ  Message
0        started  10.180.162.97  juju-3305a8-0  jammy       Running
1        started  10.180.162.44  juju-3305a8-1  jammy       Running

Now we can configure the TLS certificates. Configure the tls-certificates-operator to use self signed certificates:

juju config tls-certificates-operator generate-self-signed-certificates="true" ca-common-name="Tutorial CA"

Note: this tutorial uses self-signed certificates; self-signed certificates should not be used in a production cluster. To set the correct certificates, see the TLS operator documentation.

Enable TLS

After configuring the certificates juju status will show the status of tls-certificates-operator as active. To enable TLS on Charmed OpenSearch, relate the two applications:

juju relate tls-certificates-operator opensearch

The OpenSearch service will start, and the output of juju status --relations should now resemble the following:

Model     Controller       Cloud/Region         Version  SLA          Timestamp
tutorial  opensearch-demo  localhost/localhost  2.9.42   unsupported  15:24:18Z

App                        Version  Status  Scale  Charm                      Channel  Rev  Exposed  Message
opensearch                          active      1  opensearch                 edge      22  no
tls-certificates-operator           active      1  tls-certificates-operator  stable    22  no

Unit                          Workload  Agent  Machine  Public address  Ports  Message
opensearch/0*                 active    idle   0        10.180.162.97
tls-certificates-operator/0*  active    idle   1        10.180.162.44

Machine  State    Address        Inst id        Series  AZ  Message
0        started  10.180.162.97  juju-3305a8-0  jammy       Running
1        started  10.180.162.44  juju-3305a8-1  jammy       Running

Relation provider                       Requirer                            Interface                 Type     Message
opensearch:opensearch-peers             opensearch:opensearch-peers         opensearch_peers          peer
opensearch:service                      opensearch:service                  rolling_op                peer
tls-certificates-operator:certificates  opensearch:certificates             tls-certificates          regular
tls-certificates-operator:replicas      tls-certificates-operator:replicas  tls-certificates-replica  peer

Next Steps

The next stage in this tutorial is about connecting to and using the OpenSearch charm, and can be found here.

Help improve this document in the forum (guidelines). Last updated 1 year, 22 days ago.