Charmed PostgreSQL K8s

  • By Canonical Data Platform
Channel Revision Published Runs on
latest/stable 20 20 Sep 2022
Ubuntu 20.04
14/stable 73 18 Apr 2023
Ubuntu 22.04
14/candidate 73 18 Apr 2023
14/beta 73 18 Apr 2023
14/edge 92 Yesterday
juju deploy postgresql-k8s --channel 14/stable
Show information

Platform:

How to enable encryption

Note: The TLS settings here are for self-signed-certificates which are not recommended for production clusters, the tls-certificates-operator charm offers a variety of configurations, read more on the TLS charm here

Enable TLS

# deploy the TLS charm
juju deploy tls-certificates-operator

# add the necessary configurations for TLS
juju config tls-certificates-operator generate-self-signed-certificates="true" ca-common-name="Test CA"

# to enable TLS relate the two applications
juju relate tls-certificates-operator postgresql-k8s

Manage keys

Updates to private keys for certificate signing requests (CSR) can be made via the set-tls-private-key action. Note passing keys to external/internal keys should only be done with base64 -w0 not cat. With three replicas this schema should be followed

  • Generate a shared internal key
openssl genrsa -out internal-key.pem 3072
  • generate external keys for each unit
openssl genrsa -out external-key-0.pem 3072
openssl genrsa -out external-key-1.pem 3072
openssl genrsa -out external-key-2.pem 3072
  • apply both private keys on each unit, shared internal key will be allied only on juju leader
juju run-action postgresql-k8s/0 set-tls-private-key "external-key=$(base64 -w0 external-key-0.pem)"  "internal-key=$(base64 -w0 internal-key.pem)"  --wait
juju run-action postgresql-k8s/1 set-tls-private-key "external-key=$(base64 -w0 external-key-1.pem)"  "internal-key=$(base64 -w0 internal-key.pem)"  --wait
juju run-action postgresql-k8s/2 set-tls-private-key "external-key=$(base64 -w0 external-key-2.pem)"  "internal-key=$(base64 -w0 internal-key.pem)"  --wait
  • updates can also be done with auto-generated keys with
juju run-action postgresql-k8s/0 set-tls-private-key --wait
juju run-action postgresql-k8s/1 set-tls-private-key --wait
juju run-action postgresql-k8s/2 set-tls-private-key --wait

Disable TLS remove the relation

juju remove-relation tls-certificates-operator postgresql-k8s

Help us improve this documentation

Most of this documentation can be collaboratively discussed and changed on the respective topic in the doc category of the Charmhub forum. See the documentation guidelines if you’d like to contribute.

Last updated a month ago. Help improve this document in the forum.