Charmed PostgreSQL K8s

Channel        Revision  Published    Runs on
latest/stable  20        20 Sep 2022  Ubuntu 20.04
14/stable      463       Today        Ubuntu 22.04
14/stable      462       Today        Ubuntu 22.04
14/candidate   463       19 Nov 2024  Ubuntu 22.04
14/candidate   462       19 Nov 2024  Ubuntu 22.04
14/beta        471       10 Dec 2024  Ubuntu 22.04
14/beta        470       10 Dec 2024  Ubuntu 22.04
14/edge        471       29 Nov 2024  Ubuntu 22.04
14/edge        470       29 Nov 2024  Ubuntu 22.04

juju deploy postgresql-k8s --channel 14/stable

Note: All commands are written for juju >= v.3.0

If you are using an earlier version, check the Juju 3.0 Release Notes.

How to enable TLS encryption

Disclaimer: In this guide, we use self-signed certificates provided by the self-signed-certificates operator.

This is not recommended for a production environment.

For production environments, check the collection of Charmhub operators that implement the tls-certificate interface, and choose the one most suitable for your use case.

Enable TLS

Deploy the TLS charm:

juju deploy self-signed-certificates --config ca-common-name="Tutorial CA"

To enable TLS, integrate (formerly known as “relate”) the two applications:

juju integrate postgresql-k8s self-signed-certificates

Manage keys

Private keys used for certificate signing requests (CSRs) can be updated via the set-tls-private-key action. Note that key material passed to the external-key and internal-key parameters must be encoded with base64 -w0, not passed raw with cat.

With three replicas, this schema should be followed:

Generate a shared internal key:

openssl genrsa -out internal-key.pem 3072

Generate external keys for each unit:

openssl genrsa -out external-key-0.pem 3072
openssl genrsa -out external-key-1.pem 3072
openssl genrsa -out external-key-2.pem 3072

Apply both private keys to each unit. The shared internal key will be applied only to the juju leader.

juju run postgresql-k8s/0 set-tls-private-key "external-key=$(base64 -w0 external-key-0.pem)" "internal-key=$(base64 -w0 internal-key.pem)"
juju run postgresql-k8s/1 set-tls-private-key "external-key=$(base64 -w0 external-key-1.pem)" "internal-key=$(base64 -w0 internal-key.pem)"
juju run postgresql-k8s/2 set-tls-private-key "external-key=$(base64 -w0 external-key-2.pem)" "internal-key=$(base64 -w0 internal-key.pem)"
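
The encoding rule above, as an added example that is not part of the charm's documentation: a shell helper that checks a PEM key file, encodes it with base64 -w0, confirms the result is a single line that decodes back to the original bytes, and only then calls the action. The function names and the JUJU override variable are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example; helper names and the JUJU override are hypothetical.

# Print the RSA key size in bits; prints nothing if openssl cannot parse the file.
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p'
}

# Encode a PEM key with base64 -w0 and verify the result before it is used.
encode_key() {
    local pem encoded lines
    pem="$1"
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$pem" || {
        echo "error: $pem has no PEM private-key header" >&2; return 1; }
    encoded="$(base64 -w0 "$pem")" || return 1
    # The action argument is one key=value string, so the value must be one line.
    lines="$(printf '%s\n' "$encoded" | wc -l)"
    [ "$lines" -eq 1 ] || { echo "error: encoded key spans lines" >&2; return 1; }
    # Decoding must give back exactly the bytes of the original file.
    printf '%s' "$encoded" | base64 -d | cmp -s - "$pem" || {
        echo "error: base64 round trip changed $pem" >&2; return 1; }
    printf '%s' "$encoded"
}

# Usage: apply_key UNIT EXTERNAL_PEM INTERNAL_PEM
# Set JUJU=echo (assumed dry-run hook) to review the call instead of running it.
apply_key() {
    local ext int
    ext="$(encode_key "$2")" || return 1
    int="$(encode_key "$3")" || return 1
    "${JUJU:-juju}" run "$1" set-tls-private-key \
        "external-key=$ext" "internal-key=$int"
}
```

Calling key_bits on each file beforehand confirms that openssl parses it as an RSA key of the size you generated (3072 in the commands above).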

Keys can also be updated with auto-generated keys by running the action without parameters:

juju run postgresql-k8s/0 set-tls-private-key
juju run postgresql-k8s/1 set-tls-private-key
juju run postgresql-k8s/2 set-tls-private-key

Disable TLS

You can disable TLS by removing the integration.

juju remove-relation self-signed-certificates postgresql-k8s

Last updated 6 months ago.