Charmed PostgreSQL K8s
- By Canonical Data Platform
- Databases
| Channel | Revision | Published | Runs on |
|---|---|---|---|
| latest/stable | 20 | 20 Sep 2022 | |
| 14/stable | 193 | 13 Mar 2024 | |
| 14/candidate | 193 | 31 Jan 2024 | |
| 14/beta | 211 | 13 Mar 2024 | |
| 14/edge | 237 | 16 Apr 2024 |
juju deploy postgresql-k8s --channel 14/stable
Deploy Kubernetes operators easily with Juju, the Universal Operator Lifecycle Manager. Need a Kubernetes cluster? Install MicroK8s to create a full CNCF-certified Kubernetes system in under 60 seconds.
Platform:
Charmed PostgreSQL K8s Tutorial > 6. Enable security
Enable security with TLS
Transport Layer Security (TLS) is a protocol used to encrypt data exchanged between two applications. Essentially, it secures data transmitted over a network.
Typically, enabling TLS internally within a highly available database or between a highly available database and client/server applications, requires domain-specific knowledge and a high level of expertise. This has all been encoded into Charmed PostgreSQL K8s. This means (re-)configuring TLS on Charmed PostgreSQL K8s is readily available and requires minimal effort on your end.
Again, integrations come in handy here as TLS is enabled by relating Charmed PostgreSQL K8s to the Self Signed Certificates Charm. This charm centralises TLS certificate management consistently and handles operations like providing, requesting, and renewing TLS certificates.
In this part of the tutorial, you will learn how to enable security in your PostgreSQL deployment using TLS encryption.
Self-signed certificates are not recommended for a production environment.
Check this guide for an overview of the TLS certificates charms available.
Configure TLS
Before enabling TLS on Charmed PostgreSQL K8s, we must deploy the self-signed-certificates charm:
juju deploy self-signed-certificates --config ca-common-name="Tutorial CA"
Wait until the self-signed-certificates is up and active by using juju status --watch 1s to monitor the deployment status
Model Controller Cloud/Region Version SLA Timestamp
tutorial charm-dev microk8s/localhost 3.1.7 unsupported 12:18:05+01:00
App Version Status Scale Charm Channel Rev Address Exposed Message
postgresql-k8s active 2 postgresql-k8s 14/stable 56 10.152.183.167 no
self-signed-certificates active 1 self-signed-certificates stable 72 10.152.183.138 no
Unit Workload Agent Address Ports Message
postgresql-k8s/0* active idle 10.1.188.206 Primary
postgresql-k8s/1 active idle 10.1.188.209
self-signed-certificates/0* active idle 10.1.188.212
Add external TLS certificate
To enable TLS on Charmed PostgreSQL K8s, integrate the two applications:
juju integrate postgresql-k8s self-signed-certificates
Check the TLS certificate in use:
Use openssl to connect to the PostgreSQL and check the TLS certificate in use:
> openssl s_client -starttls postgres -connect 10.1.188.206:5432 | grep Issuer
...
depth=1 C = US, CN = Tutorial CA
verify error:num=19:self-signed certificate in certificate chain
...
Congratulations! PostgreSQL is now using TLS certificate generated by the external application tls-certificates-operator.
Remove external TLS certificate
To remove the external TLS, remove the integration:
juju remove-relation postgresql-k8s self-signed-certificates
Check the TLS certificate in use:
> openssl s_client -starttls postgres -connect 10.1.188.206:5432
...
no peer certificate available
---
No client certificate CA names sent
...
The Charmed PostgreSQL K8s application is not using TLS anymore.