Charmed PostgreSQL K8s
juju deploy postgresql-k8s --channel 14/stable
Transport Layer Security (TLS) is a protocol used to encrypt data exchanged between two applications. Essentially, it secures data transmitted over a network.
Typically, enabling TLS internally within a highly available database, or between a highly available database and client/server applications, requires domain-specific knowledge and a high level of expertise. This has all been encoded into Charmed PostgreSQL K8s, so (re-)configuring TLS on Charmed PostgreSQL K8s is readily available and requires minimal effort on your end.
Again, integrations come in handy here as TLS is enabled by relating Charmed PostgreSQL K8s to the TLS Certificates Charm. The TLS Certificates Charm centralises TLS certificate management consistently and handles operations like providing, requesting, and renewing TLS certificates.
In this section, you will learn how to enable security in your PostgreSQL deployment using TLS encryption.
This is part of the Charmed PostgreSQL K8s Tutorial.
Please refer to the Overview for more information.
Note: All commands are written for juju >= v.3.0.
If you are using an earlier version, be aware that:
juju run-action --waitin
For more information, check the Juju 3.0 Release Notes.
Before enabling TLS on Charmed PostgreSQL K8s, we must deploy the
juju deploy tls-certificates-operator --config generate-self-signed-certificates="true" --config ca-common-name="Tutorial CA"
Wait until the tls-certificates-operator is up and active. Use juju status --watch 1s to monitor the progress:
Model     Controller  Cloud/Region        Version  SLA          Timestamp
tutorial  charm-dev   microk8s/localhost  2.9.42   unsupported  12:18:05+01:00

App                        Version  Status   Scale  Charm                      Channel    Rev  Address         Exposed  Message
postgresql-k8s                      active       2  postgresql-k8s             14/stable   56  10.152.183.167  no
tls-certificates-operator           waiting      1  tls-certificates-operator  stable      22  10.152.183.138  no       installing agent

Unit                          Workload  Agent  Address       Ports  Message
postgresql-k8s/0*             active    idle   10.1.188.206         Primary
postgresql-k8s/1              active    idle   10.1.188.209
tls-certificates-operator/0*  active    idle   10.1.188.212
This tutorial uses self-signed certificates. Self-signed certificates should not be used in a production cluster.
To enable TLS on Charmed PostgreSQL K8s, integrate the two applications:
juju integrate postgresql-k8s tls-certificates-operator
Use openssl to connect to PostgreSQL and check the TLS certificate in use:
> openssl s_client -starttls postgres -connect 10.1.188.206:5432 | grep Issuer
depth=1 C = US, CN = Tutorial CA
verify error:num=19:self-signed certificate in certificate chain
Congratulations! PostgreSQL is now using a TLS certificate generated by the external application
To remove the external TLS, remove the integration:
juju remove-relation postgresql-k8s tls-certificates-operator
> openssl s_client -starttls postgres -connect 10.1.188.206:5432
no peer certificate available
No client certificate CA names sent
The Charmed PostgreSQL K8s application is not using TLS anymore.
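The two openssl checks above (after integrating and after removing the relation) can be turned into a repeatable check. The script below is an added example, not part of the tutorial or the charm: the function names tls_state and check_tls are hypothetical, and the sample inputs are constructed from the output lines quoted on this page plus the "Verify return code: 0 (ok)" line that openssl s_client prints when a chain verifies.

```shell
#!/bin/sh
# Added example, not from the tutorial: classify `openssl s_client` output.

# Reads s_client output on stdin and prints one of:
#   plaintext                      server sent no certificate (TLS is off)
#   tls-untrusted error=N ca=".."  certificate sent, chain not trusted by this client
#   tls-verified ca=".."           certificate sent and chain verified
#   unknown                        none of the expected lines were found
tls_state() {
    awk '
        /no peer certificate available/ { plain = 1 }
        # "depth=N <subject>": the highest depth seen is the top of the chain.
        /^depth=[0-9]+ / {
            d = $1; sub(/^depth=/, "", d)
            if (d + 0 >= top) { top = d + 0; ca = $0; sub(/^depth=[0-9]+ /, "", ca) }
        }
        # Keep the first verify error number, e.g. 19 for a self-signed CA.
        /^verify error:num=[0-9]+:/ {
            if (err == "") { split($0, f, ":"); err = f[2]; sub(/^num=/, "", err) }
        }
        /Verify return code: 0 \(ok\)/ { ok = 1 }
        END {
            if (plain)          print "plaintext"
            else if (err != "") print "tls-untrusted error=" err " ca=\"" ca "\""
            else if (ok)        print "tls-verified ca=\"" ca "\""
            else                print "unknown"
        }'
}

# Live check. $1 is host:port, e.g. a unit address from juju status.
# The depth/verify lines go to stderr, so merge it; </dev/null ends the session.
check_tls() {
    openssl s_client -starttls postgres -connect "$1" </dev/null 2>&1 | tls_state
}

# Constructed samples, copied from the output lines quoted in the tutorial.
sample_tls() {
    printf '%s\n' 'depth=1 C = US, CN = Tutorial CA' \
        'verify error:num=19:self-signed certificate in certificate chain'
}
sample_plain() {
    printf '%s\n' 'no peer certificate available' \
        'No client certificate CA names sent'
}

# Run against a real endpoint only when one is given on the command line.
if [ "$#" -gt 0 ]; then check_tls "$1"; fi
```

With the tutorial's self-signed CA, tls-untrusted error=19 is the expected result after juju integrate, and plaintext is the expected result after juju remove-relation.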