Charmed PostgreSQL VM
- Canonical
- Databases
Channel | Revision | Published | Runs on |
---|---|---|---|
latest/stable | 345 | 09 Nov 2023 | |
latest/stable | 239 | 09 Feb 2022 | |
latest/stable | 226 | 01 Apr 2021 | |
14/stable | 468 | 11 Sep 2024 | |
14/stable | 467 | 11 Sep 2024 | |
14/candidate | 468 | 02 Sep 2024 | |
14/candidate | 467 | 02 Sep 2024 | |
14/beta | 516 | Yesterday | |
14/beta | 515 | Yesterday | |
14/edge | 518 | Yesterday | |
14/edge | 517 | Yesterday |
juju deploy postgresql --channel 14/stable
Deploy universal operators easily with Juju, the Universal Operator Lifecycle Manager.
Platform:
Note: All commands are written for juju >= v.3.1
If you’re using juju 2.9
, check the juju 3.0
Release Notes.
How to enable TLS encryption
This guide will show how to enable TLS using the self-signed-certificates
operator as an example.
Self-signed certificates are not recommended for a production environment.
Check this guide for an overview of the TLS certificate charms available.
Summary
- Enable TLS
- Disable TLS
- Manage certificates
- Check certificates in use
- Update keys
Enable TLS
First, deploy the TLS charm:
juju deploy self-signed-certificates
To enable TLS on postgresql
, integrate the two applications:
juju integrate self-signed-certificates postgresql
Disable TLS
You can disable TLS by removing the integration.
juju remove-relation self-signed-certificates postgresql
Manage certificates
Check certificates in use
To check the certificates in use by PostgreSQL, you can run:
openssl s_client -starttls postgres -connect <leader_unit_IP>:<port> | grep issuer
Update keys
Updates to private keys for certificate signing requests (CSR) can be made via the set-tls-private-key
action. Note that passing keys to external/internal keys should only be done with base64 -w0
, not cat
.
With three replicas, this schema should be followed:
Generate a shared internal key:
openssl genrsa -out internal-key.pem 3072
Generate external keys for each unit:
openssl genrsa -out external-key-0.pem 3072
openssl genrsa -out external-key-1.pem 3072
openssl genrsa -out external-key-2.pem 3072
Apply both private keys to each unit. The shared internal key will be applied only to the juju leader.
juju run postgresql/0 set-tls-private-key "external-key=$(base64 -w0 external-key-0.pem)" "internal-key=$(base64 -w0 internal-key.pem)" --wait
juju run postgresql/1 set-tls-private-key "external-key=$(base64 -w0 external-key-1.pem)" "internal-key=$(base64 -w0 internal-key.pem)" --wait
juju run postgresql/2 set-tls-private-key "external-key=$(base64 -w0 external-key-2.pem)" "internal-key=$(base64 -w0 internal-key.pem)" --wait
Updates can also be done with auto-generated keys:
juju run postgresql/0 set-tls-private-key
juju run postgresql/1 set-tls-private-key
juju run postgresql/2 set-tls-private-key