Charmed PostgreSQL VM

Channel Revision Published Runs on
latest/stable 345 09 Nov 2023
Ubuntu 22.04 Ubuntu 20.04 Ubuntu 18.04 Ubuntu 16.04 Ubuntu 14.04
latest/stable 239 09 Feb 2022
Ubuntu 22.04 Ubuntu 20.04 Ubuntu 18.04 Ubuntu 16.04 Ubuntu 14.04
latest/stable 226 01 Apr 2021
Ubuntu 22.04 Ubuntu 20.04 Ubuntu 18.04 Ubuntu 16.04 Ubuntu 14.04
14/stable 468 11 Sep 2024
Ubuntu 22.04
14/stable 467 11 Sep 2024
Ubuntu 22.04
14/candidate 468 02 Sep 2024
Ubuntu 22.04
14/candidate 467 02 Sep 2024
Ubuntu 22.04
14/beta 502 23 Oct 2024
Ubuntu 22.04
14/beta 503 23 Oct 2024
Ubuntu 22.04
14/edge 516 Yesterday
Ubuntu 22.04
14/edge 515 Yesterday
Ubuntu 22.04
juju deploy postgresql --channel 14/stable
Show information

Platform:

Ubuntu
22.04 20.04 18.04 16.04 14.04

Note: All commands are written for juju >= v.3.1

If you’re using juju 2.9, check the juju 3.0 Release Notes.

How to enable TLS encryption

This guide will show how to enable TLS using the self-signed-certificates operator as an example.

Self-signed certificates are not recommended for a production environment.

Check this guide for an overview of the TLS certificate charms available.

Summary

  • Enable TLS
  • Disable TLS
  • Manage certificates
    • Check certificates in use
    • Update keys

Enable TLS

First, deploy the TLS charm:

juju deploy self-signed-certificates

To enable TLS on postgresql, integrate the two applications:

juju integrate self-signed-certificates postgresql

Disable TLS

You can disable TLS by removing the integration.

juju remove-relation self-signed-certificates postgresql

Manage certificates

Check certificates in use

To check the certificates in use by PostgreSQL, you can run:

openssl s_client -starttls postgres -connect <leader_unit_IP>:<port> | grep issuer

Update keys

Updates to private keys for certificate signing requests (CSR) can be made via the set-tls-private-key action. Note that passing keys to external/internal keys should only be done with base64 -w0, not cat.

With three replicas, this schema should be followed:

Generate a shared internal key:

openssl genrsa -out internal-key.pem 3072

Generate external keys for each unit:

openssl genrsa -out external-key-0.pem 3072
openssl genrsa -out external-key-1.pem 3072
openssl genrsa -out external-key-2.pem 3072

Apply both private keys to each unit. The shared internal key will be applied only to the juju leader.

juju run postgresql/0 set-tls-private-key "external-key=$(base64 -w0 external-key-0.pem)"  "internal-key=$(base64 -w0 internal-key.pem)"  --wait
juju run postgresql/1 set-tls-private-key "external-key=$(base64 -w0 external-key-1.pem)"  "internal-key=$(base64 -w0 internal-key.pem)"  --wait
juju run postgresql/2 set-tls-private-key "external-key=$(base64 -w0 external-key-2.pem)"  "internal-key=$(base64 -w0 internal-key.pem)"  --wait

Updates can also be done with auto-generated keys:

juju run postgresql/0 set-tls-private-key
juju run postgresql/1 set-tls-private-key
juju run postgresql/2 set-tls-private-key