Charmed PostgreSQL VM

Channel Revision Published Runs on
latest/stable 345 09 Nov 2023
Ubuntu 22.04 Ubuntu 20.04 Ubuntu 18.04 Ubuntu 16.04
14/stable 363 21 Feb 2024
Ubuntu 22.04
14/candidate 363 31 Jan 2024
Ubuntu 22.04
14/beta 368 21 Feb 2024
Ubuntu 22.04
14/edge 369 23 Feb 2024
Ubuntu 22.04
juju deploy postgresql --channel 14/stable
Show information

Platform:

Ubuntu
22.04

Enable security with TLS

Transport Layer Security (TLS) is a protocol used to encrypt data exchanged between two applications. Essentially, it secures data transmitted over a network.

Typically, enabling TLS internally within a highly available database or between a highly available database and client/server applications, requires domain-specific knowledge and a high level of expertise. This has all been encoded into Charmed PostgreSQL VM. This means (re-)configuring TLS on Charmed PostgreSQL VM is readily available and requires minimal effort on your end.

Again, integrations come in handy here as TLS is enabled by relating Charmed PostgreSQL VM to the TLS Certificates Charm. The TLS Certificates Charm centralises TLS certificate management consistently and handles operations like providing, requesting, and renewing TLS certificates.

In this section, you will learn how to enable security in your PostgreSQL deployment using TLS encryption.

This is part of the Charmed PostgreSQL VM Tutorial.

Please refer to the Overview for more information.

Note: All commands are written for juju >= v.3.0

If you are using an earlier version, be aware that:

  • juju run replaces juju run-action in juju v.2.9
  • juju integrate replaces juju relate and juju add-relation in juju v.2.9

For more information, check the Juju 3.0 Release Notes.

Configure TLS

Before enabling TLS on Charmed PostgreSQL VM, we must deploy the tls-certificates-operator charm:

juju deploy tls-certificates-operator --config generate-self-signed-certificates="true" --config ca-common-name="Tutorial CA"

Wait until the tls-certificates-operator is up and active, use juju status --watch 1s to monitor the progress:

Model     Controller  Cloud/Region         Version  SLA          Timestamp
tutorial  overlord    localhost/localhost  2.9.42   unsupported  10:31:40+01:00

App                        Version  Status  Scale  Charm                      Channel    Rev  Exposed  Message
postgresql                          active      2  postgresql                 14/stable  281  no       
tls-certificates-operator           active      1  tls-certificates-operator  stable     22   no       

Unit                          Workload  Agent  Machine  Public address  Ports  Message
postgresql/0*                 active    idle   0        10.89.49.129           Primary
postgresql/1                  active    idle   1        10.89.49.197           
tls-certificates-operator/0*  active    idle   4        10.89.49.185           

Machine  State    Address       Inst id        Series  AZ  Message
0        started  10.89.49.129  juju-a8a31d-0  jammy       Running
1        started  10.89.49.197  juju-a8a31d-1  jammy       Running
4        started  10.89.49.185  juju-a8a31d-4  jammy       Running

This tutorial uses self-signed certificates. Self-signed certificates should not be used in a production cluster.

Add external TLS certificate

To enable TLS on Charmed PostgreSQL VM, integrate the two applications:

juju integrate postgresql tls-certificates-operator

Check the TLS certificate in use:

Use openssl to connect to the PostgreSQL and check the TLS certificate in use:

> openssl s_client -starttls postgres -connect 10.89.49.129:5432 | grep Issuer
...
depth=1 C = US, CN = Tutorial CA
verify error:num=19:self-signed certificate in certificate chain
...

Congratulations! PostgreSQL is now using TLS certificate generated by the external application tls-certificates-operator.

Remove external TLS certificate

To remove the external TLS, remove the integration:

juju remove-relation postgresql tls-certificates-operator

Check the TLS certificate in use:

> openssl s_client -starttls postgres -connect 10.89.49.129:5432
...
no peer certificate available
---
No client certificate CA names sent
...

The Charmed PostgreSQL VM application is not using TLS anymore.