Charmed PostgreSQL
- By Canonical Data Platform
- Databases
| Channel | Revision | Published | Runs on |
|---|---|---|---|
| latest/stable | 290 | 19 Apr 2023 | |
| 14/stable | 288 | 18 Apr 2023 | |
| 14/candidate | 288 | 18 Apr 2023 | |
| 14/beta | 288 | 18 Apr 2023 | |
| 14/edge | 297 | 19 May 2023 |
juju deploy postgresql --channel 14/stable
You will need Juju 2.9 to be able to run this command. Learn how to upgrade to Juju 2.9.
Deploy universal operators easily with Juju, the Universal Operator Lifecycle Manager.
Platform:
Enable Security in your PostgreSQL deployment
This is part of the Charmed PostgreSQL Tutorial. Please refer to this page for more information and the overview of the content.
Transport Layer Security (TLS)
TLS is used to encrypt data exchanged between two applications; it secures data transmitted over the network. Typically, enabling TLS within a highly available database, and between a highly available database and client/server applications, requires domain-specific knowledge and a high level of expertise. Fortunately, the domain-specific knowledge has been encoded into Charmed PostgreSQL. This means (re-)configuring TLS on Charmed PostgreSQL is readily available and requires minimal effort on your end.
Again, relations come in handy here as TLS is enabled via relations; i.e. by relating Charmed PostgreSQL to the TLS Certificates Charm. The TLS Certificates Charm centralises TLS certificate management in a consistent manner and handles providing, requesting, and renewing TLS certificates.
Configure TLS
Before enabling TLS on Charmed PostgreSQL we must first deploy the tls-certificates-operator charm:
juju deploy tls-certificates-operator --config generate-self-signed-certificates="true" --config ca-common-name="Tutorial CA"
Wait until the tls-certificates-operator is up and active, use juju status --watch 1s to monitor the progress:
Model Controller Cloud/Region Version SLA Timestamp
tutorial overlord localhost/localhost 2.9.42 unsupported 10:31:40+01:00
App Version Status Scale Charm Channel Rev Exposed Message
postgresql active 2 postgresql 14/stable 281 no
tls-certificates-operator active 1 tls-certificates-operator stable 22 no
Unit Workload Agent Machine Public address Ports Message
postgresql/0* active idle 0 10.89.49.129 Primary
postgresql/1 active idle 1 10.89.49.197
tls-certificates-operator/0* active idle 4 10.89.49.185
Machine State Address Inst id Series AZ Message
0 started 10.89.49.129 juju-a8a31d-0 jammy Running
1 started 10.89.49.197 juju-a8a31d-1 jammy Running
4 started 10.89.49.185 juju-a8a31d-4 jammy Running
Note: this tutorial uses self-signed certificates; self-signed certificates should not be used in a production cluster.
To enable TLS on Charmed PostgreSQL, relate the two applications:
juju relate postgresql tls-certificates-operator
Add external TLS certificate
Use openssl to connect to the PostgreSQL and check the TLS certificate in use:
> openssl s_client -starttls postgres -connect 10.89.49.129:5432 | grep Issuer
...
depth=1 C = US, CN = Tutorial CA
verify error:num=19:self-signed certificate in certificate chain
...
Congratulations! PostgreSQL is now using TLS certificate generated by the external application tls-certificates-operator.
Remove external TLS certificate
To remove the external TLS certificate, unrelate applications:
juju remove-relation postgresql tls-certificates-operator
Check the TLS certificate in use:
> openssl s_client -starttls postgres -connect 10.89.49.129:5432
...
no peer certificate available
---
No client certificate CA names sent
...
The Charmed PostgreSQL application is not using TLS anymore.
Help us improve this documentation
Most of this documentation can be collaboratively discussed and changed on the respective topic in the doc category of the Charmhub forum. See the documentation guidelines if you’d like to contribute.