Charmed PostgreSQL


Enable Security in your PostgreSQL deployment

This is part of the Charmed PostgreSQL Tutorial. Please refer to this page for more information and the overview of the content.

Transport Layer Security (TLS)

TLS encrypts and authenticates the traffic between two applications, protecting data in transit over the network. Typically, enabling TLS within a highly available database, and between that database and its client/server applications, requires domain-specific knowledge and a high level of expertise. Fortunately, that knowledge has been encoded into Charmed PostgreSQL, so (re-)configuring TLS on Charmed PostgreSQL is readily available and requires minimal effort on your end.

Again, relations come in handy here, as TLS is enabled via relations; i.e. by relating Charmed PostgreSQL to a TLS certificates charm (tls-certificates-operator in this tutorial). The TLS certificates charm centralises certificate management in a consistent manner: it handles providing, requesting, and renewing the TLS certificates for the applications related to it.

Configure TLS

Before enabling TLS on Charmed PostgreSQL we must first deploy the tls-certificates-operator charm:

juju deploy tls-certificates-operator --config generate-self-signed-certificates="true" --config ca-common-name="Tutorial CA"

Wait until tls-certificates-operator is up and active; use juju status --watch 1s to monitor the progress:

Model     Controller  Cloud/Region         Version  SLA          Timestamp
tutorial  overlord    localhost/localhost  2.9.42   unsupported  10:31:40+01:00

App                        Version  Status  Scale  Charm                      Channel    Rev  Exposed  Message
postgresql                          active      2  postgresql                 14/stable  281  no       
tls-certificates-operator           active      1  tls-certificates-operator  stable     22   no       

Unit                          Workload  Agent  Machine  Public address  Ports  Message
postgresql/0*                 active    idle   0        10.89.49.129           Primary
postgresql/1                  active    idle   1        10.89.49.197           
tls-certificates-operator/0*  active    idle   4        10.89.49.185           

Machine  State    Address       Inst id        Series  AZ  Message
0        started  10.89.49.129  juju-a8a31d-0  jammy       Running
1        started  10.89.49.197  juju-a8a31d-1  jammy       Running
4        started  10.89.49.185  juju-a8a31d-4  jammy       Running

Note: this tutorial uses self-signed certificates. They are convenient for a tutorial, but should not be used in a production cluster, where certificates should be issued by a CA that your clients already trust so that they can verify the server's identity.

Add external TLS certificate

To enable TLS on Charmed PostgreSQL, relate the two applications:

juju relate postgresql tls-certificates-operator

Use openssl to connect to PostgreSQL and check the TLS certificate in use:

> openssl s_client -starttls postgres -connect 10.89.49.129:5432 | grep Issuer
...
depth=1 C = US, CN = Tutorial CA
verify error:num=19:self-signed certificate in certificate chain
...

Congratulations! PostgreSQL is now serving a TLS certificate issued by the external application tls-certificates-operator. The depth=1 line names the issuing CA ("Tutorial CA"), and the verify error 19 is expected here: openssl does not trust the self-signed tutorial CA because it is not in the local trust store. (The depth/verify lines are written to openssl's stderr, so they appear regardless of the grep.) Pass the CA certificate with -CAfile to make verification succeed; clients should likewise be configured to verify the server against that CA rather than merely encrypting.

Remove external TLS certificate

To remove the external TLS certificate, remove the relation between the two applications:

juju remove-relation postgresql tls-certificates-operator

Check the TLS certificate in use:

> openssl s_client -starttls postgres -connect 10.89.49.129:5432
...
no peer certificate available
---
No client certificate CA names sent
...

The Charmed PostgreSQL application no longer offers TLS. Clients configured to require it (libpq sslmode=require or stricter) will fail to connect until the relation is restored, while clients using sslmode=prefer or lower silently fall back to unencrypted connections.
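The two openssl checks above (a server offering a Tutorial CA certificate, and a server answering "no peer certificate available" after the relation is removed) both rely on the PostgreSQL wire protocol's SSLRequest handshake, which is what -starttls postgres implements. The following added example, written for this tutorial and not part of the Charmed PostgreSQL project or its documentation, performs that negotiation directly: it sends the SSLRequest packet, handles the 'N' (TLS refused) reply, and otherwise completes a TLS handshake that verifies the chain against a CA file, i.e. what a client with sslmode=verify-full does. The unit address, the CA file name tutorial-ca.pem, and the hostname passed for verification are assumptions for illustration; the plaintext-only server used in the demonstration is constructed in-process.

```python
# Added example for this tutorial (not code from the Charmed PostgreSQL
# project): probe a PostgreSQL endpoint for TLS the way
# `openssl s_client -starttls postgres` does, by sending the wire protocol's
# SSLRequest packet, and verify the certificate against a CA file.
# Host, port and CA path used under __main__ are assumptions for illustration.
import socket
import ssl
import struct
import threading
from typing import Optional

# SSLRequest code from the PostgreSQL frontend/backend protocol:
# most significant 16 bits 1234, least significant 16 bits 5679.
SSL_REQUEST_CODE = (1234 << 16) | 5679


def ssl_request_message() -> bytes:
    """8-byte SSLRequest packet: Int32 length (8) followed by the Int32 request code."""
    return struct.pack("!II", 8, SSL_REQUEST_CODE)


def parse_ssl_response(reply: bytes) -> bool:
    """The server answers with one byte: 'S' to start TLS, 'N' to refuse it."""
    if reply == b"S":
        return True
    if reply == b"N":
        return False
    raise ValueError(f"unexpected SSLRequest reply: {reply!r}")


def issuer_common_name(peercert: dict) -> Optional[str]:
    """Extract the CN from the issuer RDN sequence returned by getpeercert()."""
    for rdn in peercert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def probe_tls(sock: socket.socket, server_hostname: str, cafile: str) -> Optional[dict]:
    """Run the STARTTLS-style negotiation on an already-connected socket.

    Returns None when the server replies 'N' (plaintext only, the state after
    `juju remove-relation postgresql tls-certificates-operator`). Otherwise it
    completes a TLS handshake that verifies the chain against `cafile` and the
    hostname against the certificate (libpq sslmode=verify-full semantics).
    A self-signed tutorial CA is not in the system trust store, so it must be
    supplied here explicitly; that is what openssl's 'verify error:num=19'
    is complaining about.
    """
    sock.sendall(ssl_request_message())
    if not parse_ssl_response(sock.recv(1)):
        return None
    ctx = ssl.create_default_context(cafile=cafile)  # trusts only the given CA
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with ctx.wrap_socket(sock, server_hostname=server_hostname) as tls:
        cert = tls.getpeercert()
        return {
            "version": tls.version(),
            "cipher": tls.cipher()[0],
            "issuer_cn": issuer_common_name(cert),
            "not_after": cert.get("notAfter"),
        }


def probe_endpoint(host: str, port: int, cafile: str, timeout: float = 5.0) -> Optional[dict]:
    """Connect to host:port and probe it; None means the server refused TLS."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return probe_tls(sock, host, cafile)


def fake_plaintext_only_server() -> socket.socket:
    """Constructed stand-in for a server with TLS disabled (no database needed).

    Returns the client end of a socket pair; a background thread reads the
    8-byte SSLRequest and answers 'N', as PostgreSQL does when ssl=off.
    """
    client, server = socket.socketpair()

    def serve() -> None:
        with server:
            server.recv(8)
            server.sendall(b"N")

    threading.Thread(target=serve, daemon=True).start()
    return client


if __name__ == "__main__":
    # Offline demonstration of the refusal path seen after removing the relation.
    with fake_plaintext_only_server() as sock:
        print("fake server:", probe_tls(sock, "postgresql", "tutorial-ca.pem"))  # None

    # Against a live unit (address and CA path are assumptions):
    #   print(probe_endpoint("10.89.49.129", 5432, "tutorial-ca.pem"))
```

Because the context is built with create_default_context(cafile=...), hostname checking stays on: the name or IP you pass as server_hostname must appear in the certificate's subject alternative names, otherwise the handshake fails with a certificate error. That failure is the correct outcome for a verify-full client, and distinguishes "encrypted" from "encrypted and talking to the right server", which is the property a production deployment needs from a trusted CA.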

