Charmed PostgreSQL VM
- Canonical
- Databases
Channel | Revision | Published | Runs on |
---|---|---|---|
latest/stable | 345 | 09 Nov 2023 | |
latest/stable | 239 | 09 Feb 2022 | |
latest/stable | 226 | 01 Apr 2021 | |
14/stable | 468 | 11 Sep 2024 | |
14/stable | 467 | 11 Sep 2024 | |
14/candidate | 468 | 02 Sep 2024 | |
14/candidate | 467 | 02 Sep 2024 | |
14/beta | 516 | 19 Nov 2024 | |
14/beta | 515 | 19 Nov 2024 | |
14/edge | 518 | 19 Nov 2024 | |
14/edge | 517 | 19 Nov 2024 |
juju deploy postgresql --channel 14/candidate
Deploy universal operators easily with Juju, the Universal Operator Lifecycle Manager.
Platform:
Charmed PostgreSQL VM Tutorial > 6. Enable encryption with TLS
Enable encryption with TLS
Transport Layer Security (TLS) is a protocol used to encrypt data exchanged between two applications. Essentially, it secures data transmitted over a network.
Typically, enabling TLS internally within a highly available database or between a highly available database and client/server applications requires a high level of expertise. This has all been encoded into Charmed PostgreSQL so that configuring TLS requires minimal effort on your end.
TLS is enabled by integrating Charmed PostgreSQL with the Self Signed Certificates Charm. This charm centralises TLS certificate management consistently and handles operations like providing, requesting, and renewing TLS certificates.
In this section, you will learn how to enable security in your PostgreSQL deployment using TLS encryption.
Self-signed certificates are not recommended for a production environment.
Check this guide for an overview of the TLS certificates charms available.
Summary
- Deploy TLS charm
- Integrate with PostgreSQL
- Check the TLS certificates in use
- Remove TLS certificate
Deploy TLS charm
Before enabling TLS on Charmed PostgreSQL VM, we must deploy the self-signed-certificates
charm:
juju deploy self-signed-certificates --config ca-common-name="Tutorial CA"
Wait until the self-signed-certificates
is up and active, use juju status --watch 1s
to monitor the progress:
Model Controller Cloud/Region Version SLA Timestamp
tutorial overlord localhost/localhost 3.1.7 unsupported 10:31:40+01:00
App Version Status Scale Charm Channel Rev Exposed Message
postgresql active 2 postgresql 14/stable 281 no
self-signed-certificates active 1 self-signed-certificates stable 72 no
Unit Workload Agent Machine Public address Ports Message
postgresql/0* active idle 0 10.89.49.129 Primary
postgresql/1 active idle 1 10.89.49.197
self-signed-certificates/0* active idle 3 10.89.49.185
Machine State Address Inst id Series AZ Message
0 started 10.89.49.129 juju-a8a31d-0 jammy Running
1 started 10.89.49.197 juju-a8a31d-1 jammy Running
4 started 10.89.49.185 juju-a8a31d-3 jammy Running
Integrate with PostgreSQL
To enable TLS on Charmed PostgreSQL VM, integrate the two applications:
juju integrate postgresql self-signed-certificates
PostgreSQL is now using TLS certificate generated by the self-signed-certificates
charm.
Check the TLS certificate in use
Use openssl
to connect to the PostgreSQL and check the TLS certificate in use. Note that your leader unit’s IP address will likely be different to the one shown below:
> openssl s_client -starttls postgres -connect 10.89.49.129:5432 | grep Issuer
...
depth=1 C = US, CN = Tutorial CA
verify error:num=19:self-signed certificate in certificate chain
...
Remove TLS certificate
To remove the external TLS, remove the integration:juju remove-relation postgresql self-signed-certificates
If you once again check the TLS certificates in use via the OpenSSL client, you will see something similar to the output below:
> openssl s_client -starttls postgres -connect 10.89.49.129:5432
...
no peer certificate available
---
No client certificate CA names sent
...
The Charmed PostgreSQL VM application is not using TLS anymore.
Next step: 7. Clean up environment