Charmed PostgreSQL VM

Channel        Revision  Published    Runs on
latest/stable  345       09 Nov 2023  Ubuntu 22.04, 20.04, 18.04, 16.04, 14.04
latest/stable  239       09 Feb 2022  Ubuntu 22.04, 20.04, 18.04, 16.04, 14.04
latest/stable  226       01 Apr 2021  Ubuntu 22.04, 20.04, 18.04, 16.04, 14.04
14/stable      468       11 Sep 2024  Ubuntu 22.04
14/stable      467       11 Sep 2024  Ubuntu 22.04
14/candidate   529       29 Nov 2024  Ubuntu 22.04
14/candidate   528       29 Nov 2024  Ubuntu 22.04
14/beta        529       28 Nov 2024  Ubuntu 22.04
14/beta        528       28 Nov 2024  Ubuntu 22.04
14/edge        531       29 Nov 2024  Ubuntu 22.04
14/edge        530       29 Nov 2024  Ubuntu 22.04
16/edge        527       27 Nov 2024  Ubuntu 24.04
16/edge        526       27 Nov 2024  Ubuntu 24.04

juju deploy postgresql --channel 14/edge
Charmed PostgreSQL VM Tutorial > 6. Enable encryption with TLS

Enable encryption with TLS

Transport Layer Security (TLS) is a protocol used to encrypt data exchanged between two applications. Essentially, it secures data transmitted over a network.

Enabling TLS inside a highly available database, or between the database and its client/server applications, typically requires a high level of expertise. Charmed PostgreSQL encodes all of that, so configuring TLS requires minimal effort on your end.

TLS is enabled by integrating Charmed PostgreSQL with the self-signed-certificates charm. This charm centralises TLS certificate management and handles operations such as providing, requesting, and renewing TLS certificates.

In this section, you will learn how to encrypt connections to your PostgreSQL deployment with TLS.

Self-signed certificates are not recommended for a production environment: clients have no trust anchor for a CA that exists only inside your model, so unless they are given the CA certificate they get encryption but cannot authenticate the server they are talking to. For production, use a certificates charm backed by a CA your clients already trust.

Check this guide for an overview of the TLS certificates charms available.

Deploy TLS charm

Before enabling TLS on Charmed PostgreSQL VM, we must deploy the self-signed-certificates charm:

juju deploy self-signed-certificates --config ca-common-name="Tutorial CA"

Wait until self-signed-certificates is up and active. Use juju status --watch 1s to monitor the progress:

Model     Controller  Cloud/Region         Version  SLA          Timestamp
tutorial  overlord    localhost/localhost  3.1.7    unsupported  10:31:40+01:00

App                        Version  Status  Scale  Charm                      Channel    Rev  Exposed  Message
postgresql                          active      2  postgresql                 14/stable  281  no       
self-signed-certificates            active      1  self-signed-certificates   stable     72   no       

Unit                          Workload  Agent  Machine  Public address  Ports  Message
postgresql/0*                 active    idle   0        10.89.49.129           Primary
postgresql/1                  active    idle   1        10.89.49.197           
self-signed-certificates/0*   active    idle   3        10.89.49.185           

Machine  State    Address       Inst id        Series  AZ  Message
0        started  10.89.49.129  juju-a8a31d-0  jammy       Running
1        started  10.89.49.197  juju-a8a31d-1  jammy       Running
3        started  10.89.49.185  juju-a8a31d-3  jammy       Running

Integrate with PostgreSQL

To enable TLS on Charmed PostgreSQL VM, integrate the two applications:

juju integrate postgresql self-signed-certificates

PostgreSQL is now using a TLS certificate generated by the self-signed-certificates charm.

Check the TLS certificate in use

Use openssl to connect to PostgreSQL and inspect the TLS certificate in use. PostgreSQL has no separate TLS port, so the -starttls postgres option is required: it sends the protocol's SSLRequest message on the plain connection before starting the handshake. Note that your primary unit's IP address will likely differ from the one shown below:

> openssl s_client -starttls postgres -connect 10.89.49.129:5432 | grep Issuer
...
depth=1 C = US, CN = Tutorial CA
verify error:num=19:self-signed certificate in certificate chain
...

The issuer CN matches the ca-common-name you configured on the self-signed-certificates charm. The verify error is expected: openssl can read the certificate chain but has no reason to trust a CA it has never seen, so validation fails. To validate the chain, export the charm's CA certificate and pass it to openssl with -CAfile. Database clients need the same CA file (for example psql with sslmode=verify-ca or verify-full) to authenticate the server rather than merely encrypt the connection.

Remove TLS certificate

To disable TLS again, remove the integration:

juju remove-relation postgresql self-signed-certificates

If you once again check the TLS certificates in use via the OpenSSL client, you will see something similar to the output below:

> openssl s_client -starttls postgres -connect 10.89.49.129:5432
...
no peer certificate available
---
No client certificate CA names sent
...

The Charmed PostgreSQL VM application is not using TLS anymore.
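Both openssl checks in this step (a certificate in use after the integration, "no peer certificate available" after it is removed) can be scripted from the standard library. The following is an added example written for this tutorial; it is not part of the Charmed PostgreSQL charm or the self-signed-certificates charm. It performs the PostgreSQL SSLRequest exchange that -starttls postgres wraps, reports whether the server accepted TLS, and, when given the CA certificate, verifies the chain that the plain openssl check could not. The target address, port and CA file path are assumptions taken from the command line.

```python
"""Probe a PostgreSQL endpoint for TLS the way `openssl s_client -starttls postgres` does.

PostgreSQL has no dedicated TLS port. A client opens a plain TCP connection, sends an
8-byte SSLRequest message and reads a one-byte reply: 'S' (server accepts TLS, start
the handshake now) or 'N' (TLS unavailable, the state after the relation is removed).
Added example for the tutorial, not charm code. Host, port and CA path are taken from
the command line and are assumptions about your deployment.
"""
import hashlib
import socket
import ssl
import struct
import sys
from typing import Optional

SSL_REQUEST_CODE = 80877103  # (1234 << 16) | 5679, the protocol's SSLRequest code


def build_ssl_request() -> bytes:
    """SSLRequest message: int32 length (8) followed by int32 request code, big-endian."""
    return struct.pack("!ii", 8, SSL_REQUEST_CODE)


def parse_ssl_response(reply: bytes) -> bool:
    """'S' means the server will speak TLS next; 'N' means it will not. Anything else is a protocol error."""
    if reply == b"S":
        return True
    if reply == b"N":
        return False
    raise ValueError(f"unexpected SSLRequest reply: {reply!r}")


def tls_context(cafile: Optional[str]) -> ssl.SSLContext:
    """With a CA file, verify the chain (what the plain openssl check could not do).
    Without one, do an unverified handshake: enough to see whether TLS is on and to
    fingerprint the certificate, but it proves nothing about who is on the other end."""
    if cafile:
        ctx = ssl.create_default_context(cafile=cafile)
        ctx.check_hostname = False  # we connect by unit IP; trust is pinned to the CA, not a DNS name
        ctx.verify_mode = ssl.CERT_REQUIRED
    else:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def probe(host: str, port: int = 5432, cafile: Optional[str] = None, timeout: float = 5.0) -> dict:
    """Return {'tls': False} when the server declines TLS, otherwise details of the session.
    A chain that fails verification against cafile raises ssl.SSLCertVerificationError."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_ssl_request())
        if not parse_ssl_response(sock.recv(1)):
            return {"tls": False}
        with tls_context(cafile).wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            info = {
                "tls": True,
                "version": tls.version(),
                "cipher": tls.cipher()[0],
                "sha256": hashlib.sha256(der).hexdigest(),  # compare across units, or before/after renewal
                "verified": bool(cafile),
            }
            if cafile:  # the parsed certificate is only populated once the chain has been verified
                cert = tls.getpeercert()
                info["issuer"] = {k: v for rdn in cert["issuer"] for k, v in rdn}
                info["not_after"] = cert["notAfter"]
            return info


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "10.89.49.129"  # primary unit IP from the tutorial output
    ca = sys.argv[2] if len(sys.argv) > 2 else None
    for key, value in probe(target, cafile=ca).items():
        print(f"{key}: {value}")
```

Run it as python3 probe.py 10.89.49.129 to get the unverified view (TLS on or off, cipher, certificate fingerprint); run it with a second argument pointing at the CA PEM to verify the chain and print the issuer, which should come back as the Tutorial CA. The self-signed-certificates charm exposes an action that returns its CA certificate (check the exact name with juju actions self-signed-certificates); save its output to a file and pass that path. After the relation is removed the script returns tls: False, the scripted equivalent of openssl's "no peer certificate available".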

Next step: 7. Clean up environment

