Enable TLS for PgBouncer K8s
This is part of the PgBouncer K8s Tutorial. Please refer to this page for more information and the overview of the content.
Transport Layer Security (TLS)
Transport Layer Security (TLS) is a protocol used to encrypt data exchanged between two applications. Essentially, it secures data transmitted over a network.
Typically, enabling TLS internally within a highly available database, or between a highly available database and client/server applications, requires domain-specific knowledge and a high level of expertise. This has all been encoded into Charmed PgBouncer. This means (re-)configuring TLS on this charm is readily available and requires minimal effort on your end.
Again, integrations come in handy here, as TLS is enabled by relating Charmed PostgreSQL to the Self Signed Certificates Charm. This charm centralises TLS certificate management consistently and handles operations like providing, requesting, and renewing TLS certificates.
In this section, we will learn how to set up the pgbouncer, data-integrator, postgresql, and self-signed-certificates charms to enable TLS encryption.
Disclaimer: In this tutorial, we use self-signed certificates provided by the self-signed-certificates-operator. This is not recommended for a production environment.
For production environments, check the collection of Charmhub operators that implement the tls-certificate interface, and choose the most suitable for your use-case.
Configure TLS
Before enabling TLS on Charmed PostgreSQL VM, we must deploy the self-signed-certificates charm:
juju deploy self-signed-certificates --config ca-common-name="Tutorial CA"
Wait until the self-signed-certificates charm is up and active, using juju status --watch 1s to monitor the progress:
Model Controller Cloud/Region Version SLA Timestamp
test16 microk8s microk8s/localhost 3.1.6 unsupported 22:24:20+02:00
App Version Status Scale Charm Channel Rev Address Exposed Message
data-integrator active 1 data-integrator stable 13 10.152.183.136 no
pgbouncer-k8s 1.18.0 active 2 pgbouncer-k8s 1/stable 76 10.152.183.84 no
postgresql-k8s 14.9 active 2 postgresql-k8s 14/stable 158 10.152.183.92 no
self-signed-certificates active 1 self-signed-certificates stable 72 10.152.183.87 no
Unit Workload Agent Address Ports Message
data-integrator/0* active idle 10.1.12.16
pgbouncer-k8s/0* active idle 10.1.12.15
pgbouncer-k8s/1 active idle 10.1.12.61
postgresql-k8s/0* active idle 10.1.12.6 Primary
postgresql-k8s/1 active idle 10.1.12.35
self-signed-certificates/0* active idle 10.1.12.44
Add external TLS certificate
To enable TLS on PgBouncer, relate the two applications:
juju relate pgbouncer-k8s self-signed-certificates
Check the TLS certificate in use:
Use openssl to connect to PostgreSQL through PgBouncer and check the TLS certificate in use:
> openssl s_client -starttls postgres -connect 10.152.183.84:6432 | grep Issue
depth=1 C = US, CN = Tutorial CA
verify error:num=19:self-signed certificate in certificate chain
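The grep above only shows who issued the certificate; the verify error:num=19 line means your openssl client does not trust the Tutorial CA, so nothing has actually been verified. The script below is an added example (not part of this tutorial or of the charms) that classifies the output of openssl s_client: chain verified against the CA you supplied, issuer name mismatch, chain present but untrusted, or no chain at all. The sample outputs are constructed from the tutorial's output; the leaf certificate CN "pgbouncer-k8s", the CA file path and the get-ca-certificate action name are assumptions.

```shell
#!/bin/sh
# Added example: classify what openssl s_client reports for PgBouncer's TLS certificate.
# Not code from the PgBouncer tutorial or the charms.

# Reads s_client output on stdin; $1 is the CN expected on the issuing CA.
# Return codes:
#   0  chain verified (Verify return code 0) and issuer CN matches
#   1  issuer CN differs from the expected CA name
#   2  issuer CN matches but the client does not trust the chain (verify error)
#   3  no issuer certificate seen at all (server not offering TLS, or self-signed leaf)
classify_tls_output() {
    expected_cn="$1"
    out=$(cat)
    # The CA is printed as "depth=1 ... CN = <name>"; take the last "CN = " on that line.
    issuer_cn=$(printf '%s\n' "$out" | sed -n 's/^depth=1 .*CN = //p' | head -n 1)
    if [ -z "$issuer_cn" ]; then
        echo "no CA certificate seen in the chain"
        return 3
    fi
    if [ "$issuer_cn" != "$expected_cn" ]; then
        echo "issuer CN is '$issuer_cn', expected '$expected_cn'"
        return 1
    fi
    if printf '%s\n' "$out" | grep -q '^Verify return code: 0 (ok)'; then
        echo "chain verified; issuer CN '$issuer_cn'"
        return 0
    fi
    echo "issuer CN matches, but this client does not trust the chain:"
    printf '%s\n' "$out" | grep '^verify error' || true
    return 2
}

# Live check against PgBouncer. -starttls postgres needs OpenSSL 1.1.1 or newer.
# </dev/null stops s_client waiting on stdin; 2>&1 captures the verify lines.
# $1 host, $2 port, $3 CA file in PEM format, $4 expected issuer CN.
# The CA PEM is assumed to come from the self-signed-certificates charm
# (for example via its get-ca-certificate action; the action name is an assumption here).
check_pgbouncer_tls() {
    openssl s_client -starttls postgres -connect "$1:$2" -CAfile "$3" \
        </dev/null 2>&1 | classify_tls_output "$4"
}

# Constructed sample: what the tutorial's command prints when the CA is NOT trusted.
SAMPLE_UNTRUSTED='depth=1 C = US, CN = Tutorial CA
verify error:num=19:self-signed certificate in certificate chain
verify return:1
depth=0 CN = pgbouncer-k8s
verify return:1
Verify return code: 19 (self-signed certificate in certificate chain)'

# Constructed sample: the same connection after passing the CA with -CAfile.
SAMPLE_TRUSTED='depth=1 C = US, CN = Tutorial CA
verify return:1
depth=0 CN = pgbouncer-k8s
verify return:1
Verify return code: 0 (ok)'

# Stand-alone demonstration on the constructed samples (no cluster needed).
demo() {
    printf '%s\n' "$SAMPLE_UNTRUSTED" | classify_tls_output "Tutorial CA" || echo "rc=$?"
    printf '%s\n' "$SAMPLE_TRUSTED"   | classify_tls_output "Tutorial CA" || echo "rc=$?"
}
demo
```

Usage against the tutorial's PgBouncer address would be check_pgbouncer_tls 10.152.183.84 6432 /path/to/tutorial-ca.pem "Tutorial CA"; only a return code of 0 means the certificate chains to the CA you intended, which is the check to keep once you move from self-signed certificates to a production tls-certificate provider.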
Congratulations! Your connection is now using a TLS certificate generated by the external application self-signed-certificates.
Remove external TLS certificate
To remove the external TLS and return to the locally generated one, un-relate applications:
juju remove-relation pgbouncer-k8s self-signed-certificates
Check the TLS certificate in use:
> openssl s_client -starttls postgres -connect 10.152.183.84:6432 | grep Issue
The connection will fail due to missing SSL without self-signed-certificates.