PgBouncer Tutorial - Enable Security

This is part of the PgBouncer Tutorial

Enable TLS

Transport Layer Security (TLS)

Transport Layer Security (TLS) is a protocol used to encrypt data exchanged between two applications. Essentially, it secures data transmitted over a network.

Typically, enabling TLS within a highly available database, or between a highly available database and client/server applications, requires domain-specific knowledge and a high level of expertise. All of this has been encoded into Charmed PgBouncer, so (re-)configuring TLS on this charm is readily available and requires minimal effort on your end.

Again, integrations come in handy here: TLS is enabled by relating Charmed PostgreSQL to the Self Signed Certificates Charm. This charm centralises TLS certificate management and consistently handles operations such as providing, requesting, and renewing TLS certificates.

In this section, we will learn how to set up the pgbouncer, data-integrator, postgresql, and self-signed-certificates charms to enable TLS encryption.

Disclaimer: In this tutorial, we use self-signed certificates provided by the self-signed-certificates-operator.

This is not recommended for a production environment.

For production environments, check the collection of Charmhub operators that implement the tls-certificate interface, and choose the most suitable for your use-case.

Configure TLS

Before enabling TLS on Charmed PostgreSQL VM, we must deploy the self-signed-certificates charm:

juju deploy self-signed-certificates --config ca-common-name="Tutorial CA"

Wait until self-signed-certificates is up and active, using juju status --watch 1s to monitor the progress:

Model     Controller  Cloud/Region         Version  SLA          Timestamp
tutorial  overlord    localhost/localhost  3.1.7    unsupported  13:56:00+01:00

App                       Version  Status  Scale  Charm                     Channel    Rev  Exposed  Message     
data-integrator                    active      1  data-integrator           stable      19  no                                             
pgbouncer                 1.21.0   active      1  pgbouncer                 1/stable    88  no                                     
postgresql                14.10    active      2  postgresql                14/stable  363  no                                             
self-signed-certificates           active      1  self-signed-certificates  stable      72  no     
                                                                                                                               
Unit                         Workload  Agent  Machine  Public address  Ports     Message                                       
data-integrator/0*           active    idle   4        10.89.24.109                                                               
  pgbouncer/0*               active    idle            10.89.24.109                                                                        
postgresql/0*                active    idle   0        10.89.24.187    5432/tcp  Primary                                                   
postgresql/1                 active    idle   1        10.89.24.149    5432/tcp                                                 
self-signed-certificates/0*  active    idle   3        10.89.24.189                                                                        
                                                                                               
Machine  State    Address       Inst id        Base          AZ  Message                    
0        started  10.89.24.187  juju-151b7f-0  ubuntu@22.04      Running                            
1        started  10.89.24.149  juju-151b7f-1  ubuntu@22.04      Running                  
3        started  10.89.24.189  juju-151b7f-3  ubuntu@22.04      Running                  
4        started  10.89.24.109  juju-151b7f-4  ubuntu@22.04      Running                  

Add external TLS certificate

Since we are using the external application data-integrator, PgBouncer opens a port to listen for TCP traffic. Because PgBouncer is exposed in this way, it is recommended to enable TLS encryption.

Enable TLS for PgBouncer by integrating it with self-signed-certificates:

juju integrate pgbouncer self-signed-certificates

Enable TLS the same way for PostgreSQL:

juju integrate postgresql self-signed-certificates

Congratulations! Your connections between data-integrator and PgBouncer, and between PgBouncer and PostgreSQL, now use TLS certificates generated by the external application self-signed-certificates.
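To confirm that the integration above actually took effect, rather than trusting the relation status alone, the following added example (not part of the tutorial or the charm) speaks the PostgreSQL SSLRequest preamble to PgBouncer, refuses to continue in plaintext, and checks that the presented certificate chains to the "Tutorial CA" configured earlier. It assumes PgBouncer listens on its default port 6432, that you have saved the CA certificate to a local file, and that hostname checking is relaxed because unit certificates may be issued for IP addresses.

```python
import socket
import ssl
import struct

# PostgreSQL wire protocol: a client opens with an 8-byte SSLRequest
# (int32 length 8, int32 magic 80877103). PgBouncer, like PostgreSQL,
# replies with one byte: 'S' (start TLS now) or 'N' (plaintext only).
SSL_REQUEST_CODE = 80877103


def build_ssl_request() -> bytes:
    """Return the SSLRequest packet libpq sends before any TLS handshake."""
    return struct.pack("!ii", 8, SSL_REQUEST_CODE)


def parse_ssl_response(reply: bytes) -> bool:
    """True if the server agreed to TLS, False if it only offers plaintext."""
    if reply == b"S":
        return True
    if reply == b"N":
        return False
    raise ValueError(f"unexpected SSLRequest reply: {reply!r}")


def issuer_common_name(cert: dict) -> str:
    """Extract the issuer CN from the dict returned by SSLSocket.getpeercert()."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return ""


def check_tls(host: str, ca_file: str, port: int = 6432,
              expected_ca: str = "Tutorial CA") -> dict:
    """Connect to PgBouncer, refuse plaintext, and verify the server
    certificate chains to ca_file. Returns a small report dict."""
    ctx = ssl.create_default_context(cafile=ca_file)  # trust only the tutorial CA
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = False  # assumption: unit certs may name IPs, not hostnames
    with socket.create_connection((host, port), timeout=5) as raw:
        raw.sendall(build_ssl_request())
        if not parse_ssl_response(raw.recv(1)):
            # Never fall back to plaintext; an 'N' is what a removed relation looks like.
            raise RuntimeError(f"{host}:{port} answered 'N': TLS is not enabled")
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            issuer = issuer_common_name(tls.getpeercert())
            return {"tls_version": tls.version(), "issuer": issuer,
                    "issued_by_expected_ca": issuer == expected_ca}
```

Run check_tls against the PgBouncer unit address after the integration, and again after removing the relation, to see the 'S' and 'N' paths respectively.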

Remove external TLS certificate

To remove the TLS certificates, simply remove the integrations:

juju remove-relation pgbouncer self-signed-certificates
juju remove-relation postgresql self-signed-certificates