Charmed OpenSearch How-To | Enable TLS encryption

How to enable TLS encryption

This guide will show how to enable TLS using the self-signed-certificates operator as an example.

Self-signed certificates are not recommended for a production environment.

Check this guide for an overview of the signed and self-signed certificate charms available.

Summary


Enable TLS

First, deploy the TLS charm and configure the name of the Certificate Authority:

juju deploy self-signed-certificates --config ca-common-name="My CA"

To enable TLS on Charmed OpenSearch, integrate the two applications:

juju integrate self-signed-certificates opensearch

After the deployment has settled, you can see the relation by running juju status --relations .

Disable TLS

TLS is a requirement for Charmed OpenSearch, therefore TLS should not be disabled.

Manage certificates

Check certificates in use

To check the certificates in use by OpenSearch, you can run:

openssl s_client -showcerts -connect `leader_unit_IP:port` < /dev/null | grep issuer

Update keys

Updates to private keys for certificate signing requests (CSR) can be made via the set-tls-private-key action. Charmed OpenSearch uses three types of certificates:

  • app-admin: used for administrative actions on opensearch
  • unit-transport: used for internal communication between opensearch nodes
  • unit-http: used for external communication between opensearch and clients (users or applications)

The private key for app-admin can only be applied on the leader-unit.

Updates to each of these can be done with auto-generated keys:

juju run opensearch/leader set-tls-private-key category=app-admin
juju run opensearch/leader set-tls-private-key category=unit-transport
juju run opensearch/leader set-tls-private-key category=unit-http

It is also possible to use self-generated keys:

openssl genrsa -out unit-http.pem 3072
openssl genrsa -out unit-transport.pem 3072
openssl genrsa -out app-admin.pem 3072

Apply the private key for app-admin to the juju leader:

juju run opensearch/leader set-tls-private-key category=app-admin key="$(base64 -w0 app-admin.pem)"

Apply the private keys for unit-transport and unit-http to all units (including the leader):

juju run opensearch/leader set-tls-private-key category=unit-http key="$(base64 -w0 unit-http.pem)"
juju run opensearch/leader set-tls-private-key category=unit-transport key="$(base64 -w0 unit-transport.pem)"