Charmed OpenSearch Tutorial | Enable TLS encryption

Charmed OpenSearch Tutorial > 3. Enable TLS encryption

Enable encryption with TLS

Transport Layer Security (TLS) is a protocol used to encrypt data exchanged between two applications. Essentially, it secures data transmitted over a network.

Typically, enabling TLS internally within a highly available database or between a highly available database and client/server applications requires a high level of expertise. This has all been encoded into Charmed OpenSearch so that configuring TLS requires minimal effort on your end.

TLS is enabled by integrating Charmed OpenSearch with the Self Signed Certificates Charm. This charm centralises TLS certificate management consistently and handles operations like providing, requesting, and renewing TLS certificates.

In this section, you will learn how to enable security in your OpenSearch deployment using TLS encryption.

Self-signed certificates are not recommended for a production environment.

Check this guide for an overview of the TLS certificates charms available.


Configure TLS

Before enabling TLS on Charmed OpenSearch we must first deploy the self-signed-certificates charm:

juju deploy self-signed-certificates --config ca-common-name="Tutorial CA"

Wait until self-signed-certificates is active. Use juju status --watch 1s to monitor the progress.

Model     Controller       Cloud/Region         Version  SLA          Timestamp
tutorial  opensearch-demo  localhost/localhost  3.5.3    unsupported  13:22:05Z

App                       Version  Status   Scale  Charm                     Channel        Rev  Exposed  Message
opensearch                         blocked      1  opensearch                2/beta         117  no       Missing TLS relation with this cluster.
self-signed-certificates           active       1  self-signed-certificates  latest/stable  155  no

Unit                         Workload  Agent  Machine  Public address  Ports  Message
opensearch/0*                blocked   idle   0        10.214.176.107         Missing TLS relation with this cluster.
self-signed-certificates/0*  active    idle   1        10.214.176.116

Machine  State    Address         Inst id        Base          AZ  Message
0        started  10.214.176.107  juju-b0826b-0  ubuntu@22.04      Running
1        started  10.214.176.116  juju-b0826b-1  ubuntu@22.04      Running

Integrate with OpenSearch

To enable TLS on Charmed OpenSearch, you must integrate (also known as “relate”) the two applications. We will go over integrations in more detail in the next page of this tutorial.

To integrate self-signed-certificates with opensearch, run the following command:

juju integrate self-signed-certificates opensearch

The OpenSearch service will start. This might take some time. Once done, you can see the new integrations with juju status --relations.

Model     Controller       Cloud/Region         Version  SLA          Timestamp
tutorial  opensearch-demo  localhost/localhost  3.5.3    unsupported  13:23:24Z

App                       Version  Status  Scale  Charm                     Channel        Rev  Exposed  Message
opensearch                         active      1  opensearch                2/beta         117  no
self-signed-certificates           active      1  self-signed-certificates  latest/stable  155  no

Unit                         Workload  Agent  Machine  Public address  Ports     Message
opensearch/0*                active    idle   0        10.214.176.107  9200/tcp
self-signed-certificates/0*  active    idle   1        10.214.176.116

Machine  State    Address         Inst id        Base          AZ  Message
0        started  10.214.176.107  juju-b0826b-0  ubuntu@22.04      Running
1        started  10.214.176.116  juju-b0826b-1  ubuntu@22.04      Running

Integration provider                   Requirer                       Interface           Type     Message
opensearch:node-lock-fallback          opensearch:node-lock-fallback  node_lock_fallback  peer
opensearch:opensearch-peers            opensearch:opensearch-peers    opensearch_peers    peer
opensearch:upgrade-version-a           opensearch:upgrade-version-a   upgrade             peer
self-signed-certificates:certificates  opensearch:certificates        tls-certificates    regular

Notice the last relation: self-signed-certificates:certificates opensearch:certificates tls-certificates regular.

Next step: 4. Integrate with a client application