Charmed PostgreSQL K8s Tutorial | 7. Enable TLS


Enable encryption with TLS

Transport Layer Security (TLS) is a protocol used to encrypt data exchanged between two applications. Essentially, it secures data transmitted over a network.

Typically, enabling TLS internally within a highly available database, or between a highly available database and client/server applications, requires domain-specific knowledge and a high level of expertise. This has all been encoded into Charmed PostgreSQL K8s, so (re-)configuring TLS on Charmed PostgreSQL K8s is readily available and requires minimal effort on your end.

Again, integrations come in handy here as TLS is enabled by relating Charmed PostgreSQL K8s to the Self Signed Certificates Charm. This charm centralises TLS certificate management consistently and handles operations like providing, requesting, and renewing TLS certificates.

In this part of the tutorial, you will learn how to enable security in your PostgreSQL deployment using TLS encryption.

Self-signed certificates are not recommended for a production environment.

Check this guide for an overview of the TLS certificates charms available.


Deploy TLS charm

Before enabling TLS on Charmed PostgreSQL K8s, we must deploy the self-signed-certificates charm:

juju deploy self-signed-certificates --config ca-common-name="Tutorial CA"

Wait until the self-signed-certificates charm is up and active, using juju status --watch 1s to monitor the deployment status:

Model     Controller  Cloud/Region        Version  SLA          Timestamp
tutorial  charm-dev   microk8s/localhost  3.1.7    unsupported  12:18:05+01:00

App                        Version  Status   Scale  Charm                      Channel    Rev  Address         Exposed  Message
postgresql-k8s                      active       2  postgresql-k8s             14/stable  56  no
self-signed-certificates            active       1  self-signed-certificates   stable     72  no

Unit                          Workload    Agent  Address       Ports  Message
postgresql-k8s/0*             active      idle         Primary
postgresql-k8s/1              active      idle
self-signed-certificates/0*   active      idle

Integrate with PostgreSQL

To enable TLS on Charmed PostgreSQL K8s, integrate the two applications:

juju integrate postgresql-k8s self-signed-certificates

Check the TLS certificate in use

Use openssl to connect to the PostgreSQL and check the TLS certificate in use:

> openssl s_client -starttls postgres -connect | grep Issuer
depth=1 C = US, CN = Tutorial CA
verify error:num=19:self-signed certificate in certificate chain

Congratulations! PostgreSQL is now using a TLS certificate generated by the external application tls-certificates-operator.

Remove TLS certificate

To remove the external TLS, remove the integration:

juju remove-relation postgresql-k8s self-signed-certificates

If you once again check the TLS certificates in use via the OpenSSL client, you will see something similar to the output below:

> openssl s_client -starttls postgres -connect
no peer certificate available
No client certificate CA names sent

The Charmed PostgreSQL K8s application is not using TLS anymore.
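The two openssl checks above (certificate in use, and "no peer certificate available" after the relation is removed) can also be scripted. The following is an added example, not code from the tutorial or the charm: it performs by hand what openssl s_client -starttls postgres does, sending the PostgreSQL SSLRequest message before starting TLS, and verifies the server certificate against a CA file so the "self-signed certificate in certificate chain" error does not appear. The host/IP and the path of the PEM file holding the Tutorial CA certificate are assumptions you supply on the command line.

```python
import socket
import ssl
import struct
from typing import Optional

# PostgreSQL SSLRequest message: int32 length (8) followed by int32 code
# 80877103 (0x04d2162f). This is what `openssl s_client -starttls postgres` sends.
SSL_REQUEST_CODE = 80877103


def ssl_request_packet() -> bytes:
    """Build the 8-byte SSLRequest message from the PostgreSQL wire protocol."""
    return struct.pack("!ii", 8, SSL_REQUEST_CODE)


def server_offers_tls(reply: bytes) -> bool:
    """Interpret the one-byte reply: b'S' means start TLS, b'N' means no TLS."""
    if reply == b"S":
        return True
    if reply == b"N":
        return False
    raise ValueError(f"unexpected SSLRequest reply: {reply!r}")


def check_postgres_tls(host: str, port: int = 5432, ca_file: Optional[str] = None) -> dict:
    """Return {'tls': bool, 'issuer': Optional[str]} for the given server.

    ca_file (assumed path) is the PEM of the CA that signed the server
    certificate, e.g. the 'Tutorial CA'; with it the chain is verified.
    Without it the handshake is done unverified and no issuer is decoded.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = False  # the unit is addressed by IP, not by a DNS name
    if ca_file is None:
        ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=5) as raw:
        raw.sendall(ssl_request_packet())
        if not server_offers_tls(raw.recv(1)):
            return {"tls": False, "issuer": None}  # e.g. after the relation is removed
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()  # empty dict when the chain was not verified
    issuer = ", ".join(f"{k}={v}" for rdn in cert.get("issuer", ()) for k, v in rdn) or None
    return {"tls": True, "issuer": issuer}


if __name__ == "__main__":
    import sys  # usage: python check_tls.py <unit-ip> [ca.pem]
    print(check_postgres_tls(sys.argv[1], ca_file=sys.argv[2] if len(sys.argv) > 2 else None))
```

With the relation in place and the CA file given, the result shows tls True and an issuer containing CN=Tutorial CA; after juju remove-relation it returns tls False.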

Next step: 8. Clean up environment