PgBouncer K8s Tutorial - Enable Security

Enable TLS for PgBouncer K8s

This is part of the PgBouncer K8s Tutorial. Please refer to this page for more information and the overview of the content.

Transport Layer Security (TLS)

Transport Layer Security (TLS) is a protocol used to encrypt data exchanged between two applications. Essentially, it secures data transmitted over a network.

Typically, enabling TLS within a highly available database, or between it and client/server applications, requires domain-specific knowledge and a high level of expertise. All of this has been encoded into Charmed PgBouncer, so (re-)configuring TLS on this charm is readily available and requires minimal effort on your end.

Again, integrations come in handy here: TLS is enabled by relating Charmed PostgreSQL to the Self Signed Certificates Charm. This charm centralises TLS certificate management and handles operations such as providing, requesting, and renewing TLS certificates.

In this section, we will learn how to set up the pgbouncer, data-integrator, postgresql, and self-signed-certificates charms to enable TLS encryption.

Disclaimer: In this tutorial, we use self-signed certificates provided by the self-signed-certificates-operator.

This is not recommended for a production environment.

For production environments, check the collection of Charmhub operators that implement the tls-certificate interface, and choose the most suitable for your use-case.

Configure TLS

Before enabling TLS on Charmed PostgreSQL VM, we must deploy the self-signed-certificates charm:

juju deploy self-signed-certificates --config ca-common-name="Tutorial CA"

Wait until self-signed-certificates is up and active, using juju status --watch 1s to monitor the progress:

Model   Controller  Cloud/Region        Version  SLA          Timestamp
test16  microk8s    microk8s/localhost  3.1.6    unsupported  22:24:20+02:00

App                        Version  Status   Scale  Charm                      Channel        Rev  Address         Exposed  Message
data-integrator                     active       1  data-integrator            stable          13  10.152.183.136  no       
pgbouncer-k8s              1.18.0   active       2  pgbouncer-k8s              1/stable        76  10.152.183.84   no       
postgresql-k8s             14.9     active       2  postgresql-k8s             14/stable      158  10.152.183.92   no       
self-signed-certificates            active       1  self-signed-certificates   stable          72  10.152.183.87   no       

Unit                          Workload  Agent  Address     Ports  Message
data-integrator/0*            active    idle   10.1.12.16         
pgbouncer-k8s/0*              active    idle   10.1.12.15         
pgbouncer-k8s/1               active    idle   10.1.12.61         
postgresql-k8s/0*             active    idle   10.1.12.6          Primary
postgresql-k8s/1              active    idle   10.1.12.35         
self-signed-certificates/0*   active    idle   10.1.12.44 

Add external TLS certificate

To enable TLS on PgBouncer, relate the two applications:

juju relate pgbouncer-k8s self-signed-certificates

Check the TLS certificate in use:

Use openssl to connect to PostgreSQL through PgBouncer and inspect the certificate it presents:

> openssl s_client -starttls postgres -connect 10.152.183.84:6432  | grep Issue
depth=1 C = US, CN = Tutorial CA
verify error:num=19:self-signed certificate in certificate chain

Congratulations! Your connection is now using a TLS certificate generated by the external application self-signed-certificates. The verify error:num=19 line is expected here: the issuing CA is self-signed and not in openssl's default trust store, so the chain cannot be verified against a known root.

Remove external TLS certificate

To remove the external TLS certificate and return to the locally generated one, remove the relation between the applications:

juju remove-relation pgbouncer-k8s self-signed-certificates

Check the TLS certificate in use:

> openssl s_client -starttls postgres -connect 10.152.183.84:6432  | grep Issue

Without the self-signed-certificates relation, PgBouncer no longer offers SSL, so this connection attempt fails and no issuer is printed.
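As an added example (not the tutorial's or the charm's own code), the following POSIX shell helper wraps the openssl check used in both the "Add external TLS certificate" and "Remove external TLS certificate" sections above and classifies the result, so a script can tell "TLS offered but chain unverified", "TLS verified against the expected CA" and "no TLS" apart. The host, port, the pgbouncer-k8s certificate subject and the CA file path are assumptions, and the three sample outputs are constructed to mimic openssl s_client output rather than captured from a cluster.

```shell
#!/bin/sh
# Added example, not part of the Charmed PgBouncer tutorial: probe a PgBouncer
# endpoint with `openssl s_client -starttls postgres` and classify the result.
# Host, port and the CA file path are assumptions; the sample outputs below
# are constructed to mimic openssl's output and are not captured from a cluster.

# parse_s_client_output: reads `openssl s_client` output on stdin and prints
#   "tls ok issuer=<issuer>"          handshake done, chain verified (code 0)
#   "tls unverified issuer=<issuer>"  handshake done, chain not verified
#   "no-tls"                          no certificate was negotiated at all
# Exit status: 0, 2 and 1 respectively, so the function is usable in scripts.
parse_s_client_output() {
    out=$(cat)
    # openssl prints the leaf certificate's issuer as a line "issuer=<DN>"
    issuer=$(printf '%s\n' "$out" | sed -n 's/^issuer=//p' | head -n 1)
    if [ -z "$issuer" ]; then
        echo "no-tls"
        return 1
    fi
    if printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'; then
        echo "tls ok issuer=$issuer"
        return 0
    fi
    echo "tls unverified issuer=$issuer"
    return 2
}

# check_pgbouncer_tls HOST PORT [CAFILE]: run the real probe. Passing the CA
# certificate turns "verify error:num=19" into "Verify return code: 0 (ok)",
# which proves the chain really ends at the CA you expect.
check_pgbouncer_tls() {
    host=$1
    port=$2
    cafile=${3:-}
    if [ -n "$cafile" ]; then
        openssl s_client -starttls postgres -connect "$host:$port" \
            -CAfile "$cafile" </dev/null 2>&1 | parse_s_client_output
    else
        openssl s_client -starttls postgres -connect "$host:$port" \
            </dev/null 2>&1 | parse_s_client_output
    fi
}

# Constructed sample: PgBouncer related to self-signed-certificates, probed
# without -CAfile (the shape of the output shown in the tutorial).
SAMPLE_SELF_SIGNED='depth=1 C = US, CN = Tutorial CA
verify error:num=19:self-signed certificate in certificate chain
CONNECTED(00000003)
---
subject=C = US, CN = pgbouncer-k8s
issuer=C = US, CN = Tutorial CA
---
    Verify return code: 19 (self-signed certificate in certificate chain)'

# Constructed sample: same endpoint probed with -CAfile pointing at the CA.
SAMPLE_VERIFIED='CONNECTED(00000003)
---
subject=C = US, CN = pgbouncer-k8s
issuer=C = US, CN = Tutorial CA
---
    Verify return code: 0 (ok)'

# Constructed sample: relation removed, the server does not offer SSL.
SAMPLE_NO_TLS='CONNECTED(00000003)
no peer certificate available
---
No client certificate CA names sent
---'

# Stand-alone demo over the constructed samples (no cluster needed).
for sample in "$SAMPLE_SELF_SIGNED" "$SAMPLE_VERIFIED" "$SAMPLE_NO_TLS"; do
    printf '%s\n' "$sample" | parse_s_client_output || true
done
```

Run check_pgbouncer_tls 10.152.183.84 6432 to reproduce the tutorial's probe, or pass the CA certificate exported from the self-signed-certificates charm as a third argument to turn the self-signed-chain warning into a verified chain; that verified state, not merely "an issuer was printed", is what a script should require before treating the endpoint as correctly configured.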