Skip to main content

Your submission was sent successfully! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates from Canonical and upcoming events where you can meet our team.Close

Thank you for contacting us. A member of our team will be in touch shortly. Close

Note: All commands are written for juju >= v.3.0

If you are using an earlier version, check the Juju 3.0 Release Notes.

How to enable TLS encryption

Disclaimer: In this guide, we use self-signed certificates provided by the self-signed-certificates operator.

This is not recommended for a production environment.

For production environments, check the collection of Charmhub operators that implement the tls-certificate interface, and choose the most suitable for your use-case.

Enable TLS

Deploy the TLS charm:

juju deploy self-signed-certificates --config ca-common-name="Tutorial CA"

To enable TLS, integrate (formerly known as “relate”) the two applications:

juju integrate postgresql-k8s self-signed-certificates

Manage keys

Updates to private keys for certificate signing requests (CSR) can be made via the set-tls-private-key action. Note that passing keys to external/internal keys should only be done with base64 -w0, not cat.

With three replicas, this schema should be followed:

Generate a shared internal key:

openssl genrsa -out internal-key.pem 3072

Generate external keys for each unit:

openssl genrsa -out external-key-0.pem 3072
openssl genrsa -out external-key-1.pem 3072
openssl genrsa -out external-key-2.pem 3072

Apply both private keys to each unit. The shared internal key will be applied only to the juju leader.

juju run postgresql-k8s/0 set-tls-private-key "external-key=$(base64 -w0 external-key-0.pem)"  "internal-key=$(base64 -w0 internal-key.pem)" 
juju run postgresql-k8s/1 set-tls-private-key "external-key=$(base64 -w0 external-key-1.pem)"  "internal-key=$(base64 -w0 internal-key.pem)" 
juju run postgresql-k8s/2 set-tls-private-key "external-key=$(base64 -w0 external-key-2.pem)"  "internal-key=$(base64 -w0 internal-key.pem)" 

Updates can also be done with auto-generated keys with

juju run postgresql-k8s/0 set-tls-private-key
juju run postgresql-k8s/1 set-tls-private-key
juju run postgresql-k8s/2 set-tls-private-key

Disable TLS

You can disable TLS by removing the integration.

juju remove-relation self-signed-certificates postgresql-k8s

Last updated 6 months ago. Help improve this document in the forum.