How to enable TLS encryption

This guide will show how to enable TLS/SSL on a PostgreSQL cluster using the self-signed-certificates operator as an example.

This guide assumes everything is deployed within the same network and Juju model.

Enable TLS

Caution

Self-signed certificates are not recommended for a production environment.

Check this guide about X.509 certificates for an overview of all the TLS certificate charms available.

First, deploy the TLS charm:

juju deploy self-signed-certificates

To enable TLS, integrate (formerly known as “relate”) the two applications:

juju integrate postgresql:client-certificates self-signed-certificates:certificates

Check certificates in use

To check the certificates in use by PostgreSQL, run:

openssl s_client -starttls postgres -connect <leader_unit_IP>:<port> | grep issuer
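
The issuer check above can be scripted so that a missing certificate or an unexpected issuer is reported explicitly. This is an added example, not part of the original guide or of the charm; the function names, the expected-CA parameter and both sample outputs are constructed for illustration, and the "absent" sample assumes that no issuer line is printed when no certificate is presented.

```shell
#!/bin/sh
# Added example: classify the issuer shown by
#   openssl s_client -starttls postgres -connect <leader_unit_IP>:<port>
# The s_client output is read from stdin so the logic can be checked offline.

# Print the issuer DN of the server certificate; return 1 if none was shown.
pg_tls_issuer() {
    sed -n 's/^issuer=//p' | head -n 1 | grep .
}

# $1 = CA name expected inside the issuer DN (hypothetical parameter).
# Prints one of: absent | expected | unexpected
classify_pg_tls() {
    expected_ca=$1
    [ -n "$expected_ca" ] || { echo "usage: classify_pg_tls <CA name>" >&2; return 2; }
    if ! issuer=$(pg_tls_issuer); then
        echo absent            # no certificate in the output
        return 0
    fi
    case $issuer in
        *"$expected_ca"*) echo expected ;;
        *)                echo unexpected ;;
    esac
}

# Constructed sample: trimmed s_client output with TLS enabled (names made up).
sample_tls_on() {
    cat <<'EOF'
CONNECTED(00000003)
---
Server certificate
subject=CN = postgresql-0.example.internal
issuer=CN = example-self-signed-ca
---
EOF
}

# Constructed sample: assumed output shape when no certificate is presented.
sample_tls_off() {
    cat <<'EOF'
CONNECTED(00000003)
EOF
}

sample_tls_on  | classify_pg_tls "example-self-signed-ca"   # expected
sample_tls_on  | classify_pg_tls "Example Corp Issuing CA"  # unexpected
sample_tls_off | classify_pg_tls "example-self-signed-ca"   # absent
```

Against a live unit, pipe the `openssl s_client` command into `classify_pg_tls` in place of the sample functions, with its stdin redirected from `/dev/null` so the session closes after the handshake.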

Disable TLS

Disable TLS by removing the integration:

juju remove-relation postgresql:client-certificates self-signed-certificates:certificates