Skip to main content

Your submission was sent successfully! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates from Canonical and upcoming events where you can meet our team.Close

Thank you for contacting us. A member of our team will be in touch shortly. Close

Charmed OpenSearch Tutorial > 3. Enable TLS encryption

Enable encryption with TLS

Transport Layer Security (TLS) is a protocol used to encrypt data exchanged between two applications. Essentially, it secures data transmitted over a network.

Typically, enabling TLS internally within a highly available database or between a highly available database and client/server applications requires a high level of expertise. This has all been encoded into Charmed OpenSearch so that configuring TLS requires minimal effort on your end.

TLS is enabled by integrating Charmed OpenSearch with the Self Signed Certificates Charm. This charm centralises TLS certificate management consistently and handles operations like providing, requesting, and renewing TLS certificates.

In this section, you will learn how to enable security in your OpenSearch deployment using TLS encryption.

Self-signed certificates are not recommended for a production environment.

Check this guide for an overview of the TLS certificates charms available.


Configure TLS

Before enabling TLS on Charmed OpenSearch we must first deploy the self-signed-certificates charm:

juju deploy self-signed-certificates --config ca-common-name="Tutorial CA"

Wait until self-signed-certificates is active. Use juju status --watch 1s to monitor the progress.

Model     Controller       Cloud/Region         Version  SLA          Timestamp
tutorial  opensearch-demo  localhost/localhost  3.5.3    unsupported  12:39:22Z

App                       Version  Status   Scale  Charm                     Channel        Rev  Exposed  Message
opensearch                         blocked      3  opensearch                2/beta         117  no       Missing TLS relation with this cluster.
self-signed-certificates           active       1  self-signed-certificates  latest/stable  155  no

Unit                         Workload  Agent  Machine  Public address  Ports  Message
opensearch/0*                blocked   idle   0        10.95.38.94            Missing TLS relation with this cluster.
opensearch/1                 blocked   idle   1        10.95.38.139           Missing TLS relation with this cluster.
opensearch/2                 blocked   idle   2        10.95.38.212           Missing TLS relation with this cluster.
self-signed-certificates/0*  active    idle   3        10.95.38.54

Machine  State    Address       Inst id        Base          AZ  Message
0        started  10.95.38.94   juju-be3883-0  ubuntu@22.04      Running
1        started  10.95.38.139  juju-be3883-1  ubuntu@22.04      Running
2        started  10.95.38.212  juju-be3883-2  ubuntu@22.04      Running
3        started  10.95.38.54   juju-be3883-3  ubuntu@22.04      Running

Integrate with OpenSearch

To enable TLS on Charmed OpenSearch, you must integrate (also known as “relate”) the two applications. We will go over integrations in more detail in the next page of this tutorial.

To integrate self-signed-certificates with opensearch, run the following command:

juju integrate self-signed-certificates opensearch

The OpenSearch service will start. This might take some time. Once done, you can see the new integrations with juju status --relations.

Model     Controller       Cloud/Region         Version  SLA          Timestamp
tutorial  opensearch-demo  localhost/localhost  3.5.3    unsupported  12:41:22Z

App                       Version  Status  Scale  Charm                     Channel        Rev  Exposed  Message
opensearch                         active      3  opensearch                2/beta         117  no
self-signed-certificates           active      1  self-signed-certificates  latest/stable  155  no

Unit                         Workload  Agent  Machine  Public address  Ports     Message
opensearch/0*                active    idle   0        10.95.38.94     9200/tcp
opensearch/1                 active    idle   1        10.95.38.139    9200/tcp
opensearch/2                 active    idle   2        10.95.38.212    9200/tcp
self-signed-certificates/0*  active    idle   3        10.95.38.54

Machine  State    Address       Inst id        Base          AZ  Message
0        started  10.95.38.94   juju-be3883-0  ubuntu@22.04      Running
1        started  10.95.38.139  juju-be3883-1  ubuntu@22.04      Running
2        started  10.95.38.212  juju-be3883-2  ubuntu@22.04      Running
3        started  10.95.38.54   juju-be3883-3  ubuntu@22.04      Running

Integration provider                   Requirer                       Interface           Type     Message
opensearch:node-lock-fallback          opensearch:node-lock-fallback  node_lock_fallback  peer
opensearch:opensearch-peers            opensearch:opensearch-peers    opensearch_peers    peer
opensearch:upgrade-version-a           opensearch:upgrade-version-a   upgrade             peer
self-signed-certificates:certificates  opensearch:certificates        tls-certificates    regular

Notice the last relation: self-signed-certificates:certificates opensearch:certificates tls-certificates regular.

Next step: 4. Integrate with a client application

Last updated a month ago. Help improve this document in the forum.