Added JIMM and controller bundles.

charms/bundles/controller/README.md

@@ -0,0 +1,30 @@
+Controller Bundle
+=================
+
+This bundle deploys a highly-available controller system, suitable for use in JAAS.
+
+Prerequisits
+------------
+
+In order to deploy the bundle the following configuration items need to
+be prepared:
+
+### TLS Certificates
+
+Get appropriate certificates from your CA and store the certificate
+chain in `LOCAL/controller.crt`, and the private key in `LOCAL/controller.key`.
+
+Deployment
+----------
+
+This bundle needs to be deployed on top of an already existing controller
+model.
+
+To bootstrap an appropriate model run commands like the following:
+    juju bootstrap --bootstrap-constraints="cores=8 mem=8G root-disk=50G" --config identity-url=<candid URL> --config allow-model-access=true --config public-dns-address=<DNS of the controller>:443 <cloud>/<region> <name> 
+    juju enable-ha -n 3
+    juju switch controller
+
+To deploy the bundle into the model run:
+
+    juju deploy --map-machines=existing ./bundle.yaml --overlay overlay-certificate.yaml

charms/bundles/controller/bundle.yaml

@@ -0,0 +1,20 @@
+applications:
+  controller:
+    charm: ch:juju-controller
+  haproxy:
+    charm: ch:haproxy
+    num_units: 1
+    constraints: cores=1 mem=4G root-disk=30G
+    expose: true
+    series: focal
+    options:
+      default_mode: tcp
+      enable_monitoring: True
+      services: include-file://config/haproxy.yaml
+      peering_mode: active-active
+  ntp:
+    charm: ch:ntp
+relations:
+  - ["ntp", "haproxy"]
+  - ["ntp", "controller"]
+  - ["controller", "haproxy"]

charms/bundles/controller/config/haproxy.yaml

@@ -0,0 +1,16 @@
+- service_name: app-controller
+  service_host: "0.0.0.0"
+  service_port: 443
+  service_options:
+    - mode http
+    - balance leastconn
+    - option httpchk GET / HTTP/1.1\r\nHost:\ juju-apiserver\r\nConnection:\ Upgrade\r\nUpgrade:\ websocket\r\nSec-WebSocket-Key:\ aGFwcm94eQ==\r\nSec-WebSocket-Version:\ 13\r\nSec-WebSocket-Protocol:\ echo-protocol
+    - http-check expect status 101
+  server_options: ssl verify none check
+  crts: [DEFAULT]
+- service_name: api_http
+  service_host: "0.0.0.0"
+  service_port: 80
+  service_options:
+    - mode http
+    - http-request redirect scheme https

charms/bundles/controller/overlay-certbot.yaml

@@ -0,0 +1,10 @@
+# overlay-certbot.yaml
+# Overlay for deploying certbot to manage TLS certificates for a controller.
+applications:
+  certbot:
+    charm: ch:certbot
+    options:
+      combined-path: /var/lib/haproxy/default.pem
+      deploy-command: systemctl reload haproxy
+relations:
+  - ["certbot", "haproxy"]

charms/bundles/controller/overlay-certificate.yaml

@@ -0,0 +1,18 @@
+# overlay-certificate.yaml
+# Overlay for configuring TLS certificates on the controller.
+applications:
+  haproxy:
+    options:
+      # Only the required options are included here, for the full set
+      # of available options see https://jaas.ai/haproxy.
+      #
+      # ssl_cert contains the certificate chain for the controller's
+      # DNS name. The file (./LOCAL/controller.crt by default) should
+      # contain the PEM encoded host certificate followed by any necessary
+      # intermediate certificates.
+      ssl_cert: include-base64://LOCAL/controller.crt
+      #
+      # ssl_key contains the PEM encoded private key that is signed in
+      # the host certificate provided in ssl_cert. This private key must
+      # be un-encrypted.
+      ssl_key: include-base64://LOCAL/controller.key

charms/bundles/controller/overlay-minimal.yaml

@@ -0,0 +1,13 @@
+# overlay-minimal.yaml
+# Overlay which defines a minimal deployment for use in testing or demo
+# deployments.
+applications:
+  controller:
+    num_units: 1
+    to:
+    - "0"
+  haproxy:
+    num_units: 1
+    constraints: cores=1
+machines:
+  "0":

charms/bundles/jimm/README.md

@@ -0,0 +1,63 @@
+JIMM Bundle
+===========
+
+This bundle deploys a highly-available JIMM system.
+
+Prerequisits
+------------
+
+In order to deploy the bundle a number of configuration items need to
+be prepared:
+
+### Identity-Location
+
+JIMM needs to know the location of the candid service that will provide
+the identity service. Configure the `identity-location` parameter in
+`local.yaml` to configure this.
+
+### Controller-Admin
+
+In order to add models to the controller users need to be in the
+controller admin group. An appropriate group needs to be identified,
+or created, in the customers identity provider and configured as the
+`controller-admin` parameter in `local.yaml`. If this is not present
+then no controllers can be added to the JAAS system.
+
+### Controller UUID
+
+The UUID of the JAAS controller needs to be configured. A suitable UUID
+can be created using `uuidgen`.
+
+### `LOCAL/agent-username`, `LOCAL/agent-private-key` & `LOCAL/agent-public-key`
+
+An agent user needs to be created in candid for JIMM to use to query
+user information. To create such an agent admin access to the candid
+service is required, most commonly this would be through the candid CLI
+using the admin agent created when deploying the candid service. A new
+agent is created using a command like:
+
+    CANDID_URL=https://candid.example.com candid -a admin.agent create-agent grouplist@candid
+
+This will display a json file containing the username along with both
+the public and private keys. Copy these values into the respective files
+in LOCAL.
+
+### TLS Certificates
+
+Get appropriate certificates from your CA and store the certificate
+chain in `LOCAL/jimm.crt`, and the private key in `LOCAL/jimm.key`.
+
+Deployment
+----------
+
+The bundle has some deployment options. To deploy just the base bundle,
+with all required secrets, run:
+
+    juju deploy ./bundle.yaml --overlay local.yaml
+
+If prometheus monitoring is also required in the model then run:
+
+    juju deploy ./bundle.yaml --overlay local.yaml --overlay overlay-prometheus.yaml
+
+Note that this command can be run on a previously deployed base system to
+"upgrade" it to provide prometheus.

charms/bundles/jimm/bundle.yaml

@@ -0,0 +1,31 @@
+applications:
+  haproxy:
+    charm: ch:haproxy
+    series: jammy
+    num_units: 1
+    constraints: cores=1 mem=4G root-disk=30G
+    expose: true
+    options:
+      default_mode: tcp
+      enable_monitoring: True
+      services: include-file://config/haproxy.yaml
+      peering_mode: active-active
+  juju-jimm:
+    charm: ch:juju-jimm
+    channel: 1/edge
+    num_units: 1
+    constraints: arch=amd64 cores=1 mem=4G root-disk=30G
+  postgresql:
+    charm: ch:postgresql
+    num_units: 1
+    constraints: cores=2 mem=8G root-disk=50G
+    storage:
+      pgdata: 50G
+  ntp:
+    charm: ch:ntp
+relations:
+  - ["haproxy:reverseproxy", "juju-jimm:website"]
+  - ["juju-jimm", "postgresql"]
+  - ["ntp", "haproxy"]
+  - ["ntp", "juju-jimm"]
+  - ["ntp", "postgresql"]

charms/bundles/jimm/config/haproxy.yaml

@@ -0,0 +1,18 @@
+- service_name: app-jimm
+  service_host: "0.0.0.0"
+  service_port: 443
+  service_options:
+    - mode http
+    - balance leastconn
+    - cookie SRVNAME insert
+    - option httpchk GET /debug/info HTTP/1.0
+    - acl metrics path -i /metrics
+    - http-request deny if metrics
+  server_options: check inter 2000 rise 2 fall 5 maxconn 4096
+  crts: [DEFAULT]
+- service_name: api_http
+  service_host: "0.0.0.0"
+  service_port: 80
+  service_options:
+    - mode http
+    - http-request redirect scheme https

charms/bundles/jimm/local.yaml

@@ -0,0 +1,39 @@
+# Local configuration settings for JIMM.
+# These values will need to be supplied before a JIMM deployment
+# will succeed.
+applications:
+  jimm:
+    options:
+      # charmstore-location contains the address of the charmstore that
+      # provides charms for this JAAS system.
+      charmstore-location: https://api.jujucharms.com/charmstore
+      #
+      # identity-location contains the address of the candid that
+      # provides authentication for this JAAS system.
+      identity-location:
+      #
+      # controller-admin is the name of a candid group the members of
+      # which can administer controllers in this JAAS system.
+      controller-admin:
+      #
+      # controller-uuid contains the UUID reported by the JAAS controller.
+      controller-uuid:
+      #
+      # Secrets:
+      #
+      # agent-username contains the username of the candid agent that
+      # JIMM should use to interrogate user information from candid.
+      # By default this will be loaded from ./LOCAL/agent-username.
+      agent-username: include-file://LOCAL/agent-username
+      #
+      # agent-private-key contains the (base64 encoded) private key
+      # of the candid agent that JIMM should use to interrogate user
+      # information from candid. By default this will be loaded from
+      # ./LOCAL/agent-private-key.
+      agent-private-key: include-file://LOCAL/agent-private-key
+      #
+      # agent-public-key contains the (base64 encoded) private key
+      # of the candid agent that JIMM should use to interrogate user
+      # information from candid. By default this will be loaded from
+      # ./LOCAL/agent-public-key.
+      agent-public-key: include-file://LOCAL/agent-public-key

charms/bundles/jimm/overlay-certbot.yaml

@@ -0,0 +1,10 @@
+# overlay-certbot.yaml
+# Overlay for deploying certbot to manage TLS certificates for candid.
+applications:
+  certbot:
+    charm: ch:certbot
+    options:
+      combined-path: /var/lib/haproxy/default.pem
+      deploy-command: systemctl reload haproxy
+relations:
+  - ["certbot", "haproxy"]

charms/bundles/jimm/overlay-certificate.yaml

@@ -0,0 +1,17 @@
+# overlay-certificate.yaml
+# Overlay for configuring TLS certificates in JIMM.
+applications:
+  haproxy:
+    options:
+      # Only the required options are included here, for the full set
+      # of available options see https://jaas.ai/haproxy.
+      #
+      # ssl_cert contains the certificate chain for JIMM. The file
+      # (./LOCAL/jimm.crt by default) should contain the PEM encoded host
+      # certificate followed by any necessary intermediate certificates.
+      ssl_cert: include-base64://LOCAL/jimm.crt
+      #
+      # ssl_key contains the PEM encoded private key that is signed in
+      # the host certificate provided in ssl_cert. This private key must
+      # be un-encrypted.
+      ssl_key: include-base64://LOCAL/jimm.key

charms/bundles/jimm/overlay-minimal.yaml

@@ -0,0 +1,12 @@
+# minimal.yaml defines a minimal deployment for use in testing or demo
+# deployments.
+applications:
+  haproxy:
+    num_units: 1
+    constraints: cores=1
+  jimm:
+    num_units: 1
+    constraints: arch=amd64 cores=1
+  postgresql:
+    num_units: 1
+    constraints: cores=1

charms/bundles/jimm/overlay-prometheus.yaml

@@ -0,0 +1,19 @@
+applications:
+  prometheus:
+    charm: cs:prometheus2
+    num_units: 1
+    constraints: cpu-cores=2 mem=8G root-disk=50G
+    expose: true
+    options:
+      daemon-args: --storage.tsdb.retention=30d
+  telegraf-haproxy:
+    charm: cs:telegraf
+  telegraf-jimm:
+    charm: cs:telegraf
+relations:
+  - ["ntp", "prometheus"]
+  - ["prometheus:target", "jimm"]
+  - ["prometheus:target", "telegraf-haproxy:prometheus-client"]
+  - ["prometheus:target", "telegraf-jimm:prometheus-client"]
+  - ["telegraf-haproxy:haproxy", "haproxy:statistics"]
+  - ["telegraf-jimm", "jimm"]