From 11020608d5536244dd3b6f78ce9d1117a960eddc Mon Sep 17 00:00:00 2001
From: alesstimec
Date: Fri, 7 Jul 2023 14:52:44 +0200
Subject: [PATCH] Added JIMM and controller bundles.
---
 charms/bundles/controller/README.md | 30 +++++++++
 charms/bundles/controller/bundle.yaml | 20 ++++++
 charms/bundles/controller/config/haproxy.yaml | 16 +++++
 .../bundles/controller/overlay-certbot.yaml | 10 +++
 .../controller/overlay-certificate.yaml | 18 ++++++
 .../bundles/controller/overlay-minimal.yaml | 13 ++++
 charms/bundles/jimm/README.md | 63 +++++++++++++++++++
 charms/bundles/jimm/bundle.yaml | 31 +++++++++
 charms/bundles/jimm/config/haproxy.yaml | 18 ++++++
 charms/bundles/jimm/local.yaml | 39 ++++++++++++
 charms/bundles/jimm/overlay-certbot.yaml | 10 +++
 charms/bundles/jimm/overlay-certificate.yaml | 17 +++++
 charms/bundles/jimm/overlay-minimal.yaml | 12 ++++
 charms/bundles/jimm/overlay-prometheus.yaml | 19 ++++++
 14 files changed, 316 insertions(+)
 create mode 100644 charms/bundles/controller/README.md
 create mode 100644 charms/bundles/controller/bundle.yaml
 create mode 100644 charms/bundles/controller/config/haproxy.yaml
 create mode 100644 charms/bundles/controller/overlay-certbot.yaml
 create mode 100644 charms/bundles/controller/overlay-certificate.yaml
 create mode 100644 charms/bundles/controller/overlay-minimal.yaml
 create mode 100644 charms/bundles/jimm/README.md
 create mode 100644 charms/bundles/jimm/bundle.yaml
 create mode 100644 charms/bundles/jimm/config/haproxy.yaml
 create mode 100644 charms/bundles/jimm/local.yaml
 create mode 100644 charms/bundles/jimm/overlay-certbot.yaml
 create mode 100644 charms/bundles/jimm/overlay-certificate.yaml
 create mode 100644 charms/bundles/jimm/overlay-minimal.yaml
 create mode 100644 charms/bundles/jimm/overlay-prometheus.yaml
diff --git a/charms/bundles/controller/README.md b/charms/bundles/controller/README.md
new file mode 100644
index 000000000..c12693c97
--- /dev/null
+++ b/charms/bundles/controller/README.md
@@ -0,0 +1,30 @@
+Controller Bundle
+=================
+
+This bundle deploys a highly-available controller system, suitable for use in JAAS.
+
+Prerequisits
+------------
+
+In order to deploy the bundle the following configuration items need to
+be prepared:
+
+### TLS Certificates
+
+Get appropriate certificates from your CA and store the certificate
+chain in `LOCAL/controller.crt`, and the private key in `LOCAL/controller.key`.
+
+Deployment
+----------
+
+This bundle needs to be deployed on top of an already existing controller
+model.
+
+To bootstrap an appropriate model run commands like the following:
+ juju bootstrap --bootstrap-constraints="cores=8 mem=8G root-disk=50G" --config identity-url= --config allow-model-access=true --config public-dns-address=:443 /
+ juju enable-ha -n 3
+ juju switch controller
+
+To deploy the bundle into the model run:
+
+ juju deploy --map-machines=existing ./bundle.yaml --overlay overlay-certificate.yaml
diff --git a/charms/bundles/controller/bundle.yaml b/charms/bundles/controller/bundle.yaml
new file mode 100644
index 000000000..8c5ae93a8
--- /dev/null
+++ b/charms/bundles/controller/bundle.yaml
@@ -0,0 +1,20 @@
+applications:
+ controller:
+ charm: ch:juju-controller
+ haproxy:
+ charm: ch:haproxy
+ num_units: 1
+ constraints: cores=1 mem=4G root-disk=30G
+ expose: true
+ series: focal
+ options:
+ default_mode: tcp
+ enable_monitoring: True
+ services: include-file://config/haproxy.yaml
+ peering_mode: active-active
+ ntp:
+ charm: ch:ntp
+relations:
+ - ["ntp", "haproxy"]
+ - ["ntp", "controller"]
+ - ["controller", "haproxy"]
diff --git a/charms/bundles/controller/config/haproxy.yaml b/charms/bundles/controller/config/haproxy.yaml
new file mode 100644
index 000000000..8c8f9b192
--- /dev/null
+++ b/charms/bundles/controller/config/haproxy.yaml
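Review bot: `enable_monitoring: True` on an application that is also `expose: true` turns on the haproxy charm's stats listener without setting any of the charm's monitoring credentials or allowed-source options, so whatever the charm ships as defaults is what protects that page on a public-facing unit (I believe the relevant options are `monitoring_allowed_cidr`, `monitoring_username` and `monitoring_password`; confirm against the charm). Either set them explicitly under `options:` or leave monitoring off in the base bundle and enable it from an overlay that configures them at the same time. Separately, write the value as `enable_monitoring: true`, and note that `series: focal` here differs from `series: jammy` for the same haproxy charm in the JIMM bundle.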
@@ -0,0 +1,16 @@
+- service_name: app-controller
+ service_host: "0.0.0.0"
+ service_port: 443
+ service_options:
+ - mode http
+ - balance leastconn
+ - option httpchk GET / HTTP/1.1\r\nHost:\ juju-apiserver\r\nConnection:\ Upgrade\r\nUpgrade:\ websocket\r\nSec-WebSocket-Key:\ aGFwcm94eQ==\r\nSec-WebSocket-Version:\ 13\r\nSec-WebSocket-Protocol:\ echo-protocol
+ - http-check expect status 101
+ server_options: ssl verify none check
+ crts: [DEFAULT]
+- service_name: api_http
+ service_host: "0.0.0.0"
+ service_port: 80
+ service_options:
+ - mode http
+ - http-request redirect scheme https
diff --git a/charms/bundles/controller/overlay-certbot.yaml b/charms/bundles/controller/overlay-certbot.yaml
new file mode 100644
index 000000000..ab3c3eca3
--- /dev/null
+++ b/charms/bundles/controller/overlay-certbot.yaml
@@ -0,0 +1,10 @@
+# overlay-certbot.yaml
+# Overlay for deploying certbot to manage TLS certificates for a controller.
+applications:
+ certbot:
+ charm: ch:certbot
+ options:
+ combined-path: /var/lib/haproxy/default.pem
+ deploy-command: systemctl reload haproxy
+relations:
+ - ["certbot", "haproxy"]
diff --git a/charms/bundles/controller/overlay-certificate.yaml b/charms/bundles/controller/overlay-certificate.yaml
new file mode 100644
index 000000000..40e11c49f
--- /dev/null
+++ b/charms/bundles/controller/overlay-certificate.yaml
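Review bot: `server_options: ssl verify none check` disables certificate verification on the backend leg to the controller API, so HAProxy will accept any certificate from whatever answers on that path, not only the controller. The controller's API certificate is issued by the controller's own CA, so that CA could be pinned with `server_options: ssl verify required ca-file <path-to-controller-ca> check` once the CA bundle is made available on the haproxy units; the bundle currently has no mechanism for shipping it there. If `verify none` is deliberate because the CA cannot practically be distributed, a one-line comment saying so above `server_options` would stop it reading as an oversight.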
@@ -0,0 +1,18 @@
+# overlay-certificate.yaml
+# Overlay for configuring TLS certificates on the controller.
+applications:
+ haproxy:
+ options:
+ # Only the required options are included here, for the full set
+ # of available options see https://jaas.ai/haproxy.
+ #
+ # ssl_cert contains the certificate chain for the controller's
+ # DNS name. The file (./LOCAL/controller.crt by default) should
+ # contain the PEM encoded host certificate followed by any necessary
+ # intermediate certificates.
+ ssl_cert: include-base64://LOCAL/controller.crt
+ #
+ # ssl_key contains the PEM encoded private key that is signed in
+ # the host certificate provided in ssl_cert. This private key must
+ # be un-encrypted.
+ ssl_key: include-base64://LOCAL/controller.key
diff --git a/charms/bundles/controller/overlay-minimal.yaml b/charms/bundles/controller/overlay-minimal.yaml
new file mode 100644
index 000000000..5427c627f
--- /dev/null
+++ b/charms/bundles/controller/overlay-minimal.yaml
@@ -0,0 +1,13 @@
+# overlay-minimal.yaml
+# Overlay which defines a minimal deployment for use in testing or demo
+# deployments.
+applications:
+ controller:
+ num_units: 1
+ to:
+ - "0"
+ haproxy:
+ num_units: 1
+ constraints: cores=1
+machines:
+ "0":
diff --git a/charms/bundles/jimm/README.md b/charms/bundles/jimm/README.md
new file mode 100644
index 000000000..eacda00d5
--- /dev/null
+++ b/charms/bundles/jimm/README.md
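Review bot: The final `"0":` under `machines:` has no value, so it parses as `null` rather than an empty machine spec; `"0": {}` says the same thing unambiguously and does not depend on the bundle parser treating null as an empty mapping (I have not confirmed whether juju accepts the null form). The `to: - "0"` placement only makes sense together with the `--map-machines=existing` flag shown in the controller README, so a comment on `machines:` such as `# machine 0 is the existing controller machine; deploy with --map-machines=existing` would make the overlay self-describing.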
@@ -0,0 +1,63 @@
+JIMM Bundle
+===========
+
+This bundle deploys a highly-available JIMM system.
+
+Prerequisits
+------------
+
+In order to deploy the bundle a number of configuration items need to
+be prepared:
+
+### Identity-Location
+
+JIMM needs to know the location of the candid service that will provide
+the identity service. Configure the `identity-location` parameter in
+`local.yaml` to configure this.
+
+### Controller-Admin
+
+In order to add models to the controller users need to be in the
+controller admin group. An appropriate group needs to be identified,
+or created, in the customers identity provider and configured as the
+`controller-admin` parameter in `local.yaml`. If this is not present
+then no controllers can be added to the JAAS system.
+
+### Controller UUID
+
+The UUID of the JAAS controller needs to be configured. A suitable UUID
+can be created using `uuidgen`.
+
+### `LOCAL/agent-username`, `LOCAL/agent-private-key` & `LOCAL/agent-public-key`
+
+An agent user needs to be created in candid for JIMM to use to query
+user information. To create such an agent admin access to the candid
+service is required, most commonly this would be through the candid CLI
+using the admin agent created when deploying the candid service. A new
+agent is created using a command like:
+
+ CANDID_URL=https://candid.example.com candid -a admin.agent create-agent grouplist@candid
+
+This will display a json file containing the username along with both
+the public and private keys. Copy these values into the respective files
+in LOCAL.
+
+### TLS Certificates
+
+Get appropriate certificates from your CA and store the certificate
+chain in `LOCAL/jimm.crt`, and the private key in `LOCAL/jimm.key`.
+
+Deployment
+----------
+
+The bundle has some deployment options. To deploy just the base bundle,
+with all required secrets, run:
+
+ juju deploy ./bundle.yaml --overlay local.yaml
+
+If prometheus monitoring is also required in the model then run:
+
+ juju deploy ./bundle.yaml --overlay local.yaml --overlay overlay-prometheus.yaml
+
+Note that this command can be run on a previously deployed base system to
+"upgrade" it to provide prometheus.
diff --git a/charms/bundles/jimm/bundle.yaml b/charms/bundles/jimm/bundle.yaml
new file mode 100644
index 000000000..1661b4193
--- /dev/null
+++ b/charms/bundles/jimm/bundle.yaml
@@ -0,0 +1,31 @@
+applications:
+ haproxy:
+ charm: ch:haproxy
+ series: jammy
+ num_units: 1
+ constraints: cores=1 mem=4G root-disk=30G
+ expose: true
+ options:
+ default_mode: tcp
+ enable_monitoring: True
+ services: include-file://config/haproxy.yaml
+ peering_mode: active-active
+ juju-jimm:
+ charm: ch:juju-jimm
+ channel: 1/edge
+ num_units: 1
+ constraints: arch=amd64 cores=1 mem=4G root-disk=30G
+ postgresql:
+ charm: ch:postgresql
+ num_units: 1
+ constraints: cores=2 mem=8G root-disk=50G
+ storage:
+ pgdata: 50G
+ ntp:
+ charm: ch:ntp
+relations:
+ - ["haproxy:reverseproxy", "juju-jimm:website"]
+ - ["juju-jimm", "postgresql"]
+ - ["ntp", "haproxy"]
+ - ["ntp", "juju-jimm"]
+ - ["ntp", "postgresql"]
diff --git a/charms/bundles/jimm/config/haproxy.yaml b/charms/bundles/jimm/config/haproxy.yaml
new file mode 100644
index 000000000..76758f323
--- /dev/null
+++ b/charms/bundles/jimm/config/haproxy.yaml
@@ -0,0 +1,18 @@
+- service_name: app-jimm
+ service_host: "0.0.0.0"
+ service_port: 443
+ service_options:
+ - mode http
+ - balance leastconn
+ - cookie SRVNAME insert
+ - option httpchk GET /debug/info HTTP/1.0
+ - acl metrics path -i /metrics
+ - http-request deny if metrics
+ server_options: check inter 2000 rise 2 fall 5 maxconn 4096
+ crts: [DEFAULT]
+- service_name: api_http
+ service_host: "0.0.0.0"
+ service_port: 80
+ service_options:
+ - mode http
+ - http-request redirect scheme https
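Review bot: The application is named `juju-jimm` here, but `local.yaml`, `overlay-minimal.yaml` and `overlay-prometheus.yaml` all address it as `jimm`, so the secrets and options in `local.yaml` would be applied to an application the base bundle does not define (I expect `juju deploy ./bundle.yaml --overlay local.yaml` to fail on the missing `charm` for `jimm`, and in any case the real application would receive none of that configuration). One name has to be used everywhere; renaming the application in this file to match the three overlays is the smaller change. `channel: 1/edge` pins a bundle the README calls highly-available to an edge channel, which deserves a comment if intended, and `enable_monitoring: True` should be written `true`.
```yaml
applications:
  # … unchanged: haproxy application …
  jimm:
    charm: ch:juju-jimm
  # … unchanged: channel, num_units, constraints; postgresql and ntp applications …
relations:
  - ["haproxy:reverseproxy", "jimm:website"]
  - ["jimm", "postgresql"]
  - ["ntp", "haproxy"]
  - ["ntp", "jimm"]
  - ["ntp", "postgresql"]
```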
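Review bot: The frontend denies `/metrics` but leaves `/debug/info` (the path the `option httpchk` probe uses) and the rest of `/debug/` reachable from the public 443 listener; if those paths exist only for health checks, add `- acl debug path_beg -i /debug` and `- http-request deny if debug` next to the metrics rule, which does not affect the probe because HAProxy health checks go to the backend directly. Since port 80 redirects to https, the affinity cookie could also be `- cookie SRVNAME insert secure httponly` so it is never sent in clear or readable by page scripts. I cannot tell from the hunk whether `/debug/info` is intentionally public, so treat the first point as a question.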
diff --git a/charms/bundles/jimm/local.yaml b/charms/bundles/jimm/local.yaml
new file mode 100644
index 000000000..f17ba739c
--- /dev/null
+++ b/charms/bundles/jimm/local.yaml
@@ -0,0 +1,39 @@
+# Local configuration settings for JIMM.
+# These values will need to be supplied before a JIMM deployment
+# will succeed.
+applications:
+ jimm:
+ options:
+ # charmstore-location contains the address of the charmstore that
+ # provides charms for this JAAS system.
+ charmstore-location: https://api.jujucharms.com/charmstore
+ #
+ # identity-location contains the address of the candid that
+ # provides authentication for this JAAS system.
+ identity-location:
+ #
+ # controller-admin is the name of a candid group the members of
+ # which can administer controllers in this JAAS system.
+ controller-admin:
+ #
+ # controller-uuid contains the UUID reported by the JAAS controller.
+ controller-uuid:
+ #
+ # Secrets:
+ #
+ # agent-username contains the username of the candid agent that
+ # JIMM should use to interrogate user information from candid.
+ # By default this will be loaded from ./LOCAL/agent-username.
+ agent-username: include-file://LOCAL/agent-username
+ #
+ # agent-private-key contains the (base64 encoded) private key
+ # of the candid agent that JIMM should use to interrogate user
+ # information from candid. By default this will be loaded from
+ # ./LOCAL/agent-private-key.
+ agent-private-key: include-file://LOCAL/agent-private-key
+ #
+ # agent-public-key contains the (base64 encoded) private key
+ # of the candid agent that JIMM should use to interrogate user
+ # information from candid. By default this will be loaded from
+ # ./LOCAL/agent-public-key.
+ agent-public-key: include-file://LOCAL/agent-public-key
diff --git a/charms/bundles/jimm/overlay-certbot.yaml b/charms/bundles/jimm/overlay-certbot.yaml
new file mode 100644
index 000000000..ebf1c8add
--- /dev/null
+++ b/charms/bundles/jimm/overlay-certbot.yaml
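Review bot: The comment above `agent-public-key` is a copy of the `agent-private-key` one and describes the value as a private key; it should read `# agent-public-key contains the (base64 encoded) public key`. Also, `identity-location:`, `controller-admin:` and `controller-uuid:` are left as bare keys, which parse as `null` and so pass YAML loading silently when an operator forgets to fill them in, even though the header comment says they must be supplied. A quoted placeholder such as `identity-location: "<candid-url>"` (and likewise for the other two) fails more visibly at deploy time and documents the expected form.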
@@ -0,0 +1,10 @@
+# overlay-certbot.yaml
+# Overlay for deploying certbot to manage TLS certificates for candid.
+applications:
+ certbot:
+ charm: ch:certbot
+ options:
+ combined-path: /var/lib/haproxy/default.pem
+ deploy-command: systemctl reload haproxy
+relations:
+ - ["certbot", "haproxy"]
diff --git a/charms/bundles/jimm/overlay-certificate.yaml b/charms/bundles/jimm/overlay-certificate.yaml
new file mode 100644
index 000000000..775b0b0f7
--- /dev/null
+++ b/charms/bundles/jimm/overlay-certificate.yaml
@@ -0,0 +1,17 @@
+# overlay-certificate.yaml
+# Overlay for configuring TLS certificates in JIMM.
+applications:
+ haproxy:
+ options:
+ # Only the required options are included here, for the full set
+ # of available options see https://jaas.ai/haproxy.
+ #
+ # ssl_cert contains the certificate chain for JIMM. The file
+ # (./LOCAL/jimm.crt by default) should contain the PEM encoded host
+ # certificate followed by any necessary intermediate certificates.
+ ssl_cert: include-base64://LOCAL/jimm.crt
+ #
+ # ssl_key contains the PEM encoded private key that is signed in
+ # the host certificate provided in ssl_cert. This private key must
+ # be un-encrypted.
+ ssl_key: include-base64://LOCAL/jimm.key
diff --git a/charms/bundles/jimm/overlay-minimal.yaml b/charms/bundles/jimm/overlay-minimal.yaml
new file mode 100644
index 000000000..f17de9131
--- /dev/null
+++ b/charms/bundles/jimm/overlay-minimal.yaml
@@ -0,0 +1,12 @@
+# minimal.yaml defines a minimal deployment for use in testing or demo
+# deployments.
+applications:
+ haproxy:
+ num_units: 1
+ constraints: cores=1
+ jimm:
+ num_units: 1
+ constraints: arch=amd64 cores=1
+ postgresql:
+ num_units: 1
+ constraints: cores=1
diff --git a/charms/bundles/jimm/overlay-prometheus.yaml b/charms/bundles/jimm/overlay-prometheus.yaml
new file mode 100644
index 000000000..8cfe647bf
--- /dev/null
+++ b/charms/bundles/jimm/overlay-prometheus.yaml
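Review bot: The header comment says the overlay manages TLS certificates `for candid`, but this file lives in the JIMM bundle and relates certbot to the JIMM haproxy, so the wording looks like a leftover from another bundle; it should read `# Overlay for deploying certbot to manage TLS certificates for JIMM.`. The same header could also say that `combined-path` and `deploy-command` are what hand the issued certificate to haproxy, since that relation line is otherwise the only hint of how the two applications connect.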
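Review bot: The header comment names the file `minimal.yaml`, but the file is `overlay-minimal.yaml`, and unlike the controller variant it does not say it is an overlay; `# overlay-minimal.yaml defines a minimal overlay for use in testing or demo deployments.` keeps both bundles consistent. As far as I know an overlay's `constraints:` string replaces the base bundle's value rather than merging into it, so once this overlay is applied the `mem` and `root-disk` constraints from `bundle.yaml` no longer apply to any of the three applications; that is reasonable for a demo, but worth stating in the header so nobody expects the base sizing to survive.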
@@ -0,0 +1,19 @@
+applications:
+ prometheus:
+ charm: cs:prometheus2
+ num_units: 1
+ constraints: cpu-cores=2 mem=8G root-disk=50G
+ expose: true
+ options:
+ daemon-args: --storage.tsdb.retention=30d
+ telegraf-haproxy:
+ charm: cs:telegraf
+ telegraf-jimm:
+ charm: cs:telegraf
+relations:
+ - ["ntp", "prometheus"]
+ - ["prometheus:target", "jimm"]
+ - ["prometheus:target", "telegraf-haproxy:prometheus-client"]
+ - ["prometheus:target", "telegraf-jimm:prometheus-client"]
+ - ["telegraf-haproxy:haproxy", "haproxy:statistics"]
+ - ["telegraf-jimm", "jimm"]
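Review bot: `expose: true` on `prometheus` opens the Prometheus HTTP port outside the model, and Prometheus ships with no authentication enabled by default, so the JIMM metrics that `config/haproxy.yaml` deliberately denies at `/metrics` become readable through Prometheus' query API instead; unless an external consumer needs it, drop `expose: true` and reach Prometheus over the model network or through an authenticated front end. The charm references use the legacy `cs:` prefix (`cs:prometheus2`, `cs:telegraf`) while every other charm in this change uses `ch:`, and `cpu-cores=2` differs from the `cores=` spelling used in the base bundles; aligning both keeps the overlay resolving the same way as the bundle it extends.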