-
Notifications
You must be signed in to change notification settings - Fork 7
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge branch 'main' into charm-jimm-snap-install-fix-01
- Loading branch information
Showing
14 changed files
with
316 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,30 @@ | ||
Controller Bundle | ||
================= | ||
|
||
This bundle deploys a highly-available controller system, suitable for use in JAAS. | ||
|
||
Prerequisits | ||
------------ | ||
|
||
In order to deploy the bundle the following configuration items need to | ||
be prepared: | ||
|
||
### TLS Certificates | ||
|
||
Get appropriate certificates from your CA and store the certificate | ||
chain in `LOCAL/controller.crt`, and the private key in `LOCAL/controller.key`. | ||
|
||
Deployment | ||
---------- | ||
|
||
This bundle needs to be deployed on top of an already existing controller | ||
model. | ||
|
||
To bootstrap an appropriate model run commands like the following: | ||
juju bootstrap --bootstrap-constraints="cores=8 mem=8G root-disk=50G" --config identity-url=<candid URL> --config allow-model-access=true --config public-dns-address=<DNS of the controller>:443 <cloud>/<region> <name> | ||
juju enable-ha -n 3 | ||
juju switch controller | ||
|
||
To deploy the bundle into the model run: | ||
|
||
juju deploy --map-machines=existing ./bundle.yaml --overlay overlay-certificate.yaml |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,20 @@ | ||
applications: | ||
controller: | ||
charm: ch:juju-controller | ||
haproxy: | ||
charm: ch:haproxy | ||
num_units: 1 | ||
constraints: cores=1 mem=4G root-disk=30G | ||
expose: true | ||
series: focal | ||
options: | ||
default_mode: tcp | ||
enable_monitoring: True | ||
services: include-file://config/haproxy.yaml | ||
peering_mode: active-active | ||
ntp: | ||
charm: ch:ntp | ||
relations: | ||
- ["ntp", "haproxy"] | ||
- ["ntp", "controller"] | ||
- ["controller", "haproxy"] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,16 @@ | ||
- service_name: app-controller | ||
service_host: "0.0.0.0" | ||
service_port: 443 | ||
service_options: | ||
- mode http | ||
- balance leastconn | ||
- option httpchk GET / HTTP/1.1\r\nHost:\ juju-apiserver\r\nConnection:\ Upgrade\r\nUpgrade:\ websocket\r\nSec-WebSocket-Key:\ aGFwcm94eQ==\r\nSec-WebSocket-Version:\ 13\r\nSec-WebSocket-Protocol:\ echo-protocol | ||
- http-check expect status 101 | ||
server_options: ssl verify none check | ||
crts: [DEFAULT] | ||
- service_name: api_http | ||
service_host: "0.0.0.0" | ||
service_port: 80 | ||
service_options: | ||
- mode http | ||
- http-request redirect scheme https |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,10 @@ | ||
# overlay-certbot.yaml | ||
# Overlay for deploying certbot to manage TLS certificates for a controller. | ||
applications: | ||
certbot: | ||
charm: ch:certbot | ||
options: | ||
combined-path: /var/lib/haproxy/default.pem | ||
deploy-command: systemctl reload haproxy | ||
relations: | ||
- ["certbot", "haproxy"] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,18 @@ | ||
# overlay-certificate.yaml | ||
# Overlay for configuring TLS certificates on the controller. | ||
applications: | ||
haproxy: | ||
options: | ||
# Only the required options are included here, for the full set | ||
# of available options see https://jaas.ai/haproxy. | ||
# | ||
# ssl_cert contains the certificate chain for the controller's | ||
# DNS name. The file (./LOCAL/controller.crt by default) should | ||
# contain the PEM encoded host certificate followed by any necessary | ||
# intermediate certificates. | ||
ssl_cert: include-base64://LOCAL/controller.crt | ||
# | ||
# ssl_key contains the PEM encoded private key that is signed in | ||
# the host certificate provided in ssl_cert. This private key must | ||
# be un-encrypted. | ||
ssl_key: include-base64://LOCAL/controller.key |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
# overlay-minimal.yaml | ||
# Overlay which defines a minimal deployment for use in testing or demo | ||
# deployments. | ||
applications: | ||
controller: | ||
num_units: 1 | ||
to: | ||
- "0" | ||
haproxy: | ||
num_units: 1 | ||
constraints: cores=1 | ||
machines: | ||
"0": |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,63 @@ | ||
JIMM Bundle | ||
=========== | ||
|
||
This bundle deploys a highly-available JIMM system. | ||
|
||
Prerequisits | ||
------------ | ||
|
||
In order to deploy the bundle a number of configuration items need to | ||
be prepared: | ||
|
||
### Identity-Location | ||
|
||
JIMM needs to know the location of the candid service that will provide | ||
the identity service. Configure the `identity-location` parameter in | ||
`local.yaml` to configure this. | ||
|
||
### Controller-Admin | ||
|
||
In order to add models to the controller users need to be in the | ||
controller admin group. An appropriate group needs to be identified, | ||
or created, in the customers identity provider and configured as the | ||
`controller-admin` parameter in `local.yaml`. If this is not present | ||
then no controllers can be added to the JAAS system. | ||
|
||
### Controller UUID | ||
|
||
The UUID of the JAAS controller needs to be configured. A suitable UUID | ||
can be created using `uuidgen`. | ||
|
||
### `LOCAL/agent-username`, `LOCAL/agent-private-key` & `LOCAL/agent-public-key` | ||
|
||
An agent user needs to be created in candid for JIMM to use to query | ||
user information. To create such an agent admin access to the candid | ||
service is required, most commonly this would be through the candid CLI | ||
using the admin agent created when deploying the candid service. A new | ||
agent is created using a command like: | ||
|
||
CANDID_URL=https://candid.example.com candid -a admin.agent create-agent grouplist@candid | ||
|
||
This will display a json file containing the username along with both | ||
the public and private keys. Copy these values into the respective files | ||
in LOCAL. | ||
|
||
### TLS Certificates | ||
|
||
Get appropriate certificates from your CA and store the certificate | ||
chain in `LOCAL/jimm.crt`, and the private key in `LOCAL/jimm.key`. | ||
|
||
Deployment | ||
---------- | ||
|
||
The bundle has some deployment options. To deploy just the base bundle, | ||
with all required secrets, run: | ||
|
||
juju deploy ./bundle.yaml --overlay local.yaml | ||
|
||
If prometheus monitoring is also required in the model then run: | ||
|
||
juju deploy ./bundle.yaml --overlay local.yaml --overlay overlay-prometheus.yaml | ||
|
||
Note that this command can be run on a previously deployed base system to | ||
"upgrade" it to provide prometheus. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,31 @@ | ||
applications: | ||
haproxy: | ||
charm: ch:haproxy | ||
series: jammy | ||
num_units: 1 | ||
constraints: cores=1 mem=4G root-disk=30G | ||
expose: true | ||
options: | ||
default_mode: tcp | ||
enable_monitoring: True | ||
services: include-file://config/haproxy.yaml | ||
peering_mode: active-active | ||
juju-jimm: | ||
charm: ch:juju-jimm | ||
channel: 1/edge | ||
num_units: 1 | ||
constraints: arch=amd64 cores=1 mem=4G root-disk=30G | ||
postgresql: | ||
charm: ch:postgresql | ||
num_units: 1 | ||
constraints: cores=2 mem=8G root-disk=50G | ||
storage: | ||
pgdata: 50G | ||
ntp: | ||
charm: ch:ntp | ||
relations: | ||
- ["haproxy:reverseproxy", "juju-jimm:website"] | ||
- ["juju-jimm", "postgresql"] | ||
- ["ntp", "haproxy"] | ||
- ["ntp", "juju-jimm"] | ||
- ["ntp", "postgresql"] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,18 @@ | ||
- service_name: app-jimm | ||
service_host: "0.0.0.0" | ||
service_port: 443 | ||
service_options: | ||
- mode http | ||
- balance leastconn | ||
- cookie SRVNAME insert | ||
- option httpchk GET /debug/info HTTP/1.0 | ||
- acl metrics path -i /metrics | ||
- http-request deny if metrics | ||
server_options: check inter 2000 rise 2 fall 5 maxconn 4096 | ||
crts: [DEFAULT] | ||
- service_name: api_http | ||
service_host: "0.0.0.0" | ||
service_port: 80 | ||
service_options: | ||
- mode http | ||
- http-request redirect scheme https |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,39 @@ | ||
# Local configuration settings for JIMM. | ||
# These values will need to be supplied before a JIMM deployment | ||
# will succeed. | ||
applications: | ||
jimm: | ||
options: | ||
# charmstore-location contains the address of the charmstore that | ||
# provides charms for this JAAS system. | ||
charmstore-location: https://api.jujucharms.com/charmstore | ||
# | ||
# identity-location contains the address of the candid that | ||
# provides authentication for this JAAS system. | ||
identity-location: | ||
# | ||
# controller-admin is the name of a candid group the members of | ||
# which can administer controllers in this JAAS system. | ||
controller-admin: | ||
# | ||
# controller-uuid contains the UUID reported by the JAAS controller. | ||
controller-uuid: | ||
# | ||
# Secrets: | ||
# | ||
# agent-username contains the username of the candid agent that | ||
# JIMM should use to interrogate user information from candid. | ||
# By default this will be loaded from ./LOCAL/agent-username. | ||
agent-username: include-file://LOCAL/agent-username | ||
# | ||
# agent-private-key contains the (base64 encoded) private key | ||
# of the candid agent that JIMM should use to interrogate user | ||
# information from candid. By default this will be loaded from | ||
# ./LOCAL/agent-private-key. | ||
agent-private-key: include-file://LOCAL/agent-private-key | ||
# | ||
# agent-public-key contains the (base64 encoded) private key | ||
# of the candid agent that JIMM should use to interrogate user | ||
# information from candid. By default this will be loaded from | ||
# ./LOCAL/agent-public-key. | ||
agent-public-key: include-file://LOCAL/agent-public-key |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,10 @@ | ||
# overlay-certbot.yaml | ||
# Overlay for deploying certbot to manage TLS certificates for candid. | ||
applications: | ||
certbot: | ||
charm: ch:certbot | ||
options: | ||
combined-path: /var/lib/haproxy/default.pem | ||
deploy-command: systemctl reload haproxy | ||
relations: | ||
- ["certbot", "haproxy"] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,17 @@ | ||
# overlay-certificate.yaml | ||
# Overlay for configuring TLS certificates in JIMM. | ||
applications: | ||
haproxy: | ||
options: | ||
# Only the required options are included here, for the full set | ||
# of available options see https://jaas.ai/haproxy. | ||
# | ||
# ssl_cert contains the certificate chain for JIMM. The file | ||
# (./LOCAL/jimm.crt by default) should contain the PEM encoded host | ||
# certificate followed by any necessary intermediate certificates. | ||
ssl_cert: include-base64://LOCAL/jimm.crt | ||
# | ||
# ssl_key contains the PEM encoded private key that is signed in | ||
# the host certificate provided in ssl_cert. This private key must | ||
# be un-encrypted. | ||
ssl_key: include-base64://LOCAL/jimm.key |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
# minimal.yaml defines a minimal deployment for use in testing or demo | ||
# deployments. | ||
applications: | ||
haproxy: | ||
num_units: 1 | ||
constraints: cores=1 | ||
jimm: | ||
num_units: 1 | ||
constraints: arch=amd64 cores=1 | ||
postgresql: | ||
num_units: 1 | ||
constraints: cores=1 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,19 @@ | ||
applications: | ||
prometheus: | ||
charm: cs:prometheus2 | ||
num_units: 1 | ||
constraints: cpu-cores=2 mem=8G root-disk=50G | ||
expose: true | ||
options: | ||
daemon-args: --storage.tsdb.retention=30d | ||
telegraf-haproxy: | ||
charm: cs:telegraf | ||
telegraf-jimm: | ||
charm: cs:telegraf | ||
relations: | ||
- ["ntp", "prometheus"] | ||
- ["prometheus:target", "jimm"] | ||
- ["prometheus:target", "telegraf-haproxy:prometheus-client"] | ||
- ["prometheus:target", "telegraf-jimm:prometheus-client"] | ||
- ["telegraf-haproxy:haproxy", "haproxy:statistics"] | ||
- ["telegraf-jimm", "jimm"] |