Merge branch 'main' into charm-jimm-snap-install-fix-01
alesstimec authored Jul 12, 2023
2 parents a1cf7df + 2aad6ee commit e754c43
Showing 14 changed files with 316 additions and 0 deletions.
30 changes: 30 additions & 0 deletions charms/bundles/controller/README.md
@@ -0,0 +1,30 @@
Controller Bundle
=================

This bundle deploys a highly-available controller system, suitable for use in JAAS.

Prerequisits
------------

In order to deploy the bundle the following configuration items need to
be prepared:

### TLS Certificates

Get appropriate certificates from your CA and store the certificate
chain in `LOCAL/controller.crt`, and the private key in `LOCAL/controller.key`.

Deployment
----------

This bundle needs to be deployed on top of an already existing controller
model.

To bootstrap an appropriate model run commands like the following:
juju bootstrap --bootstrap-constraints="cores=8 mem=8G root-disk=50G" --config identity-url=<candid URL> --config allow-model-access=true --config public-dns-address=<DNS of the controller>:443 <cloud>/<region> <name>
juju enable-ha -n 3
juju switch controller

To deploy the bundle into the model run:

juju deploy --map-machines=existing ./bundle.yaml --overlay overlay-certificate.yaml
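Review bot: the shell commands at the lines beginning `juju bootstrap`, `juju enable-ha`, `juju switch` and `juju deploy` are not indented or fenced as code, so Markdown will render the three bootstrap commands as one run-on paragraph; indent them by four spaces or put them in a fence. Also fix the heading typo `Prerequisits` to `Prerequisites`, and mention the other overlays shipped in the same directory (overlay-certbot.yaml and overlay-minimal.yaml) so a reader knows they exist and when each applies.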
20 changes: 20 additions & 0 deletions charms/bundles/controller/bundle.yaml
@@ -0,0 +1,20 @@
applications:
controller:
charm: ch:juju-controller
haproxy:
charm: ch:haproxy
num_units: 1
constraints: cores=1 mem=4G root-disk=30G
expose: true
series: focal
options:
default_mode: tcp
enable_monitoring: True
services: include-file://config/haproxy.yaml
peering_mode: active-active
ntp:
charm: ch:ntp
relations:
- ["ntp", "haproxy"]
- ["ntp", "controller"]
- ["controller", "haproxy"]
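Review bot: `enable_monitoring: True` on the `haproxy` application turns on the HAProxy stats listener on an application that is also `expose: true`; confirm the stats endpoint uses non-default credentials or is not reachable from the exposed interface before this bundle is used for a production controller. Minor: `default_mode: tcp` is overridden to `mode http` by every service in config/haproxy.yaml, so either drop it or add a comment explaining why the default differs from the configured services.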
16 changes: 16 additions & 0 deletions charms/bundles/controller/config/haproxy.yaml
@@ -0,0 +1,16 @@
- service_name: app-controller
service_host: "0.0.0.0"
service_port: 443
service_options:
- mode http
- balance leastconn
- option httpchk GET / HTTP/1.1\r\nHost:\ juju-apiserver\r\nConnection:\ Upgrade\r\nUpgrade:\ websocket\r\nSec-WebSocket-Key:\ aGFwcm94eQ==\r\nSec-WebSocket-Version:\ 13\r\nSec-WebSocket-Protocol:\ echo-protocol
- http-check expect status 101
server_options: ssl verify none check
crts: [DEFAULT]
- service_name: api_http
service_host: "0.0.0.0"
service_port: 80
service_options:
- mode http
- http-request redirect scheme https
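Review bot: `server_options: ssl verify none check` disables verification of the controller API server's certificate on the haproxy-to-backend leg, so any host answering on the backend address would be accepted; the controller CA is known at bootstrap time, so prefer `ssl verify required ca-file <controller CA>` or at least document in a comment why verification is turned off here. The hand-crafted `option httpchk` websocket upgrade request together with `http-check expect status 101` is correct for a Juju apiserver, but a one-line comment explaining what it probes would help the next maintainer.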
10 changes: 10 additions & 0 deletions charms/bundles/controller/overlay-certbot.yaml
@@ -0,0 +1,10 @@
# overlay-certbot.yaml
# Overlay for deploying certbot to manage TLS certificates for a controller.
applications:
certbot:
charm: ch:certbot
options:
combined-path: /var/lib/haproxy/default.pem
deploy-command: systemctl reload haproxy
relations:
- ["certbot", "haproxy"]
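Review bot: this overlay is not mentioned in the README, which documents only overlay-certificate.yaml; add a line stating that overlay-certbot.yaml is an alternative to overlay-certificate.yaml (both supply haproxy's certificate, so they should not be applied together). None of certbot's issuance settings (for example which DNS name to request a certificate for) are set here, so say where a deployer is expected to provide them.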
18 changes: 18 additions & 0 deletions charms/bundles/controller/overlay-certificate.yaml
@@ -0,0 +1,18 @@
# overlay-certificate.yaml
# Overlay for configuring TLS certificates on the controller.
applications:
haproxy:
options:
# Only the required options are included here, for the full set
# of available options see https://jaas.ai/haproxy.
#
# ssl_cert contains the certificate chain for the controller's
# DNS name. The file (./LOCAL/controller.crt by default) should
# contain the PEM encoded host certificate followed by any necessary
# intermediate certificates.
ssl_cert: include-base64://LOCAL/controller.crt
#
# ssl_key contains the PEM encoded private key that is signed in
# the host certificate provided in ssl_cert. This private key must
# be un-encrypted.
ssl_key: include-base64://LOCAL/controller.key
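Review bot: the comment on `ssl_key` reads "private key that is signed in the host certificate", which is not what a key is; say "the private key corresponding to the host certificate in ssl_cert". Because the key must be un-encrypted and is embedded base64 into the deployed configuration, the README should also tell users to keep `LOCAL/` out of version control; no `.gitignore` entry for it is part of this commit.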
13 changes: 13 additions & 0 deletions charms/bundles/controller/overlay-minimal.yaml
@@ -0,0 +1,13 @@
# overlay-minimal.yaml
# Overlay which defines a minimal deployment for use in testing or demo
# deployments.
applications:
controller:
num_units: 1
to:
- "0"
haproxy:
num_units: 1
constraints: cores=1
machines:
"0":
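Review bot: the `machines:` section ends with `"0":` and no value, which YAML parses as null; write `"0": {}` or add a comment so it is clearly intentional and matches the `to: ["0"]` placement of `controller`. The overlay leaves `haproxy` without a `to:` entry, so it will still be placed on a new machine in this minimal layout; if that is intended, say so in the header comment, and reference this overlay from the README.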
63 changes: 63 additions & 0 deletions charms/bundles/jimm/README.md
@@ -0,0 +1,63 @@
JIMM Bundle
===========

This bundle deploys a highly-available JIMM system.

Prerequisits
------------

In order to deploy the bundle a number of configuration items need to
be prepared:

### Identity-Location

JIMM needs to know the location of the candid service that will provide
the identity service. Configure the `identity-location` parameter in
`local.yaml` to configure this.

### Controller-Admin

In order to add models to the controller users need to be in the
controller admin group. An appropriate group needs to be identified,
or created, in the customers identity provider and configured as the
`controller-admin` parameter in `local.yaml`. If this is not present
then no controllers can be added to the JAAS system.

### Controller UUID

The UUID of the JAAS controller needs to be configured. A suitable UUID
can be created using `uuidgen`.

### `LOCAL/agent-username`, `LOCAL/agent-private-key` & `LOCAL/agent-public-key`

An agent user needs to be created in candid for JIMM to use to query
user information. To create such an agent admin access to the candid
service is required, most commonly this would be through the candid CLI
using the admin agent created when deploying the candid service. A new
agent is created using a command like:

CANDID_URL=https://candid.example.com candid -a admin.agent create-agent grouplist@candid

This will display a json file containing the username along with both
the public and private keys. Copy these values into the respective files
in LOCAL.

### TLS Certificates

Get appropriate certificates from your CA and store the certificate
chain in `LOCAL/jimm.crt`, and the private key in `LOCAL/jimm.key`.

Deployment
----------

The bundle has some deployment options. To deploy just the base bundle,
with all required secrets, run:

juju deploy ./bundle.yaml --overlay local.yaml

If prometheus monitoring is also required in the model then run:

juju deploy ./bundle.yaml --overlay local.yaml --overlay overlay-prometheus.yaml

Note that this command can be run on a previously deployed base system to
"upgrade" it to provide prometheus.
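Review bot: the Deployment section never applies overlay-certificate.yaml even though the TLS Certificates prerequisite asks for `LOCAL/jimm.crt` and `LOCAL/jimm.key`, so the documented `juju deploy ./bundle.yaml --overlay local.yaml` command brings up haproxy without the prepared certificate; add `--overlay overlay-certificate.yaml` (or the certbot overlay) to both commands. Also fix `Prerequisits` to `Prerequisites` and `customers identity provider` to `customer's identity provider`, indent the `candid ... create-agent` and `juju deploy` commands as code blocks, and note next to the create-agent step that the printed JSON contains the agent's private key, so the resulting `LOCAL/` files need the same handling as `LOCAL/jimm.key`.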
31 changes: 31 additions & 0 deletions charms/bundles/jimm/bundle.yaml
@@ -0,0 +1,31 @@
applications:
haproxy:
charm: ch:haproxy
series: jammy
num_units: 1
constraints: cores=1 mem=4G root-disk=30G
expose: true
options:
default_mode: tcp
enable_monitoring: True
services: include-file://config/haproxy.yaml
peering_mode: active-active
juju-jimm:
charm: ch:juju-jimm
channel: 1/edge
num_units: 1
constraints: arch=amd64 cores=1 mem=4G root-disk=30G
postgresql:
charm: ch:postgresql
num_units: 1
constraints: cores=2 mem=8G root-disk=50G
storage:
pgdata: 50G
ntp:
charm: ch:ntp
relations:
- ["haproxy:reverseproxy", "juju-jimm:website"]
- ["juju-jimm", "postgresql"]
- ["ntp", "haproxy"]
- ["ntp", "juju-jimm"]
- ["ntp", "postgresql"]
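Review bot: the application is named `juju-jimm` here, but local.yaml, overlay-minimal.yaml and overlay-prometheus.yaml all configure an application called `jimm`, so those overlays will not apply to this application; rename one side so the names agree. Also `channel: 1/edge` pins the bundle to an edge channel and `arch=amd64` appears only on this application; both may be intentional but deserve a comment.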
18 changes: 18 additions & 0 deletions charms/bundles/jimm/config/haproxy.yaml
@@ -0,0 +1,18 @@
- service_name: app-jimm
service_host: "0.0.0.0"
service_port: 443
service_options:
- mode http
- balance leastconn
- cookie SRVNAME insert
- option httpchk GET /debug/info HTTP/1.0
- acl metrics path -i /metrics
- http-request deny if metrics
server_options: check inter 2000 rise 2 fall 5 maxconn 4096
crts: [DEFAULT]
- service_name: api_http
service_host: "0.0.0.0"
service_port: 80
service_options:
- mode http
- http-request redirect scheme https
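Review bot: the `cookie SRVNAME insert` stickiness cookie is set without `secure` or `httponly` attributes, so even though the service listens on 443 a browser may still send it over plaintext and page scripts can read it; use `cookie SRVNAME insert secure httponly` (optionally with `indirect nocache`). The `acl metrics` / `http-request deny if metrics` pair correctly keeps `/metrics` off the public listener, but `/debug/info`, used by `option httpchk`, is still served to anyone; confirm that endpoint is meant to be public.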
39 changes: 39 additions & 0 deletions charms/bundles/jimm/local.yaml
@@ -0,0 +1,39 @@
# Local configuration settings for JIMM.
# These values will need to be supplied before a JIMM deployment
# will succeed.
applications:
jimm:
options:
# charmstore-location contains the address of the charmstore that
# provides charms for this JAAS system.
charmstore-location: https://api.jujucharms.com/charmstore
#
# identity-location contains the address of the candid that
# provides authentication for this JAAS system.
identity-location:
#
# controller-admin is the name of a candid group the members of
# which can administer controllers in this JAAS system.
controller-admin:
#
# controller-uuid contains the UUID reported by the JAAS controller.
controller-uuid:
#
# Secrets:
#
# agent-username contains the username of the candid agent that
# JIMM should use to interrogate user information from candid.
# By default this will be loaded from ./LOCAL/agent-username.
agent-username: include-file://LOCAL/agent-username
#
# agent-private-key contains the (base64 encoded) private key
# of the candid agent that JIMM should use to interrogate user
# information from candid. By default this will be loaded from
# ./LOCAL/agent-private-key.
agent-private-key: include-file://LOCAL/agent-private-key
#
# agent-public-key contains the (base64 encoded) private key
# of the candid agent that JIMM should use to interrogate user
# information from candid. By default this will be loaded from
# ./LOCAL/agent-public-key.
agent-public-key: include-file://LOCAL/agent-public-key
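Review bot: the comment above `agent-public-key` says "(base64 encoded) private key"; it was copied from the `agent-private-key` block and should read "public key". The application is configured as `jimm` while bundle.yaml names it `juju-jimm`, so this overlay will not apply until the names match. `identity-location`, `controller-admin` and `controller-uuid` are deliberately left empty, but a trailing `# REQUIRED` comment on each would make the keys a deployer must fill in obvious, and the `include-file://LOCAL/...` secrets mean `LOCAL/` must never be committed.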
10 changes: 10 additions & 0 deletions charms/bundles/jimm/overlay-certbot.yaml
@@ -0,0 +1,10 @@
# overlay-certbot.yaml
# Overlay for deploying certbot to manage TLS certificates for candid.
applications:
certbot:
charm: ch:certbot
options:
combined-path: /var/lib/haproxy/default.pem
deploy-command: systemctl reload haproxy
relations:
- ["certbot", "haproxy"]
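Review bot: the description comment says this overlay manages TLS certificates "for candid", but the file lives in the JIMM bundle and relates certbot to JIMM's haproxy; change it to "for JIMM". As in the controller bundle, the README does not mention this overlay or that it is an alternative to overlay-certificate.yaml rather than something to apply alongside it.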
17 changes: 17 additions & 0 deletions charms/bundles/jimm/overlay-certificate.yaml
@@ -0,0 +1,17 @@
# overlay-certificate.yaml
# Overlay for configuring TLS certificates in JIMM.
applications:
haproxy:
options:
# Only the required options are included here, for the full set
# of available options see https://jaas.ai/haproxy.
#
# ssl_cert contains the certificate chain for JIMM. The file
# (./LOCAL/jimm.crt by default) should contain the PEM encoded host
# certificate followed by any necessary intermediate certificates.
ssl_cert: include-base64://LOCAL/jimm.crt
#
# ssl_key contains the PEM encoded private key that is signed in
# the host certificate provided in ssl_cert. This private key must
# be un-encrypted.
ssl_key: include-base64://LOCAL/jimm.key
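Review bot: the `ssl_key` comment ("private key that is signed in the host certificate") should read "the private key corresponding to the host certificate in ssl_cert", and because the README's deploy commands never pass `--overlay overlay-certificate.yaml`, this file is unreachable from the documented procedure; either add it to those commands or explain here when it is applied.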
12 changes: 12 additions & 0 deletions charms/bundles/jimm/overlay-minimal.yaml
@@ -0,0 +1,12 @@
# minimal.yaml defines a minimal deployment for use in testing or demo
# deployments.
applications:
haproxy:
num_units: 1
constraints: cores=1
jimm:
num_units: 1
constraints: arch=amd64 cores=1
postgresql:
num_units: 1
constraints: cores=1
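Review bot: the header comment refers to `minimal.yaml` but the file is overlay-minimal.yaml, and the overlay configures `jimm`, which does not match the `juju-jimm` application in bundle.yaml, so it would not reduce the JIMM unit's constraints as intended. Note also that `postgresql` is cut to `cores=1` but keeps the 50G `pgdata` storage from the base bundle; mention that if the goal is a genuinely small test deployment.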
19 changes: 19 additions & 0 deletions charms/bundles/jimm/overlay-prometheus.yaml
@@ -0,0 +1,19 @@
applications:
prometheus:
charm: cs:prometheus2
num_units: 1
constraints: cpu-cores=2 mem=8G root-disk=50G
expose: true
options:
daemon-args: --storage.tsdb.retention=30d
telegraf-haproxy:
charm: cs:telegraf
telegraf-jimm:
charm: cs:telegraf
relations:
- ["ntp", "prometheus"]
- ["prometheus:target", "jimm"]
- ["prometheus:target", "telegraf-haproxy:prometheus-client"]
- ["prometheus:target", "telegraf-jimm:prometheus-client"]
- ["telegraf-haproxy:haproxy", "haproxy:statistics"]
- ["telegraf-jimm", "jimm"]
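Review bot: `expose: true` on `prometheus` publishes the Prometheus web UI and query API, which carry no authentication, to the exposed network, undoing the effort in config/haproxy.yaml to deny `/metrics` externally; drop `expose` and reach the UI through a proxy or tunnel instead. Secondary points: `cs:prometheus2` and `cs:telegraf` come from the legacy charm store while everything else uses `ch:`, the constraint key is `cpu-cores` here but `cores` elsewhere, and the relations target `jimm` rather than the `juju-jimm` application defined in bundle.yaml.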
