Adding a lxd remote, messing with credentials

I have found no good documentation yet on how to set up a juju client with a lxd remote. Maybe I’m missing something, but lxd with juju is fantastic, especially with a remote lxd.

Here is some feedback on this process, which unfortunately is really tedious and error prone. Made easy, it is an absolute killer!

My comment on this is that adding all the components of a remote LXD cloud’s credentials is very tedious and not very well documented.

The process of setting up juju, after you have your remote lxd host set up as you like it and before you are able to “juju bootstrap”, goes like this:

  1. You must generate (or have available at ~/snap/lxd/current/.config/lxc ) client.crt + client.key files which are unique to your client lxc.

(This is not documented in the juju docs at all nor referenced, but unless you have these it will fail except for localhost lxd.)

I normally run “lxc remote add …” and abort the process in the middle. This seems to generate a client.crt. I assume you use the snap version of lxc.

  2. I add the client.crt to the server side lxd trust and verify it’s good to go.

lxc config trust add client.crt
lxc config trust list

  3. Retrieve the server.crt from the remote lxd host and send it over to the client. The server.crt is located here on the lxd server:

/var/snap/lxd/common/lxd/server.crt

  4. Now you put all three files (client.crt, client.key and server.crt) into the “credentials.yaml” of juju, like this:

credentials:
  lxdcloud:
    erik:
      auth-type: certificate
      client-cert: |
        -----BEGIN CERTIFICATE-----
        xxxxxxxxxxx
        -----END CERTIFICATE-----
      client-key: |
        -----BEGIN EC PRIVATE KEY-----
        yyyyyyyyyyy
        -----END EC PRIVATE KEY-----
      server-cert: |
        -----BEGIN CERTIFICATE-----
        zzzzzzzzzz
        -----END CERTIFICATE-----

  5. Now you can add this cloud to your juju client (call it lxdcloud):

juju add-cloud --client

The “juju add-cloud” process or “juju add-credential” does not support asking for files here during the registration (unless you already have it all in a credentials.yaml file), so I always end up having to manually edit this/a file with this information. This typically generates incomprehensible linting errors as a consequence when I mess up, and it’s an awful experience for non juju gurus.

To be able to supply files (client.crt, client.key and server.crt) would be a huge improvement.

  6. Now you should be able to bootstrap your new juju cloud:

juju bootstrap lxdcloud

  7. Remove the possibility to use “trust password” with lxd as part of a production grade installation (you can always set a new one if you need it later):

lxc config unset core.trust_password

Having this process documented as part of the juju docs would be great. Perhaps it is.
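Since the pain point in step 4 is hand-editing the YAML and then getting opaque lint errors, here is an added example (not the poster’s script, and not part of juju or lxd) that assembles credentials.yaml from the three PEM files and checks each file’s BEGIN/END lines before embedding it. The client file paths follow the snap location given in the post; the local server.crt path and the cloud/credential names are assumptions.

```python
"""Build a Juju credentials.yaml for a remote LXD cloud from the three PEM
files the post lists (client.crt, client.key, server.crt).

Added example, not the poster's code. Assumed: the client cert and key are
in the snap lxc config directory named in the post, and server.crt has
already been copied to the current directory. The cloud and credential
names below are just the ones used in the post.
"""
import re
import sys
from pathlib import Path

# Default locations: client side from the post, server.crt assumed to have
# been copied into the working directory (step 3).
CLIENT_DIR = Path.home() / "snap/lxd/current/.config/lxc"
DEFAULT_FILES = {
    "client-cert": CLIENT_DIR / "client.crt",
    "client-key": CLIENT_DIR / "client.key",
    "server-cert": Path("server.crt"),
}

PEM_BEGIN = re.compile(r"^-----BEGIN ([A-Z ]+)-----$")
NAME_RE = re.compile(r"^[a-z][a-z0-9-]*$")  # keeps cloud/user names YAML-safe


def check_pem(field: str, pem: str) -> str:
    """Return the PEM text with blank lines and stray indentation removed,
    or raise ValueError naming the field so the mistake is easy to find.
    A wrong or missing BEGIN/END line is what usually produces the
    confusing errors from juju add-cloud / add-credential later on."""
    lines = [ln.strip() for ln in pem.splitlines() if ln.strip()]
    if not lines:
        raise ValueError(f"{field}: empty")
    m = PEM_BEGIN.match(lines[0])
    if not m:
        raise ValueError(f"{field}: first line is not a PEM BEGIN line")
    label = m.group(1)
    if field.endswith("-cert") and label != "CERTIFICATE":
        raise ValueError(f"{field}: expected a CERTIFICATE block, got {label}")
    if field == "client-key" and not label.endswith("PRIVATE KEY"):
        raise ValueError(f"{field}: expected a PRIVATE KEY block, got {label}")
    if lines[-1] != f"-----END {label}-----":
        raise ValueError(f"{field}: END line does not match BEGIN {label}")
    if len(lines) < 3:
        raise ValueError(f"{field}: no body between BEGIN and END")
    return "\n".join(lines)


def block_scalar(text: str, indent: int) -> str:
    """Render text as a YAML literal block (|), each line indented."""
    pad = " " * indent
    return "|\n" + "\n".join(pad + ln for ln in text.splitlines())


def build_credentials_yaml(cloud: str, user: str,
                           client_cert: str, client_key: str,
                           server_cert: str) -> str:
    """Produce the credentials.yaml text for one certificate credential,
    in the same layout as the post's example."""
    for name in (cloud, user):
        if not NAME_RE.match(name):
            raise ValueError(f"unsafe YAML key: {name!r}")
    out = ["credentials:", f"  {cloud}:", f"    {user}:",
           "      auth-type: certificate"]
    pems = {"client-cert": client_cert, "client-key": client_key,
            "server-cert": server_cert}
    for field, pem in pems.items():
        out.append(f"      {field}: " + block_scalar(check_pem(field, pem), 8))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # usage: python build_lxd_creds.py [cloud] [user] > credentials.yaml
    cloud = sys.argv[1] if len(sys.argv) > 1 else "lxdcloud"
    user = sys.argv[2] if len(sys.argv) > 2 else "erik"
    texts = {f: p.read_text() for f, p in DEFAULT_FILES.items()}
    sys.stdout.write(build_credentials_yaml(cloud, user, texts["client-cert"],
                                            texts["client-key"],
                                            texts["server-cert"]))
```

The generated file still goes through “juju add-cloud --client” and the bootstrap exactly as in steps 5 and 6; the script only removes the copy-and-indent step. Keep in mind the output contains the private key, so treat credentials.yaml with the same file permissions as client.key.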

@erik-lonroth thank you for the detailed post. I’m looking at the LXD documentation at the moment, I’ll be sure to integrate this into the documentation to make it clearer. Hopefully there is some way we can simplify this process.


Totally, I could provide more details on how to set up the LXD as well with an external router that provides DHCP etc. Setting up a LXD host in a good way is not covered very well either…

Unfortunately, the hardcore version with a LXD cluster is nothing I’ve tested yet - but that would be an absolutely amazing setup… Perhaps in the future when I have some more time to dig into that…