Possibly a bit more on my use case, and how I’m going about it
Goal:
- Deploy HA public facing juju controllers using my own key/cert/ca.
Steps to accomplish goal:
- Deploy HA Juju controllers that use my own key/cert by providing juju bootstrap with the correct config values.
  a) Identify the config values that matter for this use case (they can be found here):
     - ca-cert
     - autocert-dns-name
     - autocert-url
  b) Formulate the bootstrap command with the correct values:

     juju bootstrap aws/us-west-2 -n 3 --config ca-cert="$(cat my-ca.pem)" \
       --config autocert-dns-name="juju-controller-fqdn.example.com" \
       --config autocert-url="https://public-s3-bucket.com/cert"
Considering the bootstrap command and my use case, I guess I’m a little unsure of a few things still:
- Should the autocert-dns-name FQDN point to a load balancer that sits in front of the juju controllers, or should the FQDN assigned to autocert-dns-name contain values for all three controller public IP addresses?
- What are the actual requirements of autocert-url? I’m guessing this is probably a bit of ssl/dns knowledge that I’m just unfamiliar with that is external to juju? Possibly if I knew more about this autocert-url the rest would make more sense?
Looking at the default config for autocert-url leads me to believe I need to create a platform similar to Let’s Encrypt if I want to use this for my own ssl infrastructure.
Possibly it’s good enough to just provide a public key in a directory on S3? I need to do some more research around this.
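A pre-flight check for the three config values before they are handed to juju bootstrap, added here as an example and not part of the original post or of Juju itself. It assumes the operator's CA file is a single PEM CERTIFICATE block (only the PEM/DER envelope is checked, not the X.509 contents) and uses a constructed stand-in for my-ca.pem; the function and variable names are my own.

```python
import base64
import re
from urllib.parse import urlparse

# Constructed stand-in for my-ca.pem: a PEM envelope around the minimal DER
# SEQUENCE { INTEGER 0 }. It is NOT a real certificate, only enough to parse.
SAMPLE_CA_PEM = ("-----BEGIN CERTIFICATE-----\n"
                 + base64.b64encode(b"\x30\x03\x02\x01\x00").decode()
                 + "\n-----END CERTIFICATE-----\n")

# One DNS label: 1-63 chars of [a-z0-9-], not starting or ending with '-'.
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def check_ca_cert(pem: str) -> str:
    """Accept one PEM CERTIFICATE block with a DER body; reject anything else."""
    if "PRIVATE KEY" in pem:
        # ca-cert carries the CA's public certificate; a pasted key would leak it.
        raise ValueError("ca-cert must hold the CA certificate, never a private key")
    lines = [ln.strip() for ln in pem.strip().splitlines() if ln.strip()]
    if (len(lines) < 3 or lines[0] != "-----BEGIN CERTIFICATE-----"
            or lines[-1] != "-----END CERTIFICATE-----"):
        raise ValueError("ca-cert is not a single PEM CERTIFICATE block")
    der = base64.b64decode("".join(lines[1:-1]), validate=True)
    if not der or der[0] != 0x30:  # every X.509 certificate starts with a SEQUENCE
        raise ValueError("ca-cert body is not DER")
    return "\n".join(lines) + "\n"


def check_dns_name(name: str) -> str:
    """Normalise and validate the FQDN given to autocert-dns-name."""
    labels = name.lower().rstrip(".").split(".")
    if len(name) > 253 or len(labels) < 2 or not all(LABEL.match(l) for l in labels):
        raise ValueError(f"autocert-dns-name {name!r} is not a valid FQDN")
    return ".".join(labels)


def check_autocert_url(url: str) -> str:
    """Require an https:// URL with a host and no embedded credentials."""
    p = urlparse(url)
    if p.scheme != "https" or not p.hostname or p.username or p.password:
        raise ValueError("autocert-url must be an https:// URL without credentials")
    return url


def build_bootstrap_argv(cloud, controllers, ca_pem, dns_name, url):
    """Return the argv list for 'juju bootstrap' once all three values pass."""
    return ["juju", "bootstrap", cloud, "-n", str(controllers),
            "--config", "ca-cert=" + check_ca_cert(ca_pem),
            "--config", "autocert-dns-name=" + check_dns_name(dns_name),
            "--config", "autocert-url=" + check_autocert_url(url)]
```

Pass the returned list to subprocess.run rather than a shell string, so the multi-line PEM value never needs shell quoting.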