Thanks for the pointer @jameinel.
What I’ll try first is to deploy the juju-controller (which I know works with both 2.9 and 2.0 controllers from this discussion), which has support for the http interface.
I might need to run
juju config controller-url='my-controller.example.com'
in the juju-controller charm to match the domain name for the cert. Not sure, but it seems likely. @wallyworld might know. There isn’t really much documentation about it yet.
With that I can first deploy HAProxy from Charmhub and then relate it to juju-controller:
juju relate haproxy juju-controller
Finally, I can deploy and relate a certbot/acme subordinate to haproxy. (We have rolled our own for this purpose, but there might be other public ones.)
Note: There is a certbot subordinate charm written by Martin Hilton that might be useful… I guess this part is where things get messy, since this may be very different for many users. I think that perhaps a “basic way to add a certificate for haproxy/tls” like this would need to use the haproxy built-in capability to “import” certificates via “juju config ssl_cert” and “juju config ssl_key” to demonstrate the concept and then refer to some existing certbot/acme charms for specific needs/setups.
I’ll see if I can get this through…
Definitely there should be some “best practice” published on this topic.