Since Juju 2.9, operators can control the expose parameters (CIDRs and/or spaces that are allowed access to the port ranges opened by exposed applications) for the entire application and/or on a per-endpoint basis.
Application expose parameters can also be specified in bundles. However, as expose parameters are deployment-specific, they can only be provided as part of an overlay. Consider the following multi-document bundle:
```yaml
applications:
  mysql:
    charm: "cs:mysql-57"
    num_units: 1
--- # overlay
applications:
  mysql:
    exposed-endpoints:
      "":
        expose-to-cidrs:
        - 0.0.0.0/0
        - ::/0
      db-admin:
        expose-to-spaces:
        - dmz
        expose-to-cidrs:
        - 192.168.0.0/24
```
This is equivalent to the following commands:
```
juju deploy cs:mysql-57
juju expose mysql --to-cidrs 0.0.0.0/0,::/0
juju expose mysql --endpoints db-admin --to-spaces dmz --to-cidrs 192.168.0.0/24
```
As a result of the above commands, the mysql application will be exposed and:
- All port ranges opened by the charm for any endpoint except `db-admin` will be reachable by any IP address.
- Port ranges opened by the charm for the `db-admin` endpoint will only be reachable by IPs that are part of the `192.168.0.0/24` block or belong to a subnet associated with the
When using this particular feature, the bundle must not also contain an `expose: true` field or Juju will display an error when attempting to deploy the bundle.
This constraint prevents operators from accidentally exposing all ports for an application when attempting to deploy such a bundle to a pre-2.9 controller, as older controllers would honor the `expose: true` flag but would not interpret the
In addition, 2.9 (and newer) Juju clients will also display an error when attempting to deploy a bundle containing an `exposed-endpoints` section to a pre-2.9 controller.
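
The per-endpoint precedence and the `expose: true` conflict described above can be reviewed before a bundle is deployed. The following Python is an added example, not part of Juju or of the original page: it takes the overlay as already-parsed data and reports world-open endpoints and the conflicting field. The function names, the `db` endpoint used when calling it, and the subnet assigned to the `dmz` space are assumptions made for illustration.

```python
import ipaddress

# Constructed input: the overlay document above, as a YAML loader would return it.
OVERLAY = {"applications": {"mysql": {"exposed-endpoints": {
    "": {"expose-to-cidrs": ["0.0.0.0/0", "::/0"]},
    "db-admin": {"expose-to-spaces": ["dmz"],
                 "expose-to-cidrs": ["192.168.0.0/24"]},
}}}}
# Assumption: subnets that make up the "dmz" space (deployment-specific).
SPACE_SUBNETS = {"dmz": ["10.10.0.0/24"]}


def audit(bundle):
    """Return findings for each application in a parsed bundle."""
    findings = []
    for app, spec in bundle.get("applications", {}).items():
        endpoints = spec.get("exposed-endpoints") or {}
        if endpoints and spec.get("expose"):
            findings.append(f"{app}: expose: true used with exposed-endpoints")
        for ep, params in endpoints.items():
            label = ep or "(all other endpoints)"
            for cidr in params.get("expose-to-cidrs", []):
                if ipaddress.ip_network(cidr).prefixlen == 0:
                    findings.append(f"{app}/{label}: open to {cidr}")
    return findings


def allowed(bundle, app, endpoint, src_ip, space_subnets=SPACE_SUBNETS):
    """True if src_ip may reach the port ranges opened for `endpoint`.

    A per-endpoint entry takes precedence over the "" entry. Only entries
    that list CIDRs and/or spaces, as on this page, are modelled.
    """
    endpoints = bundle["applications"][app].get("exposed-endpoints") or {}
    params = endpoints.get(endpoint, endpoints.get(""))
    if params is None:
        return False
    cidrs = list(params.get("expose-to-cidrs", []))
    for space in params.get("expose-to-spaces", []):
        cidrs += space_subnets.get(space, [])
    ip = ipaddress.ip_address(src_ip)
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return any(ip.version == n.version and ip in n for n in nets)
```

Calling `audit(OVERLAY)` lists the two world-open CIDRs on the `""` entry, and `allowed(OVERLAY, "mysql", "db-admin", "203.0.113.7")` returns `False` because the `db-admin` entry replaces the wildcard rule for that endpoint.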