How to specify application expose parameters within a bundle

Since Juju 2.9, operators can control the expose parameters (CIDRs and/or spaces that are allowed access to the port ranges opened by exposed applications) for the entire application and/or on a per-endpoint basis.

Application expose parameters can also be specified in bundles. However, as expose parameters are deployment-specific, they can only be provided as part of an overlay. Consider the following multi-document bundle:

applications:
  mysql:
    charm: "cs:mysql-57"
    num_units: 1
--- # overlay
applications:
  mysql:
    exposed-endpoints:
      "":
        expose-to-cidrs:
        - 0.0.0.0/0
        - ::/0
      db-admin:
        expose-to-spaces:
        - dmz
        expose-to-cidrs:
        - 192.168.0.0/24

This is equivalent to the following commands:

juju deploy cs:mysql-57
juju expose mysql --to-cidrs 0.0.0.0/0,::/0
juju expose mysql --endpoints db-admin --to-spaces dmz --to-cidrs 192.168.0.0/24

As a result of the above commands, the mysql application will be exposed and:

  • All port ranges opened by the charm for any endpoint except db-admin will be reachable by any IP address.
  • Port ranges opened by the charm for the db-admin endpoint will only be reachable by IPs that are part of the 192.168.0.0/24 block or belong to a subnet associated with the dmz space.

When using this particular feature, the bundle must not also contain an expose: true field or Juju will display an error when attempting to deploy the bundle. This constraint prevents operators from accidentally exposing all ports for an application when attempting to deploy such a bundle to a pre 2.9 controller as older controllers would honor the expose: true flag but would not interpret the exposed-endpoints field. In addition, 2.9 (and newer) Juju clients will also display an error when attempting to deploy a bundle containing an exposed-endpoints section to a pre 2.9 controller.

1 Like