I was finally able to set up and deploy Vault successfully recently, only to notice that it is issuing SSL certs to OpenStack based on the hostnames that Juju supplied on charm deployment. I’m not sure if this is configurable in Vault?
Procedurally, what is the best practice for using SSL in this kind of environment, successfully setting up charms to talk to each other via SSL (am I wrong here; what’s the point of Vault)? I noticed a configuration option to set charms to use MAAS as DNS, but even if I set up the charm in MAAS as “cinder.DOMAIN.TDL” for Cinder, Vault still issues an SSL cert for something like “juju-d3cbed-0-lxd-0”. This results in an error when OpenStack tries to talk to “cinder.DOMAIN.TDL” via SSL, as it gets a cert signed for “juju-d3cbed-0-lxd-0”, not what is configured in the charm for “os-public-hostname” or any of the other “os-(admin|internal)-hostname” settings. Another example is with OpenStack-dashboard: I have a DNS entry for horizon.DOMAIN.TDL and Vault issues an SSL cert for “juju--0-lxd-0”; I can see it in the browser when accessing the site. I’m not sure how it’s related, but the SSL cert issued to the dashboard by Vault is unreadable by Apache, fixable with chmod +r a
How do I handle this behavior? Do I set up systems in MAAS with hostnames before using Juju for the deployment of charms and force Juju to deploy charms to specific hosts (I’m going to need guidance on that), or is there a way to adjust this behavior in Vault? Can the hostnames be changed after deployment? Should I be using CNAME records instead of A records for the hostnames, and how does this work with Vault? What is “dns-ha-access-record”?
I did find the Designate charm for DNS, but I’m not sure how it works or if it’s necessary for this situation.
I feel lost all of a sudden; PKI is not a strong skill of mine.
Thank you for your kind feedback.
*DOMAIN.TDL is a placeholder, as I’m sanitizing my cloud for privacy reasons.
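The failure described in the post is a plain hostname-mismatch: a TLS client checks the name it connected to (cinder.DOMAIN.TDL, horizon.DOMAIN.TDL) against the certificate's Subject Alternative Name list, and a cert whose only DNS name is the Juju container name will never pass that check no matter what DNS says. The script below is an added example, not code from the post, from Vault or from the OpenStack charms: it parses the SAN block as printed by `openssl x509 -noout -ext subjectAltName`, applies the client-side name match (exact, plus a single-label wildcard), and reports which endpoint hostnames a certificate does not cover. The two SAN blocks, the hostnames and the IP address are constructed to mirror the situation in the post, and the matching rules are implemented here for illustration rather than taken from any particular TLS library.

```python
"""
Added example (not part of the original post): check whether the DNS names in
a certificate's Subject Alternative Name extension cover the hostnames an
OpenStack endpoint is actually reached by.
"""
import re

# Constructed sample: what `openssl x509 -noout -ext subjectAltName` prints for
# a certificate issued only to the Juju container name (the case in the post).
SAN_TEXT_JUJU_ONLY = """X509v3 Subject Alternative Name:
    DNS:juju-d3cbed-0-lxd-0, IP Address:10.10.0.23
"""

# Constructed sample: a certificate that additionally carries the public and
# internal endpoint hostnames, which is what the client check needs to see.
SAN_TEXT_WITH_ENDPOINTS = """X509v3 Subject Alternative Name:
    DNS:juju-d3cbed-0-lxd-0, DNS:cinder.DOMAIN.TDL, DNS:cinder-internal.DOMAIN.TDL, IP Address:10.10.0.23
"""


def parse_san(text):
    """Return (dns_names, ip_addresses) parsed from openssl's SAN text block."""
    dns, ips = [], []
    for m in re.finditer(r"(DNS|IP Address):([^,\n]+)", text):
        kind, value = m.group(1), m.group(2).strip()
        (dns if kind == "DNS" else ips).append(value)
    return dns, ips


def dns_name_matches(pattern, hostname):
    """Client-style match: case-insensitive; '*' allowed only as the entire
    leftmost label and it must match exactly one label (so *.DOMAIN.TDL
    matches cinder.DOMAIN.TDL but not a.b.DOMAIN.TDL or DOMAIN.TDL)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    host_labels = hostname.split(".")
    # Require at least three labels so a wildcard can never stand for a
    # whole registrable domain like "*.tdl".
    return len(host_labels) >= 3 and ".".join(host_labels[1:]) == pattern[2:]


def hostname_covered(san_text, hostname):
    """True if a client connecting to `hostname` would accept this SAN list."""
    dns, ips = parse_san(san_text)
    if hostname in ips:  # client connected by IP literal, matched against IP SANs
        return True
    return any(dns_name_matches(p, hostname) for p in dns)


def missing_names(san_text, endpoint_hostnames):
    """Endpoint hostnames (e.g. the os-public/internal/admin-hostname values)
    that the certificate does not cover; an empty list means the cert is fine."""
    return [h for h in endpoint_hostnames if not hostname_covered(san_text, h)]


if __name__ == "__main__":
    endpoints = ["cinder.DOMAIN.TDL", "cinder-internal.DOMAIN.TDL"]
    for label, san in (("juju-name-only cert", SAN_TEXT_JUJU_ONLY),
                       ("cert with endpoint names", SAN_TEXT_WITH_ENDPOINTS)):
        print(f"{label}: SAN DNS names = {parse_san(san)[0]}")
        print(f"  endpoint names NOT covered: {missing_names(san, endpoints)}")
```

To run the same check against a live service, feed it the real SAN block, for example `openssl s_client -connect cinder.DOMAIN.TDL:<port> -servername cinder.DOMAIN.TDL </dev/null 2>/dev/null | openssl x509 -noout -ext subjectAltName` (the `-ext` option needs OpenSSL 1.1.1 or newer). Whatever fixes the deployment, the certificate presented on each endpoint must end up with an empty "not covered" list for every name clients use; the Juju container name being present as well does no harm.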