Concerning production controllers, there are a few things I was hoping to get out in the open and get some input on, and possibly get into the docs as well.
When deploying a controller, what are my options for SSL/TLS?
I see some bootstrap configs for lets-encrypt, and some config for what looks like manual key/cert specification. At first glance I'm not sure how to take advantage of these. Some docs/example on this would be super.
What are my options for custom identity backends?
I have a feeling this may be something up and coming per the bootstrap-config description? Or possibly this is something I can take advantage of?
Maybe we build a table of what the possible controller deployment options are around the big features like identity backend options and ssl/fqdn configuration, possibly just a few solid example commands to go along with descriptions for these features would be great too. I would be happy to help out here in any way I can.
The documentation on configuring controllers (https://docs.jujucharms.com/2.4/en/controllers-config) does already have a big table with these values mentioned, although at the current time the "identity" ones are marked as "not yet implemented".
Some extra examples to go in the docs for specific use cases would be great though.
Thanks for the questions @jamesbeedy. I thought I had a blog post on using the let's encrypt but while I used it for demos I don't talk about that step in particular. I'll set up a discourse post on it today.
For the external auth, well that's built around JAAS and if you'd like to have a custom setup such as that you should engage with @uros-jovanovic around the on premises JAAS offerings.
I've put together a walk through on using Let's Encrypt for a controller here:
One thing I've not played with is doing this over HA controllers and having HA failures/etc. I think that's not as well tested as I tend to use it more for demos and when folks are running things in production they will use their own provided certificates vs let's encrypt.
Hello @jamesbeedy, we are at this stage in our MAAS environment now and would appreciate some help.
Advice on how to integrate with an external identity provider (ubuntu one)
How to co-exist with our Active Directory identity provider.
Do we need to "choose either one" or can we use many?
A few months ago, we were talking to @uros-jovanovic about this but at that time we were not in the knowledge-zone to be able to communicate our situation properly. That has changed now and we could possibly make a few first steps.
This should fall under "[docs] Examples needed for external identity configurations".
@pmatulis^
This might fall under something like "Candid <-> Juju integration documentation" - although I'm not sure this is meant to be a publicly usable system (it may be a system Canonical is developing for use of facilitating customers with this type of use case through contract... not really sure).
I stepped through a tutorial on using Candid with LXD the other day, so it is starting to creep out of its repo as something that's being offered for general use.
Putting controllers in VMs in pods is definitely a fine way to go about things. You need to be careful as HA controllers only work well if they're on different hardware so you'd need a few pods to spread them out into.