Reference: Filter Configuration

Currently, there are three filters available:

Limit to one request

This filter is disabled by default, and can be enabled by setting the following config:

juju config tls-constraints limit-to-one-request=True

This filter allows only a single CSR per application to be forwarded to a provider. That CSR can be switched out at any point and replaced with another, but only one CSR from a given application will ever be forwarded at a time.

If this filter is enabled after an application has already requested multiple CSRs, the filter denies every CSR from that application until the number of CSRs the requiring charm has outstanding is under 1.

Limit to first request

This filter is enabled by default, and can be disabled by setting the following config:

juju config tls-constraints limit-to-first-requester=False

This filter looks at the DNS names, IP addresses and OIDs in the requested CSR and reserves each value to the first application that requests it. This covers values in the Common Name as well as in the Subject Alternative Name (SAN) field.

Multiple units of the same application can request the same or different values from one another; all of them are reserved to that application.

An application releases the reservation on its values by withdrawing its CSR, after which any other application can reserve the previously taken values.

If this option is enabled after multiple applications have already requested the same SAN values, the filter blocks any new CSR from taking those values, and keeps blocking them until the number of requirers sharing those values falls below 1.

Allowed Options

These options cover the DNS names, IP addresses, OIDs, Common Name, Organization, Email and Country fields. This set of filters is disabled by default, and can be enabled by setting the following configs:

 juju config tls-constraints allowed-dns="myapp-([0-9]+)?\.mycompany\.com"
 juju config tls-constraints allowed-ips="172\.25\.0\.[0-9]*"
 juju config tls-constraints allowed-oids="1\.3\.6\.1\.4\.1\.28978\.[0-9.]*"
 juju config tls-constraints allowed-common-name="myapp-([0-9]+)?\.mycompany\.com"
 juju config tls-constraints allowed-organization="Canonical Ltd\."
 juju config tls-constraints allowed-email=".*@canonical\.com"
 juju config tls-constraints allowed-country-code="(UK|US|CA|PL|AE|HU|FR|TR|IT)$"

Each filter must be given a Python-style regular expression; CSRs whose corresponding field does not match the regex are filtered out.

If a filter is enabled after CSRs that do not match its regex have already been approved, those approvals are not reversed, but every future CSR is filtered, including CSRs coming from the same applications. This may break automatic renewal requests.
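The following is an added illustration of the "Limit to first request" reservation rule and the "Allowed Options" regex filters described above; it is not code from the tls-constraints charm. It assumes CSR fields are already parsed into plain Python values and that an allowed-* regex must match the whole field value (re.fullmatch), which the page does not confirm.

```python
import re
from collections import defaultdict

# Constructed allowed-* settings, copied from the example config above.
ALLOWED = {
    "dns": r"myapp-([0-9]+)?\.mycompany\.com",
    "ips": r"172\.25\.0\.[0-9]*",
    "email": r".*@canonical\.com",
    "country_code": r"(UK|US|CA|PL|AE|HU|FR|TR|IT)$",
}


def allowed_by_regex(csr_fields: dict, allowed: dict = ALLOWED) -> bool:
    """Return False if any configured field of the CSR fails its regex.

    Assumption: the whole value must match (re.fullmatch); fields with no
    configured regex are not checked, matching "disabled by default".
    """
    for key, pattern in allowed.items():
        for value in csr_fields.get(key, []):
            if re.fullmatch(pattern, value) is None:
                return False
    return True


class FirstRequesterFilter:
    """Reserve each requested DNS/IP/OID/CN value to the first application."""

    def __init__(self) -> None:
        self.owner = {}                # field value -> owning application
        self.held = defaultdict(set)   # application -> values it holds

    def request(self, app: str, values: set) -> bool:
        # Units of one application share the reservation; any value already
        # held by a different application blocks the whole CSR.
        if any(self.owner.get(v, app) != app for v in values):
            return False
        for v in values:
            self.owner[v] = app
            self.held[app].add(v)
        return True

    def withdraw(self, app: str) -> None:
        # Withdrawing the CSR releases every value the application held.
        for v in self.held.pop(app, set()):
            del self.owner[v]
```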