Tutorial: Getting Started with Self Signed Certificates

Getting started

In this tutorial, we will use the Self Signed Certificates charm to provide certificates to a requiring charm, with the TLS Certificates Requirer Operator acting as the requirer.

1. Install pre-requisites

Install MicroK8s:

sudo snap install microk8s

Enable the hostpath-storage MicroK8s add-on:

microk8s enable hostpath-storage

Install Juju:

sudo snap install juju

2. Bootstrap a Juju controller

Bootstrap a Juju controller:

juju bootstrap microk8s

Create a Juju model:

juju add-model demo

3. Deploy Self Signed Certificates

juju deploy self-signed-certificates

4. Deploy tls-certificates-requirer

juju deploy tls-certificates-requirer --channel=edge

5. Integrate the two charms

Integrate the charms with their tls-certificates interface:

juju integrate self-signed-certificates tls-certificates-requirer

Wait for both charms to be in the active/idle status.

ubuntu@server:~$ juju status
Model  Controller          Cloud/Region        Version  SLA          Timestamp
demo   microk8s-localhost  microk8s/localhost  3.1.7    unsupported  08:41:14-05:00

App                        Version  Status  Scale  Charm                      Channel  Rev  Address        Exposed  Message
self-signed-certificates            active      1  self-signed-certificates   stable    57  10.152.183.96  no       
tls-certificates-requirer           active      1  tls-certificates-requirer  edge      28  10.152.183.45  no       Certificate is available

Unit                          Workload  Agent  Address      Ports  Message
self-signed-certificates/0*   active    idle   10.1.182.39         
tls-certificates-requirer/0*  active    idle   10.1.182.21         Certificate is available

6. Retrieve the TLS Certificates

Use the TLS Certificates Requirer’s get-certificate action to retrieve the certificate it received from Self Signed Certificates:

juju run tls-certificates-requirer/0 get-certificate

You should expect this output (with different certificates of course):

ubuntu@server:~$ juju run tls-certificates-requirer/0 get-certificate
Running operation 1 with 1 task
  - task 2 on unit-tls-certificates-requirer-0

Waiting for task 2...
ca-certificate: |-
  -----BEGIN CERTIFICATE-----
  -----END CERTIFICATE-----
certificate: |-
  -----BEGIN CERTIFICATE-----
  -----END CERTIFICATE-----
csr: |-
  -----BEGIN CERTIFICATE REQUEST-----
  -----END CERTIFICATE REQUEST-----

Good job, you successfully used the Self Signed Certificates charm to provide certificates to a requiring charm.
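As an added example (not part of the original tutorial or the charm's own code), the script below checks a saved copy of the get-certificate output: it extracts the three PEM blocks, verifies that the certificate chains to the returned CA, and confirms that it carries the public key from the CSR. The function names extract_pem and verify_issued and the file name out.yaml are assumptions; it needs awk and the openssl CLI.

```shell
# Added example (not from the charm's docs). extract_pem and verify_issued are
# hypothetical helper names; requires awk and the openssl CLI.

# extract_pem KEY FILE: print the PEM block stored under "KEY: |-" in the
# action output, with the two-space YAML indentation stripped.
extract_pem() {
  awk -v key="$1" '
    $0 == (key ": |-") { grab = 1; next }  # header line of the wanted block
    grab && /^[^ ]/    { exit }            # next top-level key ends the block
    grab               { sub(/^  /, ""); print }
  ' "$2"
}

# verify_issued FILE: succeed only if "certificate" chains to "ca-certificate"
# and carries the same public key as "csr". The body runs in a subshell.
verify_issued() (
  tmp="$(mktemp -d)" || exit 2
  for key in ca-certificate certificate csr; do
    extract_pem "$key" "$1" > "$tmp/$key.pem"
  done
  rc=0
  # Chain, signature and validity-period check with the returned CA as trust anchor.
  openssl verify -CAfile "$tmp/ca-certificate.pem" "$tmp/certificate.pem" \
    >/dev/null 2>&1 || rc=1
  # The issued certificate must contain the key the requirer put in its CSR.
  cert_key="$(openssl x509 -in "$tmp/certificate.pem" -noout -pubkey 2>/dev/null)" || rc=1
  csr_key="$(openssl req -in "$tmp/csr.pem" -noout -pubkey 2>/dev/null)" || rc=1
  [ -n "$cert_key" ] && [ "$cert_key" = "$csr_key" ] || rc=1
  rm -rf "$tmp"
  exit "$rc"
)

# Usage: sh verify.sh out.yaml   (out.yaml = saved get-certificate output)
if [ -n "${1:-}" ]; then
  verify_issued "$1" && echo "OK: certificate chains to the CA and matches the CSR"
fi
```

A failure here means the certificate was not issued by the CA the action returned, has expired, or was issued for a different key than the one in the CSR.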

7. Destroy the environment

Kill the Juju controller:

juju kill-controller microk8s-localhost

Uninstall the Juju and MicroK8s snaps:

sudo snap remove microk8s juju --purge

Are there any hardware requirements for this charm? I couldn't find it anywhere in the documentation. I use an arm64 machine, and the charm doesn’t seem to be working. I see the pod is stuck in pending state due to the nodeSelector being specified as amd64. Could you help clarify this?

Hello @swetha1654,

The charm should work on an arm machine and it is a very small charm (no workload) so if any charm can be deployed on any machine, it’s this one. Unfortunately, I don’t have an arm machine myself to confirm this but my colleague @ghibourg was able to build it and run it on his Raspberry Pi as far as I remember. What are your machine specifications and which version of the charm are you deploying? Please also provide the output of juju status.

@ghibourg, is there any special juju trick to get the charm deployed on arm?

Thanks,

Guillaume

Hi @gruyaume, I figured out my mistake. I had to run the command:

juju deploy postgresql-k8s --trust --constraints "arch=arm64"

I did not provide the constraints previously. The documentation mentioned that it will be available from revision 211+ and when I installed the postgresql charm it showed that revision 381 was installed, so I assumed that the support would automatically be available.

Just want one clarification. Is this "constraints" parameter documented somewhere? I couldn’t find it anywhere.


Hello, glad you found the issue, I was just about to write about the constraints. It is documented in the Juju documentation, but I am not sure the full behavior is well explained there. If no arch constraint is provided at deployment, Juju will automatically add arch=amd64 to the constraints.

This is why it works properly when running on amd64 but breaks on arm64 if the constraint is not specified. As you found, it will have the same behavior for all charms for that architecture.


Could you point out where it is in the documentation? That would be helpful, thanks!

Juju constraints are listed here.
