Getting Started
In this tutorial, we will use the TLS Constraints charm, the Self Signed Certificates charm and two TLS Requirer charms to demonstrate how the constraints charm blocks CSRs from being forwarded to the TLS Provider.
1. Install pre-requisites
Install MicroK8s:
sudo snap install microk8s
Enable the hostpath-storage MicroK8s add-on:
microk8s enable hostpath-storage
Install Juju:
sudo snap install juju
2. Bootstrap a Juju controller
Bootstrap a Juju controller:
juju bootstrap microk8s
Create a Juju model:
juju add-model demo
3. Deploy Self Signed Certificates
juju deploy self-signed-certificates
4. Deploy tls-certificates-requirers
juju deploy ch:tls-certificates-requirer tls-requirer1
juju deploy ch:tls-certificates-requirer tls-requirer2
5. Deploy TLS Constraints
juju deploy tls-constraints --channel beta
6. Relate the Upstream Certificate Provider
juju integrate tls-constraints:certificates-upstream self-signed-certificates
7. Configure TLS Constraints
juju config tls-constraints limit-to-one-request=True
Feel free to inspect all of the config options to see what’s available.
8. Relate the Downstream Certificate Requirers
juju integrate tls-constraints:certificates-downstream tls-requirer1
juju integrate tls-constraints:certificates-downstream tls-requirer2
You should see the second requirer being filtered out:
juju status
Model  Controller          Cloud/Region        Version  SLA          Timestamp
demo   microk8s-localhost  microk8s/localhost  3.4.2    unsupported  14:31:22Z

App                       Version  Status  Scale  Charm                      Channel        Rev  Address         Exposed  Message
self-signed-certificates           active      1  self-signed-certificates   latest/stable   72  10.152.183.172  no
tls-constraints                    active      1  tls-constraints            latest/beta     47  10.152.183.134  no
tls-requirer1                      active      1  tls-certificates-requirer  latest/stable   72  10.152.183.159  no       Certificate is available
tls-requirer2                      active      1  tls-certificates-requirer  latest/stable   72  10.152.183.68   no       Certificate request is sent

Unit                         Workload  Agent  Address       Ports  Message
self-signed-certificates/0*  active    idle   10.1.252.83
tls-constraints/0*           active    idle   10.1.252.127
tls-requirer1/0*             active    idle   10.1.252.89          Certificate is available
tls-requirer2/0*             active    idle   10.1.252.98          Certificate request is sent

Integration provider                     Requirer                               Interface         Type     Message
self-signed-certificates:certificates    tls-constraints:certificates-upstream  tls-certificates  regular
tls-constraints:certificates-downstream  tls-requirer1:certificates             tls-certificates  regular
tls-constraints:certificates-downstream  tls-requirer2:certificates             tls-certificates  regular
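
To check the outcome above without reading the table by eye, the following added example (not part of the original tutorial or of the charm's code) classifies each requirer unit from the JSON form of the status and reports any unit that holds a certificate it should not have. The JSON key layout, the sample document and the function names are assumptions made for this example; the two workload messages are the ones shown in the status output above.

```python
import json
import sys

# Workload messages as they appear in the tutorial's `juju status` output.
ISSUED = "Certificate is available"
PENDING = "Certificate request is sent"
REQUIRER_CHARM = "tls-certificates-requirer"

# Constructed sample, trimmed to the fields read below. The key layout
# (applications -> units -> workload-status.message) is an assumption about
# `juju status --format=json`; check it against your Juju version.
SAMPLE = json.dumps({"applications": {
    "tls-constraints": {"charm-name": "tls-constraints", "units": {
        "tls-constraints/0": {"workload-status": {"current": "active"}}}},
    "tls-requirer1": {"charm-name": REQUIRER_CHARM, "units": {
        "tls-requirer1/0": {"workload-status": {"current": "active", "message": ISSUED}}}},
    "tls-requirer2": {"charm-name": REQUIRER_CHARM, "units": {
        "tls-requirer2/0": {"workload-status": {"current": "active", "message": PENDING}}}},
}})


def requirer_states(status_json):
    """Map each requirer unit to 'issued', 'pending' or 'unknown'."""
    states = {}
    for app in json.loads(status_json).get("applications", {}).values():
        if app.get("charm-name") != REQUIRER_CHARM:
            continue
        for unit, info in (app.get("units") or {}).items():
            message = (info.get("workload-status") or {}).get("message", "")
            states[unit] = {ISSUED: "issued", PENDING: "pending"}.get(message, "unknown")
    return states


def unexpected_issuance(states, allowed_units):
    """Units that hold a certificate although the constraint should block them."""
    return sorted(u for u, s in states.items() if s == "issued" and u not in allowed_units)


if __name__ == "__main__":
    # Pass a file saved from `juju status --format=json`, or run with no
    # argument to use the constructed sample.
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    states = requirer_states(raw)
    for unit, state in sorted(states.items()):
        print(f"{unit}: {state}")
    leaked = unexpected_issuance(states, allowed_units={"tls-requirer1/0"})
    sys.exit(f"constraint not enforced for: {leaked}" if leaked else 0)
```

A "pending" unit only shows that no certificate has arrived yet, so run the check after the model has settled to tell a blocked request from a slow one.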