EasyRSA

  • Canonical Kubernetes
Channel Revision Published Runs on
latest/stable 63 04 Sep 2024
Ubuntu 22.04 Ubuntu 20.04 Ubuntu 18.04 Ubuntu 16.04 Ubuntu 14.04
latest/stable 26 17 Apr 2024
Ubuntu 22.04 Ubuntu 20.04 Ubuntu 18.04 Ubuntu 16.04 Ubuntu 14.04
latest/stable 4 17 Apr 2024
Ubuntu 22.04 Ubuntu 20.04 Ubuntu 18.04 Ubuntu 16.04 Ubuntu 14.04
latest/candidate 66 Yesterday
Ubuntu 22.04 Ubuntu 20.04 Ubuntu 18.04 Ubuntu 16.04 Ubuntu 14.04
latest/candidate 26 28 Sep 2022
Ubuntu 22.04 Ubuntu 20.04 Ubuntu 18.04 Ubuntu 16.04 Ubuntu 14.04
latest/candidate 4 11 Mar 2022
Ubuntu 22.04 Ubuntu 20.04 Ubuntu 18.04 Ubuntu 16.04 Ubuntu 14.04
latest/beta 63 14 Aug 2024
Ubuntu 22.04 Ubuntu 20.04 Ubuntu 18.04 Ubuntu 16.04 Ubuntu 14.04
latest/beta 27 20 Apr 2024
Ubuntu 22.04 Ubuntu 20.04 Ubuntu 18.04 Ubuntu 16.04 Ubuntu 14.04
latest/beta 13 17 Apr 2024
Ubuntu 22.04 Ubuntu 20.04 Ubuntu 18.04 Ubuntu 16.04 Ubuntu 14.04
latest/edge 65 06 Dec 2024
Ubuntu 22.04 Ubuntu 20.04 Ubuntu 18.04 Ubuntu 16.04 Ubuntu 14.04
latest/edge 27 18 Oct 2022
Ubuntu 22.04 Ubuntu 20.04 Ubuntu 18.04 Ubuntu 16.04 Ubuntu 14.04
latest/edge 13 23 Jun 2022
Ubuntu 22.04 Ubuntu 20.04 Ubuntu 18.04 Ubuntu 16.04 Ubuntu 14.04
1.32/edge 65 06 Dec 2024
Ubuntu 22.04 Ubuntu 20.04
1.31/stable 63 04 Sep 2024
Ubuntu 22.04 Ubuntu 20.04
1.31/candidate 66 Yesterday
Ubuntu 22.04 Ubuntu 20.04
1.31/beta 63 13 Aug 2024
Ubuntu 22.04 Ubuntu 20.04
1.31/edge 64 21 Aug 2024
Ubuntu 22.04 Ubuntu 20.04
1.30/stable 59 11 Jul 2024
Ubuntu 22.04 Ubuntu 20.04
1.30/beta 59 05 Jul 2024
Ubuntu 22.04 Ubuntu 20.04
1.30/edge 61 26 Jul 2024
Ubuntu 22.04 Ubuntu 20.04
1.29/stable 58 05 Jul 2024
Ubuntu 22.04 Ubuntu 20.04
1.28/stable 48 22 Aug 2023
Ubuntu 22.04 Ubuntu 20.04
1.28/beta 48 07 Aug 2023
Ubuntu 22.04 Ubuntu 20.04
1.28/edge 49 09 Aug 2023
Ubuntu 22.04 Ubuntu 20.04
1.27/stable 42 12 Jun 2023
Ubuntu 22.04 Ubuntu 20.04
1.27/candidate 39 10 Apr 2023
Ubuntu 22.04 Ubuntu 20.04
1.27/beta 39 10 Apr 2023
Ubuntu 22.04 Ubuntu 20.04
1.27/edge 40 10 Apr 2023
Ubuntu 22.04 Ubuntu 20.04
1.26/stable 33 27 Feb 2023
Ubuntu 22.04 Ubuntu 20.04
1.26/candidate 33 25 Feb 2023
Ubuntu 22.04 Ubuntu 20.04
1.26/beta 28 09 Apr 2023
Ubuntu 22.04 Ubuntu 20.04
1.26/edge 28 19 Nov 2022
Ubuntu 22.04 Ubuntu 20.04 Ubuntu 18.04
1.26/edge 27 18 Oct 2022
Ubuntu 22.04 Ubuntu 20.04 Ubuntu 18.04
1.25/stable 26 30 Sep 2022
Ubuntu 22.04 Ubuntu 20.04 Ubuntu 18.04
1.25/candidate 26 28 Sep 2022
Ubuntu 22.04 Ubuntu 20.04 Ubuntu 18.04
1.25/beta 29 01 Dec 2022
Ubuntu 22.04 Ubuntu 20.04 Ubuntu 18.04
1.25/beta 20 01 Sep 2022
Ubuntu 22.04 Ubuntu 20.04 Ubuntu 18.04
1.25/edge 21 09 Sep 2022
Ubuntu 22.04 Ubuntu 20.04 Ubuntu 18.04
1.24/stable 15 04 Aug 2022
Ubuntu 22.04 Ubuntu 20.04 Ubuntu 18.04 Ubuntu 16.04 Ubuntu 14.04
1.24/stable 9 05 May 2022
Ubuntu 22.04 Ubuntu 20.04 Ubuntu 18.04 Ubuntu 16.04 Ubuntu 14.04
1.24/candidate 15 01 Aug 2022
Ubuntu 22.04 Ubuntu 20.04 Ubuntu 18.04
1.24/beta 9 21 Apr 2022
Ubuntu 20.04 Ubuntu 18.04 Ubuntu 16.04 Ubuntu 14.04
1.24/edge 14 22 Jul 2022
Ubuntu 22.04 Ubuntu 20.04 Ubuntu 18.04 Ubuntu 16.04 Ubuntu 14.04
1.24/edge 13 23 Jun 2022
Ubuntu 22.04 Ubuntu 20.04 Ubuntu 18.04 Ubuntu 16.04 Ubuntu 14.04
1.23/beta 5 22 Mar 2022
Ubuntu 20.04 Ubuntu 18.04 Ubuntu 16.04 Ubuntu 14.04
1.23/edge 3 24 Feb 2022
Ubuntu 20.04 Ubuntu 18.04 Ubuntu 16.04 Ubuntu 14.04
juju deploy easyrsa
Show information

Platform:

Ubuntu
22.04 20.04 18.04 16.04 14.04

This charm delivers the EasyRSA application to act as a Certificate Authority (CA) and create certificates for related charms.

Deployment

To deploy EasyRSA:

juju deploy easyrsa

Using the EasyRSA charm

The EasyRSA charm will become a Certificate Authority (CA) and generate a CA certificate. Other charms need only to relate to EasyRSA with a requires using the tls-certificates interface.

To get a server certificate from EasyRSA, a charm must include the interface:tls-certificates interface in its layer.yaml file. The charm must also require the tls interface, in its metadata.yaml. The relation name may be named what ever you wish. Assume the relation is named “certificates” for these examples.

CA

The interface will generate a CA certificate immediately. If another charm requires a CA certificate the code must react to the flag certificates.ca.available. The relationship object has a method named get_ca which returns the CA certificate.

@when('certificates.ca.available')
def store_ca(tls):
    '''Read the certificate authority from the relation object and install it
    on this system.'''
    # Get the CA from the relationship object.
    ca_cert = tls.get_ca()
    write_file('/usr/local/share/ca-certificates/easyrsa.crt', ca_cert)

Client certificate and key

The EasyRSA charm generates a client certificate after the CA certificate is created. If another charm needs the CA the code must react to the flag certificates.client.cert.available. The relationship object has a method that returns the client cert and client key called get_client_cert.

@when('certificates.client.cert.available')
def store_client(tls):
    '''Read the client certificate from the relation object and install it on
    this system.'''
    client_cert, client_key = tls.get_client_cert()
    write_file('/home/ubuntu/client.crt', client_cert)
    write_file('/home/ubuntu/client.key', client_key)

Request a server certificate

The interface will set certificates.available flag on a relation. The reactive code should send three values on the relation to request a certificate. Call the request_server_cert method on the relationship object. The three values are: Common Name (CN), a list of Subject Alt Names (SANs), and the file name of the certificate (the unit name with the ‘/’ replaced with an underscore). For example a client charm would send:

@when('certificates.available')
def send_data(tls):
    # Use the public ip of this unit as the Common Name for the certificate.
    common_name = hookenv.unit_public_ip()
    # Get a list of Subject Alt Names for the certificate.
    sans = []
    sans.append(hookenv.unit_public_ip())
    sans.append(hookenv.unit_private_ip())
    sans.append(socket.gethostname())
    # Create a path safe name by removing path characters from the unit name.
    certificate_name = hookenv.local_unit().replace('/', '_')
    # Send the information on the relation object.
    tls.request_server_cert(common_name, sans, certificate_name)

Server certificate and key

The Easy-RSA charm generates the server certificate and key after the request have been made. If another charm needs the server certificate the code must react to the flag {relation_name}.server.cert.available. The relationship object has a method that returns the server cert and server key called get_server_cert.

@when('certificates.server.cert.available')
def store_server(tls):
    '''Read the server certificate from the relation object and install it on
    this system.'''
    server_cert, server_key = tls.get_server_cert()
    write_file('/home/ubuntu/server.cert', server_cert)
    write_file('/home/ubuntu/server.key', server_key)

Backup/Restore the PKI

This charm includes actions which support creating and managing snapshots of the Easy-RSA PKI. Their usage is explained in the following sections:

Create backups

Use the charm’s backup action to capture current snapshot of the Easy-RSA PKI. This will generate a file in the directory /home/ubuntu/easyrsa_backup on the relevant unit. The backup file follows the naming convention: easyrsa-YYYY-MM-DD_HH-MM-SS.tar.gz.

For example:

juju run-action --wait easyrsa/0 backup

For convenience, the output of the backup action will output the exact juju scp command to download the created file to your local machine.

List backups

To list all the available backup files stored on the unit, run the following:

juju run-action --wait easyrsa/0 list-backups

This will output a list of filenames. These filenames are relative to the unit’s /home/ubuntu/easyrsa_backup/ directory.

The names can be used either directly as a parameters for the restore and delete-backup actions or as part of a juju scp command to download the backup files. For example, to download a backup named easyrsa-2020-12-10_16-37-54.tar.gz, the corresponding juju scp command would be:

juju scp easyrsa/0:/home/ubuntu/easyrsa_backup/easyrsa-2020-12-10_16-37-54.tar.gz .

Delete backups

To delete a backup file stored on the unit, simply run action delete-backup with parameter name=<backup_name>. List of all available backups can be obtained by running action list-backups. To remove all the backups from the unit, you can specify parameter all=true.

Removing a single backup:

juju run-action --wait easyrsa/0 delete-backup name=easyrsa-2020-12-10_16-37-54.tar.gz

Removing all backups:

juju run-action --wait easyrsa/0 delete-backup all=true

Restore backups

To restore a backup, run the restore action. This action takes one parameter, name, which specifies the backup file to be restored. This file must exist on the easyrsa unit for the action to succeed. A list of the available backups can be obtained by running the list-backups action.

For example:

juju run-action --wait easyrsa/0 restore name=easyrsa-2020-06-10_16-37-54.tar.gz

In the case where the backup file is available locally, it can be copied to the relevant unit before running the restore action by using the juju scp command. For example:

juju scp easyrsa-2020-12-10_16-37-54.tar.gz easyrsa/0:/home/ubuntu/easyrsa_backup/

In the case where units have been added to the Juju model since the backup was created, Easy-RSA will issue new certificates to these units.

Warning: There is a known issue that the `kubernetes-control-plane` units need to be restarted after the certificate change. These units may settle in the active/idle state but all new pods will hang in the pending state. .

Note: The Easy-RSA charm notifies all the related units that the CA and issued certificates have changed. It's up to the implementation of each related charm to react to this change properly. It may take up to several minutes for model to settle back into the active/idle state.

Actions

This section covers Juju actions supported by the charm. Actions allow specific operations to be performed on a per-unit basis. To display action descriptions you can run juju actions easyrsa.