GoCert

  • Canonical Telco
Channel Revision Published Runs on
latest/edge 19 03 Sep 2024
Ubuntu 22.04
latest/edge 18 03 Sep 2024
Ubuntu 22.04
juju deploy gocert-k8s --channel edge
Show information

Learn to deploy on juju >

Platform:

Relevant links

Discuss this charm

Share your thoughts on this charm with the community on discourse.

Join the discussion

Getting Started

In this tutorial, we will deploy Notary on Kubernetes and use it to provide a TLS certificate to a charm requesting one.

Pre-requisites

A Ubuntu 22.04 machine with the following requirements:

  • A x86_64 CPU
  • 8GB of RAM
  • 20GB of free disk space

1. Install MicroK8s

sudo snap install microk8s --channel=1.29-strict/stable

Enable the storage and dns add-ons:

sudo microk8s enable hostpath-storage
sudo microk8s enable dns

2. Bootstrap a Juju controller

From your terminal, install Juju:

sudo snap install juju --channel=3.4/stable

Bootstrap a Juju controller:

juju bootstrap microk8s

3. Deploy Notary

Create a Juju model named demo:

juju add-model demo

Deploy the Notary K8s operator:

juju deploy notary-k8s --channel latest/edge

Notary will become active and ready to use in a couple seconds.

$ juju status
Model  Controller          Cloud/Region        Version  SLA          Timestamp
demo   microk8s-localhost  microk8s/localhost  3.4.5    unsupported  17:07:25+03:00

App         Version  Status  Scale  Charm       Channel      Rev  Address         Exposed  Message
notary-k8s           active      1  notary-k8s  latest/edge    4  10.152.183.188  no 

Unit           Workload  Agent  Address      Ports  Message
notary-k8s/0*  active    idle   10.1.90.190

4. Get the Login Information

Get the login information directly from juju secrets:

$ juju secrets
ID                    Name  Owner       Rotation  Revision  Last updated
cqvlq37mp25c77vaabgg  -     notary-k8s  never            5  1 minute ago

$ juju show-secret --reveal cqvlq37mp25c77vaabgg
cqvlq37mp25c77vaabgg:
  revision: 5
  owner: notary-k8s
  label: Notary Login Details
  created: 2024-08-16T14:07:09Z
  updated: 2024-08-16T14:07:13Z
  content:
    password: H)7aLJq*%n?B
    token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MSwidXNlcm5hbWUiOiJjaGFybS1hZG1pbi1FTENJIiwicGVybWlzc2lvbnMiOjEsImV4cCI6MTcyMzgyMDgzMn0.gZu2jy1VL9LkZq41zuCpXoP63866K49e3mHZmOR4xRc
    username: charm-admin-ELCI

Navigate to the application endpoint reported in juju status (https://10.152.183.188:2111 in this example) and use the username and password located in the secret to login. You should see the homepage.

image

5. Integrate Notary with a TLS requiring Charm

Deploy TLS Certificates Requirer and integrate it with Notary.

juju deploy tls-certificates-requirer tls-1s --channel=latest/edge
juju integrate notary-k8s:certificates  tls-1s:certificates

Once the relation settles, you will see the CSR appear in Notary.

$ juju status
Model  Controller          Cloud/Region        Version  SLA          Timestamp
demo   microk8s-localhost  microk8s/localhost  3.4.5    unsupported  11:14:12+03:00

App         Version  Status  Scale  Charm                      Channel      Rev  Address         Exposed  Message
notary-k8s           active      1  notary-k8s                 latest/edge   15  10.152.183.86   no 
tls-1s               active      1  tls-certificates-requirer  latest/edge   99  10.152.183.228  no       0/1 certificate requests are fulfilled

Unit           Workload  Agent  Address      Ports  Message
notary-k8s/0*  active    idle   10.1.90.149       
tls-1s/0*      active    idle   10.1.90.130         0/1 certificate requests are fulfilled

Integration provider     Requirer             Interface         Type     Message
notary-k8s:certificates  tls-1s:certificates  tls-certificates  regular

image

Download the CSR and name it example.com.csr.

6. Sign the certificate

Create a Private Key and a Signing CA Certificate

openssl genrsa -out ca.key 2048
openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 -out ca.crt

Sign the CSR that you’ve downloaded using openssl. Open a terminal and run the following command:

openssl x509 -req -in example.com.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out example.com.crt -days 365

You should now have a signed certificate called example.com.crt in your folder.

Create a certificate chain by listing your certificate and its issuer:

$ cat example.com.crt
-----BEGIN CERTIFICATE-----
MII...
-----END CERTIFICATE-----
$ cat ca.crt
-----BEGIN CERTIFICATE-----
MII...
-----END CERTIFICATE-----

7. Upload the certificate

Upload the certificate chain to Notary.

image

image

Your certificate will automatically be forwarded to the charm that submitted the CSR.

$ juju status
Model  Controller          Cloud/Region        Version  SLA          Timestamp
demo   microk8s-localhost  microk8s/localhost  3.4.5    unsupported  12:24:49+03:00

App         Version  Status  Scale  Charm                      Channel      Rev  Address         Exposed  Message
notary-k8s           active      1  notary-k8s                                0  10.152.183.102  no 
tls-1s               active      1  tls-certificates-requirer  latest/edge   99  10.152.183.159  no       1/1 certificate requests are fulfilled

Unit           Workload  Agent  Address      Ports  Message
notary-k8s/0*  active    idle   10.1.90.129       
tls-1s/0*      active    idle   10.1.90.155         1/1 certificate requests are fulfilled

Congratulations, you have used Notary to provision certificates in the Juju ecosystem!

8. Destroy the environment

You can now destroy your environment:

juju destroy-model demo

Help improve this document in the forum (guidelines). Last updated a month ago.