Notary
- Canonical Telco
Channel | Revision | Published | Runs on |
---|---|---|---|
latest/edge | 22 | 08 Oct 2024 | |
latest/edge | 7 | 13 Sep 2024 | |
latest/edge | 6 | 13 Sep 2024 | |
latest/edge | 5 | 13 Sep 2024 | |
0/candidate | 24 | 11 Oct 2024 | |
0/beta | 24 | 11 Oct 2024 | |
0/edge | 40 | 16 Dec 2024 |
juju deploy notary-k8s --channel edge
Deploy Kubernetes operators easily with Juju, the Universal Operator Lifecycle Manager. Need a Kubernetes cluster? Install MicroK8s to create a full CNCF-certified Kubernetes system in under 60 seconds.
Platform:
Getting Started
In this tutorial, we will deploy Notary on Kubernetes and use it to provide a TLS certificate to a charm requesting one.
Pre-requisites
A Ubuntu 22.04 machine with the following requirements:
- A
x86_64
CPU - 8GB of RAM
- 20GB of free disk space
1. Install MicroK8s
sudo snap install microk8s --channel=1.29-strict/stable
Enable the storage and dns add-ons:
sudo microk8s enable hostpath-storage
sudo microk8s enable dns
2. Bootstrap a Juju controller
From your terminal, install Juju:
sudo snap install juju --channel=3.4/stable
Bootstrap a Juju controller:
juju bootstrap microk8s
3. Deploy Notary
Create a Juju model named demo
:
juju add-model demo
Deploy the Notary K8s operator:
juju deploy notary-k8s --channel latest/edge
Notary will become active and ready to use in a couple seconds.
$ juju status
Model Controller Cloud/Region Version SLA Timestamp
demo microk8s-localhost microk8s/localhost 3.4.5 unsupported 17:07:25+03:00
App Version Status Scale Charm Channel Rev Address Exposed Message
notary-k8s active 1 notary-k8s latest/edge 4 10.152.183.188 no
Unit Workload Agent Address Ports Message
notary-k8s/0* active idle 10.1.90.190
4. Get the Login Information
Get the login information directly from juju secrets:
$ juju secrets
ID Name Owner Rotation Revision Last updated
cqvlq37mp25c77vaabgg - notary-k8s never 5 1 minute ago
$ juju show-secret --reveal cqvlq37mp25c77vaabgg
cqvlq37mp25c77vaabgg:
revision: 5
owner: notary-k8s
label: Notary Login Details
created: 2024-08-16T14:07:09Z
updated: 2024-08-16T14:07:13Z
content:
password: H)7aLJq*%n?B
token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MSwidXNlcm5hbWUiOiJjaGFybS1hZG1pbi1FTENJIiwicGVybWlzc2lvbnMiOjEsImV4cCI6MTcyMzgyMDgzMn0.gZu2jy1VL9LkZq41zuCpXoP63866K49e3mHZmOR4xRc
username: charm-admin-ELCI
Navigate to the application endpoint reported in juju status (https://10.152.183.188:2111
in this example) and use the username and password located in the secret to login. You should see the homepage.
5. Integrate Notary with a TLS requiring Charm
Deploy TLS Certificates Requirer and integrate it with Notary.
juju deploy tls-certificates-requirer tls-1s --channel=latest/edge
juju integrate notary-k8s:certificates tls-1s:certificates
Once the relation settles, you will see the CSR appear in Notary.
$ juju status
Model Controller Cloud/Region Version SLA Timestamp
demo microk8s-localhost microk8s/localhost 3.4.5 unsupported 11:14:12+03:00
App Version Status Scale Charm Channel Rev Address Exposed Message
notary-k8s active 1 notary-k8s latest/edge 15 10.152.183.86 no
tls-1s active 1 tls-certificates-requirer latest/edge 99 10.152.183.228 no 0/1 certificate requests are fulfilled
Unit Workload Agent Address Ports Message
notary-k8s/0* active idle 10.1.90.149
tls-1s/0* active idle 10.1.90.130 0/1 certificate requests are fulfilled
Integration provider Requirer Interface Type Message
notary-k8s:certificates tls-1s:certificates tls-certificates regular
Download the CSR and name it example.com.csr
.
6. Sign the certificate
Create a Private Key and a Signing CA Certificate
openssl genrsa -out ca.key 2048
openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 -out ca.crt
Sign the CSR that you’ve downloaded using openssl
. Open a terminal and run the following command:
openssl x509 -req -in example.com.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out example.com.crt -days 365
You should now have a signed certificate called example.com.crt
in your folder.
Create a certificate chain by listing your certificate and its issuer:
$ cat example.com.crt
-----BEGIN CERTIFICATE-----
MII...
-----END CERTIFICATE-----
$ cat ca.crt
-----BEGIN CERTIFICATE-----
MII...
-----END CERTIFICATE-----
7. Upload the certificate
Upload the certificate chain to Notary.
Your certificate will automatically be forwarded to the charm that submitted the CSR.
$ juju status
Model Controller Cloud/Region Version SLA Timestamp
demo microk8s-localhost microk8s/localhost 3.4.5 unsupported 12:24:49+03:00
App Version Status Scale Charm Channel Rev Address Exposed Message
notary-k8s active 1 notary-k8s 0 10.152.183.102 no
tls-1s active 1 tls-certificates-requirer latest/edge 99 10.152.183.159 no 1/1 certificate requests are fulfilled
Unit Workload Agent Address Ports Message
notary-k8s/0* active idle 10.1.90.129
tls-1s/0* active idle 10.1.90.155 1/1 certificate requests are fulfilled
Congratulations, you have used Notary to provision certificates in the Juju ecosystem!
8. Destroy the environment
You can now destroy your environment:
juju destroy-model demo