Notary

  • Canonical Telco

Channel       Revision  Published     Runs on
latest/edge   22        08 Oct 2024   Ubuntu 24.04, Ubuntu 22.04
latest/edge   7         13 Sep 2024   Ubuntu 24.04, Ubuntu 22.04
latest/edge   6         13 Sep 2024   Ubuntu 24.04, Ubuntu 22.04
latest/edge   5         13 Sep 2024   Ubuntu 24.04, Ubuntu 22.04
0/candidate   24        11 Oct 2024   Ubuntu 24.04
0/beta        24        11 Oct 2024   Ubuntu 24.04
0/edge        40        16 Dec 2024   Ubuntu 24.04

juju deploy notary-k8s --channel edge
Getting Started

In this tutorial, we will deploy Notary on Kubernetes and use it to provide a TLS certificate to a charm requesting one.

Pre-requisites

An Ubuntu 22.04 machine with the following requirements:

  • An x86_64 CPU
  • 8GB of RAM
  • 20GB of free disk space

1. Install MicroK8s

sudo snap install microk8s --channel=1.29-strict/stable

Enable the storage and dns add-ons:

sudo microk8s enable hostpath-storage
sudo microk8s enable dns

2. Bootstrap a Juju controller

From your terminal, install Juju:

sudo snap install juju --channel=3.4/stable

Bootstrap a Juju controller:

juju bootstrap microk8s

3. Deploy Notary

Create a Juju model named demo:

juju add-model demo

Deploy the Notary K8s operator:

juju deploy notary-k8s --channel latest/edge

Notary will become active and ready to use within a few seconds.

$ juju status
Model  Controller          Cloud/Region        Version  SLA          Timestamp
demo   microk8s-localhost  microk8s/localhost  3.4.5    unsupported  17:07:25+03:00

App         Version  Status  Scale  Charm       Channel      Rev  Address         Exposed  Message
notary-k8s           active      1  notary-k8s  latest/edge    4  10.152.183.188  no 

Unit           Workload  Agent  Address      Ports  Message
notary-k8s/0*  active    idle   10.1.90.190

4. Get the Login Information

Get the login information directly from juju secrets:

$ juju secrets
ID                    Name  Owner       Rotation  Revision  Last updated
cqvlq37mp25c77vaabgg  -     notary-k8s  never            5  1 minute ago
$ juju show-secret --reveal cqvlq37mp25c77vaabgg
cqvlq37mp25c77vaabgg:
  revision: 5
  owner: notary-k8s
  label: Notary Login Details
  created: 2024-08-16T14:07:09Z
  updated: 2024-08-16T14:07:13Z
  content:
    password: H)7aLJq*%n?B
    token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MSwidXNlcm5hbWUiOiJjaGFybS1hZG1pbi1FTENJIiwicGVybWlzc2lvbnMiOjEsImV4cCI6MTcyMzgyMDgzMn0.gZu2jy1VL9LkZq41zuCpXoP63866K49e3mHZmOR4xRc
    username: charm-admin-ELCI

Open the application address reported in juju status on port 2111 (https://10.152.183.188:2111 in this example) and log in with the username and password from the secret. You should see the homepage. Everything that --reveal printed is a credential: the password is the admin login, and the token is a signed bearer token for the same account whose claims (username, permissions, expiry) can be read by anyone who sees the output, so keep it out of pasted logs and shared screens.
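To see why the token counts as a credential in its own right, decode it. The script below is an added example (not from the Notary docs or project); TOKEN is the token value shown in the secret above, and the claim parser is a deliberately minimal sed expression that assumes flat, unnested claims as in that token.

```shell
#!/bin/sh
# Added example, not from the Notary docs: decode the token that
# `juju show-secret --reveal` printed. A JWT's payload is base64url text,
# not ciphertext, so anyone who holds the token, or merely sees it in a
# terminal, can read its claims. TOKEN is copied from the secret above.
TOKEN='eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MSwidXNlcm5hbWUiOiJjaGFybS1hZG1pbi1FTENJIiwicGVybWlzc2lvbnMiOjEsImV4cCI6MTcyMzgyMDgzMn0.gZu2jy1VL9LkZq41zuCpXoP63866K49e3mHZmOR4xRc'

# Print the decoded JSON of segment $2 (1 = header, 2 = payload) of JWT $1.
jwt_segment() {
  seg=$(printf '%s' "$1" | cut -d. -f"$2" | tr '_-' '/+')
  # base64url strips the '=' padding; restore it or base64 -d rejects the input.
  case $(( ${#seg} % 4 )) in
    2) seg="${seg}==" ;;
    3) seg="${seg}=" ;;
  esac
  printf '%s' "$seg" | base64 -d 2>/dev/null
}

# Raw value of claim $2 from the payload of JWT $1 (no jq needed; assumes
# flat claims, which is all this token carries). Strings keep their quotes.
jwt_claim() {
  jwt_segment "$1" 2 | sed -n "s/.*\"$2\":\([^,}]*\).*/\1/p"
}

# Seconds until the exp claim; negative once the token has expired.
jwt_seconds_left() {
  exp=$(jwt_claim "$1" exp)
  echo $(( exp - $(date +%s) ))
}

# Epoch seconds to ISO 8601 UTC (GNU date first, BSD date as fallback).
epoch_to_iso() {
  date -u -d "@$1" +%Y-%m-%dT%H:%M:%SZ 2>/dev/null \
    || date -u -r "$1" +%Y-%m-%dT%H:%M:%SZ
}

echo "header:  $(jwt_segment "$TOKEN" 1)"
echo "payload: $(jwt_segment "$TOKEN" 2)"
echo "expires: $(epoch_to_iso "$(jwt_claim "$TOKEN" exp)") ($(jwt_seconds_left "$TOKEN")s from now)"
```

The header reads {"alg":"HS256","typ":"JWT"}, so the token is integrity-protected with a secret Notary holds but not encrypted. The payload names charm-admin-ELCI with permissions 1 and exp 1723820832, which is 2024-08-16T15:07:12Z, one hour after the secret's created timestamp: the token in the secret is short-lived, the password is the durable credential.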

5. Integrate Notary with a TLS-requiring Charm

Deploy TLS Certificates Requirer and integrate it with Notary.

juju deploy tls-certificates-requirer tls-1s --channel=latest/edge
juju integrate notary-k8s:certificates tls-1s:certificates

Once the relation settles, you will see the CSR appear in the Notary UI.

$ juju status
Model  Controller          Cloud/Region        Version  SLA          Timestamp
demo   microk8s-localhost  microk8s/localhost  3.4.5    unsupported  11:14:12+03:00

App         Version  Status  Scale  Charm                      Channel      Rev  Address         Exposed  Message
notary-k8s           active      1  notary-k8s                 latest/edge   15  10.152.183.86   no 
tls-1s               active      1  tls-certificates-requirer  latest/edge   99  10.152.183.228  no       0/1 certificate requests are fulfilled

Unit           Workload  Agent  Address      Ports  Message
notary-k8s/0*  active    idle   10.1.90.149       
tls-1s/0*      active    idle   10.1.90.130         0/1 certificate requests are fulfilled

Integration provider     Requirer             Interface         Type     Message
notary-k8s:certificates  tls-1s:certificates  tls-certificates  regular

Download the CSR from the Notary UI and save it as example.com.csr.

6. Sign the certificate

Create a private key and a self-signed CA certificate (openssl req will prompt for the subject fields; any values will do for this demo):

openssl genrsa -out ca.key 2048
openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 -out ca.crt

Sign the CSR you downloaded with openssl. Open a terminal and run the following command:

openssl x509 -req -in example.com.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out example.com.crt -days 365

You should now have a signed certificate called example.com.crt in your folder. Note that openssl x509 -req copies no extensions from the CSR by default, so this certificate carries no subjectAltName even if the CSR asked for one, and modern TLS clients will reject it on that basis. For anything beyond this demo, pass -extfile with the extensions the CA is willing to grant (or, on OpenSSL 3, -copy_extensions copy, but only after checking that the CSR contains nothing you would not sign, such as basicConstraints CA:TRUE).

Create a certificate chain by listing your certificate and its issuer:

$ cat example.com.crt
-----BEGIN CERTIFICATE-----
MII...
-----END CERTIFICATE-----
$ cat ca.crt
-----BEGIN CERTIFICATE-----
MII...
-----END CERTIFICATE-----
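Step 6 end to end, as one script with the CA's extensions written down explicitly and the result verified before it goes anywhere near Notary. This is an added example, not the Notary project's own tooling: it assumes openssl (1.1.1 or 3.x) on PATH, and because the CSR you would normally download from Notary is not available offline, make_csr builds a constructed stand-in with a subjectAltName. The file names, WORKDIR and the helper function names are this example's own.

```shell
#!/bin/sh
# Added example, not the Notary project's own tooling: step 6 as one script,
# with the extensions the CA grants written down explicitly and the result
# checked before upload. Assumes openssl (1.1.1 or 3.x) on PATH.
# example.com.csr is normally the CSR downloaded from Notary; here make_csr
# builds a constructed stand-in with a SAN so the script runs offline.
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Throwaway root CA. The extfile replaces whatever the system openssl.cnf
# would otherwise add, so the CA bits are not left to chance.
make_ca() {
  openssl genrsa -out "$WORKDIR/ca.key" 2048 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORKDIR/ca.ext"
  openssl req -new -key "$WORKDIR/ca.key" -subj "/CN=Demo Root CA" \
    -out "$WORKDIR/ca.csr" 2>/dev/null
  openssl x509 -req -in "$WORKDIR/ca.csr" -signkey "$WORKDIR/ca.key" -sha256 \
    -days 3650 -extfile "$WORKDIR/ca.ext" -out "$WORKDIR/ca.crt" 2>/dev/null
}

# Constructed stand-in for the CSR a requirer charm submits through Notary.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORKDIR/example.com.key" \
    -subj "/CN=example.com" \
    -addext "subjectAltName=DNS:example.com,DNS:www.example.com" \
    -out "$WORKDIR/example.com.csr" 2>/dev/null
}

# Print the SAN requested in CSR $1 (empty if it has none).
csr_san() {
  openssl req -in "$1" -noout -text | sed -n '/Subject Alternative Name/{n;p;}' \
    | head -n 1 | tr -d ' '
}

# Sign the CSR. Only the SAN is taken from the request; basicConstraints,
# keyUsage and EKU are dictated by the CA, so a CSR that smuggled in
# CA:TRUE would still come out as a plain server certificate.
sign_csr() {
  san=$(csr_san "$WORKDIR/example.com.csr")
  : > "$WORKDIR/leaf.ext"
  if [ -n "$san" ]; then
    printf 'subjectAltName=%s\n' "$san" >> "$WORKDIR/leaf.ext"
  fi
  printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' \
    >> "$WORKDIR/leaf.ext"
  openssl x509 -req -in "$WORKDIR/example.com.csr" -CA "$WORKDIR/ca.crt" \
    -CAkey "$WORKDIR/ca.key" -CAcreateserial -sha256 -days 365 \
    -extfile "$WORKDIR/leaf.ext" -out "$WORKDIR/example.com.crt" 2>/dev/null
  # Chain in the order the tutorial lists it: leaf first, then its issuer.
  cat "$WORKDIR/example.com.crt" "$WORKDIR/ca.crt" > "$WORKDIR/example.com.chain.pem"
}

# Exit 0 only if the leaf chains to the CA and is usable as a TLS server cert.
verify_leaf() {
  openssl verify -CAfile "$WORKDIR/ca.crt" -purpose sslserver \
    "$WORKDIR/example.com.crt" >/dev/null 2>&1
}

# SAN actually present in the signed certificate.
leaf_san() {
  openssl x509 -in "$WORKDIR/example.com.crt" -noout -text \
    | sed -n '/Subject Alternative Name/{n;p;}' | head -n 1 | tr -d ' '
}

# Exit 0 if the signed certificate was (wrongly) issued as a CA.
leaf_is_ca() {
  openssl x509 -in "$WORKDIR/example.com.crt" -noout -text | grep -q 'CA:TRUE'
}

# Number of certificates in the chain file (expect 2: leaf and CA).
chain_count() {
  grep -c 'BEGIN CERTIFICATE' "$WORKDIR/example.com.chain.pem"
}

make_ca && make_csr && sign_csr
if verify_leaf && ! leaf_is_ca; then
  echo "OK: $(leaf_san) in $WORKDIR/example.com.chain.pem ($(chain_count) certs)"
else
  echo "signing failed: do not upload $WORKDIR/example.com.chain.pem" >&2
fi
```

Swap the make_csr call for the CSR downloaded from Notary and the rest applies unchanged; the resulting example.com.chain.pem is exactly the leaf-then-issuer listing the tutorial asks for. The verify step is the one worth keeping even for a demo: openssl verify -purpose sslserver fails on a certificate that lacks a usable key usage or that did not actually chain to ca.crt, which is cheaper to learn here than after the charm has tried to use it.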

7. Upload the certificate

Upload the certificate chain (example.com.crt followed by ca.crt) to Notary for the CSR you downloaded.

Your certificate will automatically be forwarded to the charm that submitted the CSR.

$ juju status
Model  Controller          Cloud/Region        Version  SLA          Timestamp
demo   microk8s-localhost  microk8s/localhost  3.4.5    unsupported  12:24:49+03:00

App         Version  Status  Scale  Charm                      Channel      Rev  Address         Exposed  Message
notary-k8s           active      1  notary-k8s                                0  10.152.183.102  no 
tls-1s               active      1  tls-certificates-requirer  latest/edge   99  10.152.183.159  no       1/1 certificate requests are fulfilled

Unit           Workload  Agent  Address      Ports  Message
notary-k8s/0*  active    idle   10.1.90.129       
tls-1s/0*      active    idle   10.1.90.155         1/1 certificate requests are fulfilled

Congratulations, you have used Notary to provision certificates in the Juju ecosystem!

8. Destroy the environment

You can now destroy your environment:

juju destroy-model demo