Enable conditionally signing inter-COS charms with the external (or internal) CA #74

@MichaelThamm

Related:

Similar to how we use var.external_certificates_offer_url to integrate an external CA with Traefik, we should allow this same external CA to sign our other internal charms by conditionally switching between either mode depending on the combination of: internal_tls and var.external_certificates_offer_url.

With some Terraform investigation, we can use dynamic blocks to create applications included in the juju_integration conditionally like:

```hcl
resource "juju_integration" "alertmanager_certificates" {
  # No certificates integration at all unless inter-model TLS is requested
  count = var.internal_tls ? 1 : 0
  model = var.model

  # Provider side, variant 1: external CA reached through a cross-model offer.
  # Conditional application block based on internal_certificates_offer_url
  dynamic "application" {
    for_each = var.internal_certificates_offer_url != null ? [1] : []
    content {
      offer_url = var.internal_certificates_offer_url
    }
  }

  # Provider side, variant 2: the in-model self-signed-certificates (ssc) app.
  # Fallback application block with name and endpoint; only evaluated when
  # no offer URL is given, so module.ssc[0] is never dereferenced otherwise.
  dynamic "application" {
    for_each = var.internal_certificates_offer_url != null ? [] : [1]
    content {
      name     = module.ssc[0].app_name
      endpoint = module.ssc[0].provides.certificates
    }
  }

  # Requirer side: always the same application
  application {
    name     = module.alertmanager.app_name
    endpoint = module.alertmanager.endpoints.certificates
  }
}
```

We would need to update this juju_integration for all other charms which need certificates integrations. This would allow us to:

```hcl
module "cos-lite" {
  # source                          = "git::https://github.com/canonical/observability-stack//terraform/cos-lite?ref=feat/tls-termination"
  source                          = "../cos-lite"
  model                           = "cos"
  channel                         = "1/stable"
  traefik_channel                 = "latest/edge"
  internal_tls                    = false  # Set to 'false' to disable inter-model TLS
  external_certificates_offer_url = module.ssc.offers.certificates.url  # Set to 'null' or remove this line to communicate with Traefik via HTTP
  internal_certificates_offer_url = module.ssc.offers.certificates.url  # Set to 'null' or remove this line to communicate internally using TLS provided by the external CA (`ssc`)
}
```

Alternatively, we could re-use the external_certificates_offer_url instead of creating the internal_certificates_offer_url and add an internal_ssc boolean. This seems like it duplicates the use of internal_tls. Need to investigate.

TODO

  • Update the "TLS encryption in COS" How-to docs to include this text once this is merged:

If you have other certificate requirements, you’ll be able to replace the self-signed-certificates operator with another TLS operator of your liking, consulting the “Providing” section of the tls-certificates interface page on Charmhub.
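One way to express the same switch with a single provider-side block plus the input checks a reviewer would ask for. This is an added example, not code from the issue above or from canonical/observability-stack; it assumes the names used in the issue (var.internal_tls, var.internal_certificates_offer_url, var.model, module.ssc with count 0 or 1, module.alertmanager), a juju_integration application block whose name, endpoint and offer_url are all optional, and Terraform >= 1.9 (cross-variable references inside variable validation; lifecycle preconditions need >= 1.2, one() needs >= 0.15).

```hcl
# Added example (not the issue author's or the project's code). Assumed names:
# var.internal_tls, var.internal_certificates_offer_url, var.model,
# module.ssc (count = 0 or 1), module.alertmanager.
# Behaviour encoded:
#   internal_tls = false                                   -> no certificates integration
#   internal_tls = true, internal_certificates_offer_url set -> external CA via the offer
#   internal_tls = true, internal_certificates_offer_url null -> in-model ssc

variable "internal_tls" {
  type    = bool
  default = true
}

variable "internal_certificates_offer_url" {
  type    = string
  default = null

  # Without this check, a URL given while internal_tls = false is silently
  # ignored, because the integration below has count = 0.
  # Referencing another variable here requires Terraform >= 1.9.
  validation {
    condition     = var.internal_certificates_offer_url == null || var.internal_tls
    error_message = "internal_certificates_offer_url is set but internal_tls is false; enable internal_tls or drop the URL."
  }
}

locals {
  # One description of the provider side of the relation. one() yields null for
  # an empty splat, so this does not fail when module.ssc has count = 0 because
  # an external offer is in use.
  cert_provider = var.internal_certificates_offer_url != null ? {
    offer_url = var.internal_certificates_offer_url
    name      = null
    endpoint  = null
  } : {
    offer_url = null
    name      = one(module.ssc[*].app_name)
    endpoint  = one(module.ssc[*].provides.certificates)
  }
}

resource "juju_integration" "alertmanager_certificates" {
  count = var.internal_tls ? 1 : 0
  model = var.model

  lifecycle {
    # Refuse to plan a TLS integration that has no CA on the other side
    # (internal_tls = true, no offer URL and no ssc module deployed).
    precondition {
      condition     = local.cert_provider.offer_url != null || local.cert_provider.name != null
      error_message = "internal_tls is true but no CA is available: set internal_certificates_offer_url or deploy the ssc module."
    }
  }

  # Provider side: either an offer URL (external CA) or a local app/endpoint (ssc).
  # Attributes set to null are treated by Terraform as unset.
  dynamic "application" {
    for_each = [local.cert_provider]
    content {
      offer_url = application.value.offer_url
      name      = application.value.name
      endpoint  = application.value.endpoint
    }
  }

  # Requirer side is always the same.
  application {
    name     = module.alertmanager.app_name
    endpoint = module.alertmanager.endpoints.certificates
  }
}
```

The local map is what makes this reusable across the other charms mentioned in the issue: each of their juju_integration resources can consume local.cert_provider unchanged, and the two checks (reject a URL with TLS disabled, reject TLS with no CA) live in one place instead of being repeated per integration.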
