feat: COS Lite TF module TLS integrations

[MichaelThamm]

Deploy with TLS

Create a observability-stack/terraform/modules/cos-lite/tls.tfvars file:

model                         = "tls"
channel                       = "2/edge"
ssc_channel                   = "1/edge"
traefik_channel              = "latest/edge"
use_tls                       = true

Tip

Due to this issue, we need to pin SSC to rev308, but this is not exposed by COS Lite product module so we have to hardcode this in the cos-lite/main.tf in the ssc module:

module "ssc" {
  source  = "git::https://github.com/canonical/self-signed-certificates-operator//terraform"
  # snip ...
  revision = 308
}

Deploy with: tfa -var-file="tls.tfvars"

Deploy without TLS

TL;DR

diff with-tls.yaml without-tls.yaml

59,64d58
<   self-signed-certificates:
<     charm: self-signed-certificates
<     channel: 1/edge
<     revision: 308
<     scale: 1
<     constraints: arch=amd64
118,129d111
< - - prometheus:certificates
<   - self-signed-certificates:certificates
< - - alertmanager:certificates
<   - self-signed-certificates:certificates
< - - self-signed-certificates:certificates
<   - traefik:certificates
< - - catalogue:certificates
<   - self-signed-certificates:certificates
< - - grafana:certificates
<   - self-signed-certificates:certificates
< - - loki:certificates
<   - self-signed-certificates:certificates

Context

• https://charmhub.io/topics/security-with-x-509-certificates

Then we can update the use_tls value to false and tfa again to remove all the certificates relations and the ssc charm:

  # juju_integration.alertmanager_certificates[0] will be destroyed
  # (because index [0] is out of range for count)
  - resource "juju_integration" "alertmanager_certificates" {
      - id    = "tls:self-signed-certificates:certificates:alertmanager:certificates" -> null
      - model = "tls" -> null

      - application {
          - endpoint = "certificates" -> null
          - name     = "alertmanager" -> null
        }
      - application {
          - endpoint = "certificates" -> null
          - name     = "self-signed-certificates" -> null
        }
    }

  # juju_integration.catalogue_certificates[0] will be destroyed
  # (because index [0] is out of range for count)
  - resource "juju_integration" "catalogue_certificates" {
      - id    = "tls:self-signed-certificates:certificates:catalogue:certificates" -> null
      - model = "tls" -> null

      - application {
          - endpoint = "certificates" -> null
          - name     = "catalogue" -> null
        }
      - application {
          - endpoint = "certificates" -> null
          - name     = "self-signed-certificates" -> null
        }
    }

  # juju_integration.grafana_certificates[0] will be destroyed
  # (because index [0] is out of range for count)
  - resource "juju_integration" "grafana_certificates" {
      - id    = "tls:self-signed-certificates:certificates:grafana:certificates" -> null
      - model = "tls" -> null

      - application {
          - endpoint = "certificates" -> null
          - name     = "grafana" -> null
        }
      - application {
          - endpoint = "certificates" -> null
          - name     = "self-signed-certificates" -> null
        }
    }

  # juju_integration.loki_certificates[0] will be destroyed
  # (because index [0] is out of range for count)
  - resource "juju_integration" "loki_certificates" {
      - id    = "tls:self-signed-certificates:certificates:loki:certificates" -> null
      - model = "tls" -> null

      - application {
          - endpoint = "certificates" -> null
          - name     = "loki" -> null
        }
      - application {
          - endpoint = "certificates" -> null
          - name     = "self-signed-certificates" -> null
        }
    }

  # juju_integration.prometheus_certificates[0] will be destroyed
  # (because index [0] is out of range for count)
  - resource "juju_integration" "prometheus_certificates" {
      - id    = "tls:self-signed-certificates:certificates:prometheus:certificates" -> null
      - model = "tls" -> null

      - application {
          - endpoint = "certificates" -> null
          - name     = "prometheus" -> null
        }
      - application {
          - endpoint = "certificates" -> null
          - name     = "self-signed-certificates" -> null
        }
    }

  # juju_integration.traefik_certificates[0] will be destroyed
  # (because index [0] is out of range for count)
  - resource "juju_integration" "traefik_certificates" {
      - id    = "tls:self-signed-certificates:certificates:traefik:certificates" -> null
      - model = "tls" -> null

      - application {
          - endpoint = "certificates" -> null
          - name     = "self-signed-certificates" -> null
        }
      - application {
          - endpoint = "certificates" -> null
          - name     = "traefik" -> null
        }
    }

  # module.ssc[0].juju_application.self-signed-certificates will be destroyed
  # (because module.ssc[0] is not in configuration)
  - resource "juju_application" "self-signed-certificates" {
      - config      = {} -> null
      - constraints = "arch=amd64" -> null
      - id          = "tls:self-signed-certificates" -> null
      - machines    = [] -> null
      - model       = "tls" -> null
      - model_type  = "caas" -> null
      - name        = "self-signed-certificates" -> null
      - placement   = "" -> null
      - trust       = false -> null
      - units       = 1 -> null

      - charm {
          - base     = "ubuntu@24.04" -> null
          - channel  = "1/edge" -> null
          - name     = "self-signed-certificates" -> null
          - revision = 308 -> null
          - series   = "noble" -> null
        }
    }

Plan: 0 to add, 0 to change, 7 to destroy.

Changes to Outputs:
  ~ components = {
      ~ ssc          = [
          - {
              - app_name = "self-signed-certificates"
              - provides = {
                  - certificates = "certificates"
                  - send-ca-cert = "send-ca-cert"
                }
              - requires = {
                  - tracing = "tracing"
                }
            },
        ]
        # (6 unchanged attributes hidden)
    }

Testing

Ref: traefik bundles

• Test TLS is working
  • The dashboards had some data (some panels were missing data, likely unrelated).
  • In traefik container
    • Get each of the ingress kube-dns names for each charm with ls -1 /opt/traefik/juju/ and inspect the YAML files
    • curl https://alertmanager-0.alertmanager-endpoints.tls-cos.svc.cluster.local:9093
    • echo | openssl s_client -showcerts -connect alertmanager-0.alertmanager-endpoints.tls.svc.cluster.local:9093 2>/dev/null | openssl x509 -text | grep -C 5 DNS
    • echo | openssl s_client -strict -verify_return_error -connect alertmanager-0.alertmanager-endpoints.tls.svc.cluster.local:9093 || echo "failed"
      • Repeat for each charm in the model
        • Prom
        • Loki
        • Alertmanager
        • Catalogue
    • juju run self-signed-certificates/0 get-ca-certificate | yq -r '.ca-certificate' > ssc.cert
      • curl -L --fail-with-body --capath $PWD --cacert ssc.cert https://192.168.88.12/tls-alertmanager/#/alerts

Related:

• feat: COS certificates integrations (e-2-e TLS) #60

[sed-i]

Due to canonical/traefik-k8s-operator#491 (comment), we need to pin SSC to rev308, but this is not exposed by COS Lite product module so we have to hardcode this in the cos-lite/main.tf in the ssc module

Created #55 to address revision pinning.

[sed-i]

All comments are non-blocking :)