
feat: Add TLS modes with a How-to doc #71

Merged
MichaelThamm merged 16 commits into main from feat/tls-termination
Jul 10, 2025

Conversation

@MichaelThamm (Contributor) commented Jul 4, 2025

Fixes #61, canonical/observability#273

Related:

Warning

Due to this issue, we cannot validate ingress with TLS -> curl -k https://INGRESS_IP/cos-catalogue:

Features

  • TF root module for deploying SSC integrated with COS/COS Lite's Traefik via CMR.
  • Conditionally enable TLS termination depending on the existence of a CA's offer URL
  • Replace the TLS diagram with a mermaid diagram

This enables integrating either the manual TLS certificates charm or self-signed-certificates with COS to provide certificates to Traefik.

Tip

Traefik has config options (tls-ca, tls-cert, tls-key) which override the certs from the integration. This is technically no longer needed, but is still convenient. FYI, we limit the certificates relation count to 1 in Traefik.

Juju status differences

Note

I tested this for COS as well. I just show COS Lite since it's fewer LOC.

Relevant end-to-end TLS model components:

+   self-signed-certificates:
+     charm: self-signed-certificates
+     channel: 1/stable
+     revision: 317
+     scale: 1
+     constraints: arch=amd64

+ - - traefik:certificates
+   - certificates:certificates
+ - - catalogue:certificates
+   - self-signed-certificates:certificates
+ - - loki:certificates
+   - self-signed-certificates:certificates
+ - - alertmanager:certificates
+   - self-signed-certificates:certificates
+ - - prometheus:certificates
+   - self-signed-certificates:certificates
+ - - grafana:certificates
+   - self-signed-certificates:certificates
+ - - traefik:receive-ca-cert
+   - self-signed-certificates:send-ca-cert
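Review bot: the `certificates:certificates` endpoint that `traefik:certificates` relates to is the consumed cross-model offer (the SAAS named `certificates`), not the local `self-signed-certificates` app that catalogue, loki, alertmanager, prometheus and grafana all use; the How-to should name that SAAS explicitly, because a reader scanning this status block will otherwise assume Traefik's listener cert and the in-model CA come from the same issuer. It is also worth stating why Traefik needs both relations here: `traefik:certificates` obtains Traefik's own server cert from the external CA, while `traefik:receive-ca-cert` / `self-signed-certificates:send-ca-cert` hands Traefik the in-model CA so it can verify the backends it proxies to.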

Relevant reverse-tls-termination model components:

+   self-signed-certificates:
+     charm: self-signed-certificates
+     channel: 1/stable
+     revision: 317
+     scale: 1
+     constraints: arch=amd64

- - - traefik:certificates
-   - certificates:certificates
+ - - catalogue:certificates
+   - self-signed-certificates:certificates
+ - - loki:certificates
+   - self-signed-certificates:certificates
+ - - alertmanager:certificates
+   - self-signed-certificates:certificates
+ - - prometheus:certificates
+   - self-signed-certificates:certificates
+ - - grafana:certificates
+   - self-signed-certificates:certificates
+ - - traefik:receive-ca-cert
+   - self-signed-certificates:send-ca-cert
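Review bot: with `traefik:certificates` removed but every backend still related to `self-signed-certificates`, the client-facing hop into Traefik is plaintext while Traefik-to-backend traffic is TLS; the How-to page should say that explicitly, since the mode name "reverse-tls-termination" does not make it obvious that the external listener is now HTTP. In this mode `traefik:receive-ca-cert` is required rather than optional, as it is the only way Traefik learns the CA that issued the backend certs.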

Relevant only tls-termination model components:

-   self-signed-certificates:
-     charm: self-signed-certificates
-     channel: 1/stable
-     revision: 317
-     scale: 1
-     constraints: arch=amd64

+ - - traefik:certificates
+   - certificates:certificates
- - - catalogue:certificates
-   - self-signed-certificates:certificates
- - - loki:certificates
-   - self-signed-certificates:certificates
- - - alertmanager:certificates
-   - self-signed-certificates:certificates
- - - prometheus:certificates
-   - self-signed-certificates:certificates
- - - grafana:certificates
-   - self-signed-certificates:certificates
- - - traefik:receive-ca-cert
-   - self-signed-certificates:send-ca-cert
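Review bot: here the in-model CA and `traefik:receive-ca-cert` disappear together with all five backend `certificates` relations, so Traefik terminates TLS at the edge and forwards plaintext HTTP to catalogue, loki, alertmanager, prometheus and grafana; the doc should flag that in-cluster traffic is unencrypted in this mode and that it is only appropriate where the model's network is trusted.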

Relevant unencrypted model components:

-   self-signed-certificates:
-     charm: self-signed-certificates
-     channel: 1/stable
-     revision: 317
-     scale: 1
-     constraints: arch=amd64

- - - traefik:certificates
-   - certificates:certificates
- - - catalogue:certificates
-   - self-signed-certificates:certificates
- - - loki:certificates
-   - self-signed-certificates:certificates
- - - alertmanager:certificates
-   - self-signed-certificates:certificates
- - - prometheus:certificates
-   - self-signed-certificates:certificates
- - - grafana:certificates
-   - self-signed-certificates:certificates
- - - traefik:receive-ca-cert
-   - self-signed-certificates:send-ca-cert

TODO

  • Merge my SSC fork
  • Check if Traefik can handle certificates integration and config options
  • Remove all TODO/FIXMEs in docs
    • Replace traefik_channel back to latest/stable once Traefik is backwards compatible (related to this PR)

Testing

Juju

Create a root module file something.tf:

# Note: the deployment order matters, since the 'traefik:certificates'
# integration depends on the offer created by 'module.ssc':
#   terraform apply -target module.ssc
#   terraform apply

# External CA, deployed in its own model and consumed by COS Lite over a
# cross-model relation (CMR).
module "ssc" {
  source = "git::https://github.com/canonical/self-signed-certificates-operator//terraform"
  model  = "external-ca"
}

module "cos-lite" {
  source          = "git::https://github.com/canonical/observability-stack//terraform/cos?ref=feat/tls-termination"
  model           = "cos"
  channel         = "1/stable"
  traefik_channel = "latest/edge"

  # The two inputs below select the TLS mode (see the juju status differences above):
  #   internal_tls = true,  offer URL set  -> end-to-end TLS
  #   internal_tls = true,  offer URL null -> reverse TLS termination (HTTP into Traefik, TLS to backends)
  #   internal_tls = false, offer URL set  -> TLS termination only (TLS into Traefik, HTTP to backends)
  #   internal_tls = false, offer URL null -> unencrypted
  internal_tls                    = true  # Set to 'false' to disable intra-model TLS
  external_certificates_offer_url = module.ssc.offers.certificates.url  # Set to 'null' or remove this line to communicate with Traefik via HTTP
}

terraform {
  required_version = ">= 1.5"
  required_providers {
    juju = {
      source  = "juju/juju"
      version = ">= 0.14.0"
    }
  }
}

Documentation

  1. git checkout feat/tls-termination
  2. cd docs
  3. make run
  4. Inspect the docs pages at http://0.0.0.0:8000/how-to/configure-tls-encryption

Manual TLS

Documentation

This PR changes this TLS explanation doc to be a How-to doc with sample TF modules. This doc uses Sphinx tabs to only display one TLS mode at a time for COS or COS Lite:

image

This is the rendered mermaid diagram of the default TLS architecture:

image
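A check that goes with the warning in the PR description, added here as an example and not part of the PR or of the observability-stack project: instead of `curl -k`, which accepts any certificate, verify the certificate Traefik serves against the CA that issued it. The script builds a throwaway PKI with `openssl` as a stand-in for the self-signed-certificates charm's CA and the leaf it issues to Traefik (in a real deployment the CA would be obtained from the charm and the leaf fetched from INGRESS_IP:443), plus a rogue self-signed cert carrying the same name, and shows that only the genuine leaf verifies. The function names, the file layout and the `traefik.cos` name are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the PR): verify an ingress certificate against its
# issuing CA instead of disabling verification with `curl -k`.
# The CA and leaf certificates below are constructed stand-ins for the
# self-signed-certificates charm's CA and the cert it issues to Traefik.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Self-contained openssl config so the example does not depend on the
# system openssl.cnf. The CA section marks the cert as a CA; the leaf
# section is used for the rogue self-signed cert.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:traefik.cos
EOF

# Build the throwaway PKI: an issuing CA, a leaf signed by it (playing
# Traefik), and a self-signed "rogue" leaf with the same name that only
# `curl -k` would accept.
make_test_pki() {
  openssl req -config "$WORK/req.cnf" -x509 -extensions v3_ca \
    -newkey rsa:2048 -nodes -days 2 -subj "/CN=Constructed test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -config "$WORK/req.cnf" -new \
    -newkey rsa:2048 -nodes -subj "/CN=traefik.cos" \
    -keyout "$WORK/traefik.key" -out "$WORK/traefik.csr" 2>/dev/null
  printf 'subjectAltName=DNS:traefik.cos\n' > "$WORK/san.ext"
  openssl x509 -req -in "$WORK/traefik.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/san.ext" -out "$WORK/traefik.pem" 2>/dev/null
  openssl req -config "$WORK/req.cnf" -x509 -extensions v3_leaf \
    -newkey rsa:2048 -nodes -days 1 -subj "/CN=traefik.cos" \
    -keyout "$WORK/rogue.key" -out "$WORK/rogue.pem" 2>/dev/null
}

# verify_leaf CA_PEM LEAF_PEM HOSTNAME -> prints "trusted" or "untrusted".
# This is the check `curl --cacert CA_PEM https://HOSTNAME/...` performs and
# `curl -k` skips: the chain must build to the CA and the name must match
# the certificate's SAN.
verify_leaf() {
  if openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

# fetch_leaf HOST PORT -> writes the server's leaf certificate to stdout as PEM.
# Against the real ingress: fetch_leaf INGRESS_IP 443 > traefik.pem, then
# verify_leaf ca.pem traefik.pem INGRESS_IP (not exercised here: offline).
fetch_leaf() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509
}

make_test_pki
printf 'genuine leaf, right name: %s\n' "$(verify_leaf "$WORK/ca.pem" "$WORK/traefik.pem" traefik.cos)"
printf 'rogue self-signed leaf:   %s\n' "$(verify_leaf "$WORK/ca.pem" "$WORK/rogue.pem" traefik.cos)"
printf 'genuine leaf, wrong name: %s\n' "$(verify_leaf "$WORK/ca.pem" "$WORK/traefik.pem" loki.cos)"
```

Against a real deployment the same two steps apply: export the CA the charm issued from, fetch the leaf with `fetch_leaf`, and run `verify_leaf`; `curl --cacert ca.pem https://INGRESS_IP/cos-catalogue` does the equivalent end to end. Note that the name you verify against must appear in the SAN of the cert Traefik was issued, so an IP-only ingress needs an IP SAN for the hostname check to pass.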

@MichaelThamm MichaelThamm marked this pull request as ready for review July 7, 2025 23:38
Comment thread docs/how-to/configure-tls-encryption.md Outdated
Comment thread docs/how-to/configure-tls-encryption.md
Comment thread docs/how-to/cos-lite-tls.tf Outdated
Comment thread docs/how-to/cos-tls.tf Outdated
Comment thread docs/how-to/configure-tls-encryption.md
Comment thread terraform/cos/variables.tf
@MichaelThamm MichaelThamm merged commit 6f75c4e into main Jul 10, 2025
5 checks passed
@MichaelThamm MichaelThamm deleted the feat/tls-termination branch July 10, 2025 17:55
MichaelThamm added a commit that referenced this pull request Jul 11, 2025
* feat: TLS modes with documentation

Linked issue (closed by this PR): Add TLS Termination options for COS and COS Lite in Terraform

3 participants