Add tls overlay (#80)

* Add tls overlay * Use juju 3.1/stable * Limit matrix test to juju 3.x * Relate traefik to external CA * Set distinct common names to both CAs * Parametrize pylibjuju --------- Co-authored-by: Simon Aronsson <[email protected]>
canonical · Oct 7, 2023 · fd3297b · fd3297b
1 parent a39ee6b
commit fd3297b
Show file tree

Hide file tree

Showing 13 changed files with 391 additions and 169 deletions.
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -19,9 +19,9 @@ jobs:
         python: [3.8]
     steps:
     - name: Checkout
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
     - name: Setup Python
-      uses: actions/setup-python@v2
+      uses: actions/setup-python@v4
       with:
         python-version: ${{ matrix.python }}
     - name: Install dependencies
@@ -35,22 +35,27 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
     - name: Get prefsrc
       run: |
         echo "IPADDR=$(ip -4 -j route get 2.2.2.2 | jq -r '.[] | .prefsrc')" >> $GITHUB_ENV
     - name: Setup operator environment
       uses: charmed-kubernetes/actions-operator@main
       with:
-        juju-channel: 2.9/stable
+        juju-channel: 3.1/stable
         provider: microk8s
         channel: 1.25-strict/stable
         microk8s-addons: "hostpath-storage dns metallb:${{ env.IPADDR }}-${{ env.IPADDR }}"
+    - name: Update python-libjuju dependency to match juju version
+      # Assuming the dep is given on a separate tox.ini line
+      run: sed -E -i 's/^\s*juju\s*~=.+/    juju~=3.1.0/g' tox.ini
     - name: Run tests (edge channel)
       run: tox -e integration -- --channel=edge
     - name: Dump debug log
       if: failure()
-      run: for ctl in $(juju controllers --format json | jq -r '.controllers | keys[]'); do for mdl in $(juju models --format json | jq -r '.models[].name' | grep -v "admin/controller"); do juju debug-log -m $ctl:$mdl --replay --ms --no-tail; done; done || true
+      run: |
+        for ctl in $(juju controllers --format json | jq -r '.controllers | keys[]'); do for mdl in $(juju models --format json | jq -r '.models[].name' | grep -v "admin/controller"); do juju debug-log -m $ctl:$mdl --replay --ms --no-tail; done; done || true
+        exit 0
       shell: bash
   end-to-end-tests:
     # Must use Juju 3 to bootstrap both uk8s and lxd:https://bugs.launchpad.net/juju/+bug/2003582
@@ -66,7 +71,7 @@ jobs:
       - name: Setup lxd controller
         uses: charmed-kubernetes/actions-operator@main
         with:
-          juju-channel: 2.9/stable
+          juju-channel: 3.1/stable
           provider: lxd
       - name: Save lxd controller name
         id: lxd-controller
@@ -75,7 +80,7 @@ jobs:
       - name: Setup k8s controller
         uses: charmed-kubernetes/actions-operator@main
         with:
-          juju-channel: 2.9/stable
+          juju-channel: 3.1/stable
           provider: microk8s
           channel: 1.25-strict/stable
           microk8s-addons: "hostpath-storage dns metallb:${{ env.IPADDR }}-${{ env.IPADDR }}"
@@ -86,6 +91,8 @@ jobs:
       - name: Fix microk8s permissions
         run: |
           chmod -R ugo+rwX ~/.kube
+      - name: Update python-libjuju dependency to match juju
+        run: sed -E -i 's/^\s*juju\s*~=.+/    juju~=3.1.0/g' tox.ini
       - name: Run end-to-end tests
         run: tox run -vve e2e
         env:

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -32,7 +32,7 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL

diff --git a/.github/workflows/matrix.yaml b/.github/workflows/matrix.yaml
@@ -15,26 +15,19 @@ jobs:
       fail-fast: false
       matrix:
         charm-channel: [ "edge", "beta", "candidate", "stable" ]
-        juju-channel: [ "2.9/stable", "3.2/stable" ]
+        juju-track: [ "3.1", "3.2" ]
         include:
-          - juju-channel: "2.9/stable"
-            juju-agent-version: "2.9.34"
+          - juju-track: "3.1"
+            juju-channel: "3.1/stable"
+            juju-agent-version: "3.1.5"
             microk8s-channel: "1.25/stable"
-          - juju-channel: "3.2/stable"
+          - juju-track: "3.2"
+            juju-channel: "3.2/stable"
             juju-agent-version: "3.2.0"
             microk8s-channel: "1.25-strict/stable"
     steps:
     - name: Checkout
-      uses: actions/checkout@v2
-    - name: Figure out the pylibjuju version we need (must match juju version)
-      run: |
-        # Only keep major.minor of the installed juju version
-        echo "PYLIBJUJU=$(echo "${{ matrix.juju-agent-version }}" | sed 's/\([0-9]\+\.[0-9]\+\).*$/\1/')" >> $GITHUB_ENV
-    - name: Pin python-libjuju to the matching juju version
-      shell: bash
-      run: |
-        # Update pylibjuju pin in tox.ini, assuming the dep is given on a separate line
-        sed -E -i 's/    juju\s*[><=^~]{1,2}\s*[0-9]+.*/    juju~=${{ env.PYLIBJUJU }}/g' tox.ini
+      uses: actions/checkout@v3
     - name: Get prefsrc
       run: |
         echo "IPADDR=$(ip -4 -j route get 2.2.2.2 | jq -r '.[] | .prefsrc')" >> $GITHUB_ENV
@@ -46,6 +39,9 @@ jobs:
         channel: ${{ matrix.microk8s-channel }}
         microk8s-addons: "hostpath-storage dns metallb:${{ env.IPADDR }}-${{ env.IPADDR }}"
         bootstrap-options: "--agent-version ${{ matrix.juju-agent-version }}"
+    - name: Update python-libjuju dependency to match juju version
+      # Assuming the dep is given on a separate tox.ini line
+      run: sed -E -i 's/^\s*juju\s*~=.+/    juju~=${{ matrix.juju-track }}.0/g' tox.ini
     - name: Run tests (${{ matrix.charm-channel }} charms, juju ${{ matrix.juju-channel }}, microk8s ${{ matrix.microk8s-channel }})
       run: tox -e integration -- --channel=${{ matrix.charm-channel }}
     - name: Dump debug log

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -52,13 +52,12 @@ This would include a tester charm (avalanche) and an overlay section with offers
 Optionally, you may render the template with local charms, for example:
 
 ```shell
-./render_bundle.py bundle.yaml --testing=yes --channel=edge \
+./render_bundle.py bundle.yaml --channel=edge \
   --traefik=$(pwd)/../traefik-k8s-operator/traefik-k8s_ubuntu-20.04-amd64.charm \
   --prometheus=$(pwd)/../prometheus-k8s-operator/prometheus-k8s_ubuntu-20.04-amd64.charm \
   --alertmanager=$(pwd)/../alertmanager-k8s-operator/alertmanager-k8s_ubuntu-20.04-amd64.charm \
   --grafana=$(pwd)/../grafana-k8s-operator/grafana-k8s_ubuntu-20.04-amd64.charm \
-  --loki=$(pwd)/../loki-operator/loki-k8s-operator_ubuntu-20.04-amd64.charm \
-  --avalanche=$(pwd)/../avalanche-k8s-operator/avalanche-k8s_ubuntu-20.04-amd64.charm
+  --loki=$(pwd)/../loki-operator/loki-k8s-operator_ubuntu-20.04-amd64.charm
 ```
 
 #### Render template using tox
@@ -70,8 +69,7 @@ tox -e integration -- --keep-models -k test_build_and_deploy \
   --prometheus=$(pwd)/../prometheus-k8s-operator/prometheus-k8s_ubuntu-20.04-amd64.charm \
   --alertmanager=$(pwd)/../alertmanager-k8s-operator/alertmanager-k8s_ubuntu-20.04-amd64.charm \
   --grafana=$(pwd)/../grafana-k8s-operator/grafana-k8s_ubuntu-20.04-amd64.charm \
-  --loki=$(pwd)/../loki-operator/loki-k8s-operator_ubuntu-20.04-amd64.charm \
-  --avalanche=$(pwd)/../avalanche-k8s-operator/avalanche-k8s_ubuntu-20.04-amd64.charm
+  --loki=$(pwd)/../loki-operator/loki-k8s-operator_ubuntu-20.04-amd64.charm
 ```
 
 Now `juju switch` into the newly created model (or use `--model=MODEL` in
@@ -121,6 +119,5 @@ tox -e integration -- \
   --prometheus=$(pwd)/../prometheus-k8s-operator/prometheus-k8s_ubuntu-20.04-amd64.charm \
   --alertmanager=$(pwd)/../alertmanager-k8s-operator/alertmanager-k8s_ubuntu-20.04-amd64.charm \
   --grafana=$(pwd)/../grafana-k8s-operator/grafana-k8s_ubuntu-20.04-amd64.charm \
-  --loki=$(pwd)/../loki-operator/loki-k8s-operator_ubuntu-20.04-amd64.charm \
-  --avalanche=$(pwd)/../avalanche-k8s-operator/avalanche-k8s_ubuntu-20.04-amd64.charm
+  --loki=$(pwd)/../loki-operator/loki-k8s-operator_ubuntu-20.04-amd64.charm
 ```
diff --git a/README.md b/README.md
@@ -26,6 +26,13 @@ The Canonical Observability Stack is the go-to solution for monitoring Canonical
 With COS Lite now being generally available, we are now working on a highly-available, highly-scalable flavor. It will use many of the same components as COS Lite, plus some additional new ones, and provide the same overall user-experience, and focus on scalability, resilience and broad compatibility with Kubernetes distributions out there.
 
 ## Usage
+For traefik ingress to work, you may first need to enable the `metallb`
+microk8s addon. See the [tutorial] for full details.
+
+The `--trust` option is needed by the charms in the `cos-lite` bundle to be
+able to patch their K8s services to:
+- use the right ports (see this [Juju limitation](https://bugs.launchpad.net/juju/+bug/1936260))
+- apply resource limits
 
 Before deploying the bundle you will most likely want to create a dedicated model for it:
 
@@ -34,44 +41,75 @@ $ juju add-model cos
 $ juju switch cos
 ```
 
+### Deploy from charmhub
 You can deploy the bundle from charmhub with:
 
 ```shell
 $ juju deploy cos-lite --trust
 ```
 
-or, to deploy the bundle from a local file:
+
+### Deploy using this repo
+To deploy the bundle from a local file:
 
+```shell
+# render bundle with "edge" charms
+$ tox -e render-edge
+
+$ juju deploy ./bundle.yaml --trust
+```
+
+
+### Deploy for testing
+```shell
+tox -e render-edge
+juju deploy ./bundle.yaml --trust \
+  --overlay overlays/tls-overlay.yaml \
+  --overlay overlays/testing-overlay.yaml
+```
+
+
+### Deploy for testing with local charms
 ```shell
 # generate and activate a virtual environment with dependencies
 $ tox -e integration --notest
 $ source .tox/integration/bin/activate
 
-# render bundle with default values
-$ ./render_bundle.py bundle.yaml
+# render bundle, overriding charm paths
+$ ./render_bundle.py bundle.yaml --channel=edge \
+  --traefik=$(pwd)/../path/to/traefik.charm \
+  --prometheus=$(pwd)/../path/to/prometheus.charm \
+  --alertmanager=$(pwd)/../path/to/alertmanager.charm \
+  --grafana=$(pwd)/../path/to/grafana.charm \
+  --loki=$(pwd)/../path/to/loki.charm
+
+# deploy rendered bundle
 $ juju deploy ./bundle.yaml --trust
 ```
 
-Note: for traefik ingress to work, you may first need to enable the `metallb`
-microk8s addon. See the
-[tutorial](https://charmhub.io/topics/canonical-observability-stack/tutorials/install-microk8s)
-for full details.
-
-The `--trust` option is needed by the charms in the `cos-lite` bundle to be
-able to patch their K8s services to:
-- use the right ports (see this [Juju limitation](https://bugs.launchpad.net/juju/+bug/1936260))
-- apply resource limits
 
+### Overlays
 We also make available some [**overlays**](https://juju.is/docs/sdk/bundle-reference) for convenience:
 
-* the [`offers` overlay](https://raw.githubusercontent.com/canonical/cos-lite-bundle/main/overlays/offers-overlay.yaml) exposes as offers the relation endpoints of the COS Lite charms that are likely to be consumed over [cross-model relations](https://juju.is/docs/olm/cross-model-relations).
-* the [`storage-small` overlays](https://raw.githubusercontent.com/canonical/cos-lite-bundle/main/overlays/storage-small-overlay.yaml) provides a setup of the various storages for the COS Lite charms for a small setup.
-  Using an overlay for storage is fundamental for a productive setup, as you cannot change the amount of storage assigned to the various charms after the deployment of COS Lite.
+- [`offers`](overlays/offers-overlay.yaml): exposes as
+  offers the relation endpoints of the COS Lite charms that are likely to be
+  consumed over [cross-model relations].
+- [`storage-small`](overlays/storage-small-overlay.yaml):
+  provides a setup of the various storages for the COS Lite charms for a small
+  setup. Using an overlay for storage is fundamental for a productive setup, as
+  you cannot change the amount of storage assigned to the various charms after
+  the deployment of COS Lite.
+- [`tls`](overlays/tls-overlay.yaml): adds an internal CA to encrypt all
+  inter-workload communications.
+- [`testing`](overlays/testing-overlay.yaml): adds avalanche relation to
+  prometheus and a watchdog alert (always firing) to test prometheus and
+  alertmanager.
 
 In order to use the overlays above, you need to:
 
 1. Download the overlays (or clone the repository)
-2. Pass the `--overlay <path-to-overlay-file-1> --overlay <path-to-overlay-file-2> ...` arguments to the `juju deploy` command
+2. Pass the `--overlay <path-to-overlay-file-1> --overlay <path-to-overlay-file-2> ...`
+   arguments to the `juju deploy` command
 
 For example, to deploy the COS Lite bundle with the offers overlay, you would do the following:
 
@@ -84,10 +122,15 @@ To use COS Lite with machine charms, see
 [cos-proxy](https://charmhub.io/cos-proxy)
 ([source](https://github.com/canonical/cos-proxy-operator)).
 
+
 ## Publishing
 ```shell
 $ tox -e render-edge  # creates bundle.yaml
 $ charmcraft pack
 $ charmcraft upload cos-lite.zip
 $ charmcraft release cos-lite --channel=edge --revision=4
 ```
+
+
+[cross-model relations]: https://juju.is/docs/olm/cross-model-relations
+[tutorial]: https://charmhub.io/topics/canonical-observability-stack/tutorials/install-microk8s
diff --git a/bundle.yaml.j2 b/bundle.yaml.j2
@@ -14,7 +14,7 @@ applications:
     trust: true
     {%- if traefik is defined and traefik.endswith('.charm') %}
     resources:
-        traefik-image: "jnsgruk/traefik:2.7.0"
+        traefik-image: "ghcr.io/canonical/traefik:2.10.4"
     {%- else %}
     channel: {{ channel|default('edge', true) }}
     {%- endif %}
@@ -24,7 +24,7 @@ applications:
     trust: true
     {%- if alertmanager is defined and alertmanager.endswith('.charm') %}
     resources:
-        alertmanager-image: "ubuntu/prometheus-alertmanager:0.23-22.04_beta"
+        alertmanager-image: "ghcr.io/canonical/alertmanager:0.25.0"
     {%- else %}
     channel: {{ channel|default('edge', true) }}
     {%- endif %}
@@ -34,7 +34,7 @@ applications:
     trust: true
     {%- if prometheus is defined and prometheus.endswith('.charm') %}
     resources:
-      prometheus-image: "ubuntu/prometheus:2.33-22.04_beta"
+      prometheus-image: "ghcr.io/canonical/prometheus:dev"
     {%- else %}
     channel: {{ channel|default('edge', true) }}
     {%- endif %}
@@ -44,8 +44,8 @@ applications:
     trust: true
     {%- if grafana is defined and grafana.endswith('.charm') %}
     resources:
-      grafana-image: "ubuntu/grafana:9.2-22.04_beta"
-      litestream-image: "litestream/litestream:0.4.0-beta.2"
+      grafana-image: "docker.io/ubuntu/grafana:9.2-22.04_beta"
+      litestream-image: "docker.io/litestream/litestream:0.4.0-beta.2"
     {%- else %}
     channel: {{ channel|default('edge', true) }}
     {%- endif %}
@@ -55,7 +55,7 @@ applications:
     trust: true
     {%- if catalogue is defined and catalogue.endswith('.charm') %}
     resources:
-      catalogue-image: "ghcr.io/canonical/catalogue-k8s"
+      catalogue-image: "ghcr.io/canonical/catalogue-k8s-operator:latest"
     {%- else %}
     channel: {{ channel|default('edge', true) }}
     {%- endif %}
@@ -71,7 +71,7 @@ applications:
     trust: true
     {%- if loki is defined and loki.endswith('.charm') %}
     resources:
-      loki-image: "grafana/loki:2.4.1"
+      loki-image: "ghcr.io/canonical/loki:2.7.4"
     {%- else %}
     channel: {{ channel|default('edge', true) }}
     {%- endif %}

diff --git a/overlays/testing-overlay.yaml b/overlays/testing-overlay.yaml
@@ -0,0 +1,33 @@
+applications:
+  alertmanager:
+    scale: 2
+    # Set low resource requests to accommodate small VMs
+    options:
+      cpu: 1m
+      memory: 1Mi
+  prometheus:
+    # Set low resource requests to accommodate small VMs
+    options:
+      cpu: 1m
+      memory: 1Mi
+  grafana:
+    # Set low resource requests to accommodate small VMs
+    options:
+      cpu: 1m
+      memory: 1Mi
+  loki:
+    # Set low resource requests to accommodate small VMs
+    options:
+      cpu: 1m
+      memory: 1Mi
+  avalanche:
+    charm: avalanche-k8s
+    channel: edge
+    scale: 2
+    trust: true
+    options:
+      metric_count: 10
+      series_count: 2
+
+relations:
+  - [avalanche:metrics-endpoint, prometheus]
diff --git a/overlays/tls-overlay.yaml b/overlays/tls-overlay.yaml
@@ -0,0 +1,29 @@
+applications:
+  ca:
+    charm: self-signed-certificates
+    channel: edge
+    scale: 1
+    options:
+      ca-common-name: ca.demo.local
+  external-ca:
+    # This charm needs to be replaced with a real CA charm.
+    # Use `juju refresh --switch` to replace via a "crossgrade refresh".
+    charm: self-signed-certificates
+    channel: edge
+    scale: 1
+    options:
+      ca-common-name: external-ca.example.com
+
+relations:
+ # This is a more general CA (e.g. root CA) that signs traefik's own CSR.
+ - [external-ca, traefik:certificates]
+
+  # This is the local CA that signs CSRs from COS charms (excluding traefik).
+  # Traefik is trusting this CA so that it could load balance via TLS.
+ - [ca, traefik:receive-ca-cert]
+
+ - [ca, alertmanager:certificates]
+ - [ca, prometheus:certificates]
+ - [ca, grafana:certificates]
+ - [ca, loki:certificates]
+ - [ca, catalogue:certificates]