Security with X.509 certificates
X.509 certificates are vital in the security of many Internet protocols, including TLS/SSL. If your charm workload communicates over HTTPS, you most likely need these certificates. Within the Juju ecosystem, the tls-certificates charm relation interface handles X.509 certificate creation, renewal, and revocation.
Contents:
- Understanding your X.509 certificates requirements
- (For charm authors:) Implementing the tls-certificates relation in your charm
- Still have questions?
Understanding your X.509 certificates requirements
To meet your X.509 certificate needs, start by answering the following questions. Your answers will help you decide whether you need to implement the tls-certificates interface in your charm and which TLS provider to use.
- Question 1: Where should your TLS connection be terminated?
- Question 2: What type of certificates do you need?
- Question 3: How do you get your signed certificates ?
Question 1: Where should your TLS connection be terminated?
At the ingress level
In contexts where X.509 certificates are necessary to ensure HTTPS communication with users or systems outside of the Juju model where the application is deployed, it is recommended to use an ingress controller like Traefik. Traefik handles TLS connection termination, sending decrypted data to your application, so your application charm does not need to manage X.509 certificates. Implementing the ingress integration is all that’s required as Traefik already supports the tls-certificates interface.
At the application level
For use cases where HTTPS communication is done inside of the Juju model, TLS connections will need to be terminated at the application level. This requires implementing the requirer side of the tls-certificates-interface in your charm. A typical example is enabling various units of a PostgreSQL cluster to communicate via TLS.
The upcoming questions will help you choose the most appropriate TLS provider for a TLS connection terminated at application level.
Question 2: What type of certificates do you need?
Signed Certificates
Essential for most production deployments. If this applies to you, proceed to question 3.
Self-signed certificates
Ideal for development and non-production environments. In these cases, look no further. The self-signed-certificates operator provides self-signed certificates in the charm ecosystem. Upon deployment, the self-signed-certificates operator generates a private key and a Certificate Authority (CA) certificate (that is not signed by any authority). The operator signs each certificate request it receives using this self-signed CA certificate.
If this applies to you, ignore question 3.
Question 3: How do you get your signed certificates ?
Using Let’s Encrypt (or another ACME server)
Utilize the LEGO charm operator to request certificates using the ACME protocol using your preferred DNS provider. We currently maintain:
The ACME server will validate domain ownership using the DNS-01 challenge. If your DNS provider is not supported, let us know and we can help support it. For more information about using the Let’s Encrypt operators in your charm, read this post.
Through a manual process
If your organization has a manual process for managing certificates, consider the manual-tls-certificates operator, which supports actions to list certificate requests, retrieve signing requests, and supply manually obtained certificates.
From Vault
Vault is a very popular secret management software. Both the Kubernetes and Machine versions of the charm can be used as intermediate Certificate Authority to provide certificates in the Juju ecosystem.
(For charm authors:) Implementing the tls-certificates relation in your charm
The tls-certificates
charm integration interface is used by charms providing and requiring X.509 certificates. The tls-certificates-interface library is used to handle most of this heavy lifting for both requirers and providers of the tls-certificate integration.
As we saw on question 1, if your TLS connection should be terminated at the application level, the requirer side of the tls-certificates
integration needs to be implemented in your charm. Then, you just need to integrate your charm with the TLS provider operator of your choice, according to your answers to questions 2 and 3.
For more information about implementing this library in your charm, look at the documentation.
Still have questions?
Meet the community and chat with us on Matrix.
Last updated 7 days ago.