This repository has been archived by the owner on Mar 4, 2024. It is now read-only.

The TLS charm interface written in layers and using the reactive framework.

juju-solutions/interface-tls

TLS interface

This is a Juju interface layer that handles transport layer security (TLS) between charms of the same type (a.k.a. a peers relation), so that the charms using this layer can communicate securely with each other on the basis of TLS certificates.

To get started please read the Introduction to PKI which defines some PKI terms, concepts and processes used in this document.

NOTE: This interface does not do the actual work of creating requests or signing certificates. The interface layer only handles the communication between the peers; the charm layer must react to the states correctly for this interface to work.

The layer-tls charm layer was created to implement this using the easy-rsa project. Other charm layers could implement this interface with other PKI tooling (such as openssl commands).

States

The interface layer emits several reactive states that a charm layer can respond to:

create certificate signing request

This is the start state, generated when the peer relation is joined. A charm layer responding to this state should create a certificate signing request (CSR) and set the CSR on the relation object using the set_csr(csr) method.

sign certificate signing request

Once the CSR is set on the relation, the leader will emit the "sign certificate signing request" state that the charm layer can react to. The leader can then import and sign the CSR and set the signed certificate on the relation object using the set_cert(unit_name, certificate) method. Here unit_name uniquely identifies the signed certificate for each unit.

signed certificate available

Once the signed certificate is set on the relation, the interface layer will emit the "signed certificate available" state, indicating that the signed certificate is available to the charm layer in the unitdata under the key [unit-name]_signed_certificate. The charm layer can then retrieve the certificate and use it in its code, for example:

from charmhelpers.core import unitdata

# unitdata.kv() is the unit-local key/value store charms use to persist state.
database = unitdata.kv()
# Read the signed certificate back under the key the charm layer stored it as;
# the key must match whatever the charm layer chose when it saved the value.
cert = database.get('tls.server.certificate')
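The three-state exchange described above, as an added example that is not part of this interface's code: an in-memory stand-in for the peer relation (hypothetical PeerRelation class) that records the states in order, enforces that only the leader calls set_cert, and exposes the result under the [unit-name]_signed_certificate key. The signing step is a constructed keyed digest, not real X.509 signing, because the page leaves the PKI work to the charm layer.

```python
import hashlib
import hmac
from typing import Callable, Dict, List, Tuple

# Hypothetical stand-in for the Juju peer relation object described in the
# README; the real set_csr/set_cert live in the interface layer, not here.
class PeerRelation:
    def __init__(self, leader: str):
        self.leader = leader
        self.csrs: Dict[str, str] = {}
        self.certs: Dict[str, str] = {}
        self.states: List[str] = []  # reactive states emitted, in order

    def set_csr(self, unit_name: str, csr: str) -> None:
        self.csrs[unit_name] = csr
        self.states.append(f"sign certificate signing request ({unit_name})")

    def set_cert(self, signer: str, unit_name: str, certificate: str) -> None:
        # Only the leader signs; a non-leader setting a cert is a protocol violation.
        if signer != self.leader:
            raise PermissionError(f"{signer} is not the leader")
        if unit_name not in self.csrs:
            raise KeyError(f"no CSR was set for {unit_name}")
        self.certs[unit_name] = certificate
        self.states.append(f"signed certificate available ({unit_name})")

# Constructed stand-in for the PKI step the charm layer (e.g. easy-rsa) performs:
# a keyed digest over the CSR, NOT a real X.509 signature.
def stub_sign(ca_key: bytes, csr: str) -> str:
    return "CERT:" + hmac.new(ca_key, csr.encode(), hashlib.sha256).hexdigest()

def stub_verify(ca_key: bytes, csr: str, cert: str) -> bool:
    return hmac.compare_digest(stub_sign(ca_key, csr), cert)

def run_peer_exchange(units: List[str], leader: str,
                      sign: Callable[[bytes, str], str] = stub_sign,
                      ca_key: bytes = b"constructed-ca-key") -> Tuple[List[str], Dict[str, str]]:
    """Walk every peer through the three states; return (states, unitdata view)."""
    relation = PeerRelation(leader)
    unitdata: Dict[str, str] = {}
    for unit in units:
        relation.states.append(f"create certificate signing request ({unit})")
        relation.set_csr(unit, f"constructed CSR for {unit}")
    for unit, csr in relation.csrs.items():
        relation.set_cert(leader, unit, sign(ca_key, csr))  # leader signs each CSR
    for unit, cert in relation.certs.items():
        unitdata[f"{unit}_signed_certificate"] = cert      # key the charm reads back
    return relation.states, unitdata
```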

Contact Information

Interface author: Matt Bruzek <Matthew.Bruzek@canonical.com>
Contributor: Charles Butler <Charles.Butler@canonical.com>
Contributor: Cory Johns <Cory.Johns@canonical.com>
