Manage your JAAS deployment
Deploy JAAS
Note
In order to deploy JAAS and all its components you must use a Juju controller with a minimum version of 3.x.
In order to interact with JAAS as a user, you must use a Juju CLI with a minimum version of 3.5.4.
JAAS supports Juju controllers with a minimum version of 3.4.
TBA (for now please see the tutorial)
Create a JIMM controller admin
Prerequisites
For this how-to you will need the following:
A basic understanding of JAAS tags, see Tag.
A running JAAS environment, see the tutorial.
An understanding of Juju permissions, see the Juju docs.
Creating an admin user
To create an initial admin user, use the config option controller-admins.
The format for controller-admins is a space-separated list of email addresses or service accounts. This means that entries can be of the form name@domain.com or client-id@serviceaccount.
Run the following command, replacing the contents with your email address, to configure your user as a JIMM admin.
juju config jimm controller-admins="<your-email-address>"
Tip
See also: Charmhub | juju-jimm-k8s > Configurations > controller-admin
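Every entry in controller-admins receives JIMM admin rights, so it is worth linting the value before applying it. The script below is an added example, not part of the JAAS documentation or JIMM's code; the function names and the character rules are assumptions, and the sample entries are constructed.

```shell
#!/bin/sh
# Added example (not JIMM code). Assumed rules: each entry is name@domain with
# exactly one "@"; domain is "serviceaccount" or a dotted DNS-style name.

# check_admin_entry ENTRY: prints "user" or "serviceaccount", non-zero if malformed.
check_admin_entry() (
    case $1 in
        *@*@*|@*|*@) return 1 ;;          # more than one "@" or an empty side
        *@*) ;;
        *) return 1 ;;                    # no "@" at all
    esac
    name=${1%@*} domain=${1#*@}
    case $name in *[!A-Za-z0-9._+-]*) return 1 ;; esac
    if [ "$domain" = "serviceaccount" ]; then echo serviceaccount; return 0; fi
    case $domain in
        *[!A-Za-z0-9.-]*|.*|*.|*..*) return 1 ;;
        *.*) echo user ;;
        *) return 1 ;;                    # bare host such as "localhost"
    esac
)

# validate_controller_admins "LIST": 0 only if the space-separated list is
# non-empty, every entry is well formed, and no entry is repeated.
validate_controller_admins() (
    set -f                                # no glob expansion while splitting
    seen=" " rc=0 n=0
    for entry in $1; do
        n=$((n + 1))
        if ! kind=$(check_admin_entry "$entry"); then
            echo "rejected: $entry" >&2; rc=1; continue
        fi
        case $seen in
            *" $entry "*) echo "duplicate: $entry" >&2; rc=1; continue ;;
        esac
        seen="$seen$entry "
        echo "ok: $entry ($kind)"
    done
    [ "$n" -gt 0 ] || { echo "empty list" >&2; rc=1; }
    return "$rc"
)

# Constructed sample value: one user and one service account.
ADMINS="alice@example.com 7f3c2a10-client@serviceaccount"
if validate_controller_admins "$ADMINS"; then
    # Printed for review, not executed.
    echo "juju config jimm controller-admins=\"$ADMINS\""
fi
```

A comma-separated value is rejected because the whole string is read as one entry containing two "@" characters.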
Now you can verify that you have admin access to JIMM using jimmctl.
If you do not have jimmctl installed, you can install it with the following command:
sudo snap install jimmctl --channel=3/stable
The following commands are particularly useful for interacting with controllers.
jimmctl controllers
jimmctl audit-events
In a fresh setup, the first should return an empty list, showing that no controllers have been added to JIMM.
The second command returns a list of audited events that JIMM has recorded. More information on JIMM's audit log feature is available in the jimmctl audit-events details.
Integrate JAAS with the Canonical Observability Stack
This document shows how to integrate the different components of JAAS with the Canonical Observability Stack to enable pre-configured dashboards and alerting rules.
The Canonical Observability Stack is a Juju bundle that includes a series of open source observability applications and related automation. For the complete list of components in COS, read the Component List.
Prerequisites
A running COS-Lite bundle. You can follow the Getting started on MicroK8s tutorial to get started. Make sure to follow the Deploy the COS Lite bundle with overlays section to create offers.
A running JAAS. Please refer to the deployment tutorial.
Tip
Juju offers are a way of sharing software as a service between models. Make sure you deploy COS and set up offers so that you can relate to it across models.
It is generally recommended to keep the observability stack separate from any observed applications to separate failure domains. This document assumes that JAAS and the COS bundle are deployed to different models.
This how-to assumes that Vault and PostgreSQL are deployed alongside JIMM and OpenFGA. Depending on your approach, this may not be true. Additionally this how-to assumes the names of the deployed applications, which might differ in your environment.
Integration approaches
There are 2 possible integration approaches depending on your networking / deployment setup:
If you are able to send metrics and logs directly to the observability platform components, follow the Integrate JAAS with COS-Lite section.
If you prefer using a telemetry collector component, follow the Integrate JAAS with COS-Lite through Grafana-Agent section.
Integrate JAAS with COS-Lite
Grafana integration
Assuming you deployed the COS-Lite bundle in model cos-model with user admin, use the following commands to integrate the JAAS applications by means of an application offer.
juju integrate jimm admin/cos-model.grafana-dashboards
juju integrate openfga admin/cos-model.grafana-dashboards
juju integrate postgresql admin/cos-model.grafana-dashboards
juju integrate vault admin/cos-model.grafana-dashboards
Loki integration
Assuming you deployed the COS-Lite bundle in model cos-model with user admin, use the following commands to integrate JAAS by means of an application offer.
juju integrate jimm admin/cos-model.loki-logging
juju integrate openfga admin/cos-model.loki-logging
juju integrate postgresql admin/cos-model.loki-logging
juju integrate vault admin/cos-model.loki-logging
Prometheus integration
Assuming you deployed the COS-Lite bundle in model cos-model with user admin, use the following commands to integrate JAAS by means of an application offer.
juju integrate jimm admin/cos-model.prometheus-scrape
juju integrate openfga admin/cos-model.prometheus-scrape
juju integrate postgresql admin/cos-model.prometheus-scrape
juju integrate vault admin/cos-model.prometheus-scrape
Integrate JAAS with COS-Lite through Grafana-Agent
You first need to deploy the Grafana-Agent operator, which is a telemetry collector used to aggregate and push information to the COS-Lite bundle.
Tip
Note that you may perform some relations directly with the COS applications. E.g. the Grafana relation shares any dashboards from the charm to Grafana. This relation should be done as described in the previous section.
To deploy Grafana-Agent run:
juju deploy grafana-agent-k8s --channel latest/stable --trust
Forward Prometheus metrics
Integrate Grafana-Agent with JAAS by running the following commands:
juju integrate grafana-agent-k8s jimm:metrics-endpoint
juju integrate grafana-agent-k8s openfga:metrics-endpoint
juju integrate grafana-agent-k8s postgresql:metrics-endpoint
juju integrate grafana-agent-k8s vault:metrics-endpoint
Forward Loki metrics
Integrate Grafana-Agent with JAAS by running the following commands:
juju integrate grafana-agent-k8s jimm:logging
juju integrate grafana-agent-k8s openfga:log-proxy
juju integrate grafana-agent-k8s postgresql:logging
juju integrate grafana-agent-k8s vault:logging
Integrate Grafana-Agent with COS-Lite
Assuming you deployed the COS-Lite bundle in model cos-model with user admin, use this command to integrate the Grafana-Agent with Prometheus by means of an application offer.
juju integrate grafana-agent-k8s admin/cos-model.prometheus-receive-remote-write
Assuming you deployed the COS-Lite bundle in model cos-model with user admin, use this command to integrate the Grafana-Agent with Loki by means of an application offer.
juju integrate grafana-agent-k8s admin/cos-model.loki-logging
Access the dashboards
You can get the Grafana IP address with the juju status command.
The default port for the Grafana HTTP server is 3000.
The default credentials are:
Username: admin
Password: you can get the password with the juju action get-admin-password.
Once in, you will see a vertical menu bar on the left side of the page. You will find the available alerts by clicking on the Alerting menu. You will find the available dashboards by clicking on the Dashboards menu.
Equip your JAAS deployment with TLS ingress
The NGINX Ingress Integrator is a charm responsible for creating Kubernetes ingress rules. These rules can be hardened via TLS, and the charm provides a means to do so. See here.
Our LEGO charms provide certificates for charms from a desired ACME server and can be integrated with the integrator to enable TLS at the ingress level. See here.
You will require a domain that your ACME server is aware of and an NGINX ingress controller installed on your Kubernetes cluster.
With JAAS deployed, deploy both LEGO and the integrator, integrate your LEGO charm deployment with your ingress integrator, and then integrate the ingress integrator with JIMM to enable TLS ingress for your deployment.
Integrate JAAS with the Juju dashboard
Juju dashboard is a web UI that is intended to supplement the CLI experience with aggregate views and at-a-glance health checks.
This how-to provides you with instructions on how to set up Juju Dashboard for your JAAS deployment.
Tip
To explore Juju Dashboard features you can go here.
Prerequisites
For this how-to you will need the following:
A running JAAS environment, see the tutorial.
Deploy Juju Dashboard
First deploy the Juju Dashboard charm.
juju switch <model_where_jimm_is>
juju deploy juju-dashboard-k8s dashboard
juju integrate dashboard jimm-app
Then you need to expose your dashboard through an ingress.
Tip
You can follow Equip your JAAS deployment with TLS ingress to add TLS to your ingress.
juju deploy nginx-ingress-integrator dashboard-ingress
juju integrate dashboard dashboard-ingress
juju config dashboard-ingress service-hostname="hostname"
You will visit your dashboard at https://hostname.
Now you need to configure JIMM to accept requests coming from https://hostname.
juju config jimm-app cors-allowed-origins="https://hostname"
juju config jimm-app juju-dashboard-location="https://hostname"
Now go to https://hostname, sign in through the identity provider you set up during JAAS deployment, and you are in the dashboard.
Harden your deployment
Configure JIMM to use CORS using the configuration option cors-allowed-origins.
Integrate JIMM with Self-Signed Certificates using the receive-ca-cert relation endpoint.
Enable TLS for PostgreSQL.
See more: Charmhub | PostgreSQL K8s > Enable TLS
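For the cors-allowed-origins option, used both in the dashboard steps and in the hardening list above, the following added example (not part of the JAAS documentation or JIMM's code) lints a candidate value against the juju-dashboard-location URL before it is applied. The function names, the treatment of the value as whitespace separated, and the hostname dashboard.example.com are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not JIMM code): lint cors-allowed-origins against the
# dashboard location. Assumption: multiple origins are whitespace separated.

# origin_of URL: prints scheme://host[:port], dropping path, query and fragment.
origin_of() (
    scheme=${1%%://*}
    rest=${1#*://}
    [ "$scheme" != "$1" ] || return 1         # no "://" in the input
    hostport=${rest%%[/?#]*}
    [ -n "$hostport" ] || return 1
    echo "$scheme://$hostport"
)

# check_cors_origins "ORIGINS" DASHBOARD_URL: 0 only if every origin is a bare
# https origin and the dashboard's own origin is one of them.
check_cors_origins() (
    set -f                                    # keep "*" literal while splitting
    want=$(origin_of "$2") || { echo "bad dashboard URL: $2" >&2; return 1; }
    rc=0 found=0
    for o in $1; do
        case $o in
            *\**)      echo "wildcard origin: $o" >&2; rc=1; continue ;;
            https://*) ;;
            *)         echo "not https: $o" >&2; rc=1; continue ;;
        esac
        # Browsers send Origin as scheme://host[:port] with no path.
        if [ "$(origin_of "$o")" != "$o" ]; then
            echo "not a bare origin (path or trailing slash): $o" >&2
            rc=1; continue
        fi
        if [ "$o" = "$want" ]; then found=1; fi
    done
    [ "$found" -eq 1 ] || { echo "dashboard origin $want is not allowed" >&2; rc=1; }
    return "$rc"
)

# Constructed values; dashboard.example.com is a placeholder hostname.
if check_cors_origins "https://dashboard.example.com" "https://dashboard.example.com"; then
    echo "cors-allowed-origins matches juju-dashboard-location"
fi
```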