Show and Tell: New MAAS TLS feature

Today, Anton introduces the new MAAS TLS feature set. Please be sure to leave comments and questions below.

https://drive.google.com/file/d/1Hmsklm1g08CP4wJAOSAIO1FlDHVzGb0s/view?usp=sharing

Here is a PDF copy of the presentation:

https://drive.google.com/file/d/17ospohblBMynXoxOKhLe6iPi2FNbPx2G/view?usp=sharing

And here are before and after diagrams of the MAAS architecture, relevant to the TLS changes:

https://drive.google.com/file/d/1agLQBf0TKcDE9l2W_hgWROINT9I6FKWk/view?usp=sharing

https://drive.google.com/file/d/1l8k7B4c9b5ehfdlmPlPw5jqqkOuk6uWI/view?usp=sharing

Enjoy!


During the demo session I encountered an issue with the CLI failing to work with TLS enabled.

After further investigation I discovered that the issue was related to anonymous access not using the provided CA certs. The bug is already fixed but not released yet.

Current workaround:

  1. It works just fine if an API key is provided
  2. You can add the CA certs to your trusted root, then they should be picked up by the CLI

I enabled TLS, and was able to get the maas login command to work using the API key workaround.

I am now trying to use juju bootstrap with MAAS, and I am being presented with an error similar to the one that occurred in the maas login command:

```
juju bootstrap --bootstrap-series=focal --constraints tags=juju maas-one maas-controller
…
Installing Juju machine agent
2022-08-02 21:06:00 INFO juju.cmd supercommand.go:56 running jujud [2.9.32 917a8f1033561ce28a73ff81d71da75aec6e0785 gc go1.18.3]
ERROR Get "https://mysite.edu/MAAS/api/2.0/version/": x509: certificate signed by unknown authority
ERROR failed to bootstrap model: subprocess encountered error code 1
```

Do you know a similar workaround for this? Does the unreleased bugfix resolve this issue?

For now I am going to attempt to follow this guide to add CA certs into the trusted root of the Juju server when it is initialized: https://discourse.charmhub.io/t/add-extra-system-certificate-authorities-during-juju-bootstrap-add-machine/2278

When you run juju bootstrap, it makes a call to the MAAS API, and since MAAS presents a self-signed certificate, it fails to validate it.

Unfortunately, right now it is impossible to pass CA certs to the juju CLI, but adding the CA to a trusted root should work.

Gotcha, I was able to successfully run juju bootstrap by creating a configuration file called juju-cloud-config.yml with the following contents:

```yaml
cloudinit-userdata: |
    ca-certs:
        trusted:
            - |
                <INSERT CERTIFICATE HERE>
```

I then ran:

```
juju bootstrap --bootstrap-series=focal --config=juju-cloud-config.yml --constraints tags=juju maas-one maas-controller
```

I believe this added the certificate to the juju server during the bootstrap process, which allowed it to validate with the MAAS API.

Post that helped me with this:

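An added example, not part of the thread and not MAAS or Juju code: a shell function that builds the juju-cloud-config.yml shown above from a CA certificate file, keeping the nesting and indentation used in that post and refusing a file that also holds a private key. The function name `make_juju_ca_config` and the file name `maas-ca.pem` are assumptions.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from MAAS or Juju).
# Usage: make_juju_ca_config maas-ca.pem > juju-cloud-config.yml

# Print the cloudinit-userdata YAML for every certificate in PEM file $1.
make_juju_ca_config() {
    pem=$1
    [ -r "$pem" ] || { echo "cannot read $pem" >&2; return 1; }

    # A usable bundle has at least one certificate and no truncated blocks.
    begins=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$pem" || true)
    ends=$(grep -c -- '-----END CERTIFICATE-----' "$pem" || true)
    if [ "$begins" -eq 0 ] || [ "$begins" -ne "$ends" ]; then
        echo "$pem: no complete PEM certificate found" >&2
        return 1
    fi

    # The userdata is handed to every bootstrapped machine, so only public
    # certificates belong in it. Reject combined cert+key files outright.
    if grep -q -- 'PRIVATE KEY-----' "$pem"; then
        echo "$pem contains a private key; pass only the CA certificate" >&2
        return 1
    fi

    printf 'cloudinit-userdata: |\n'
    printf '    ca-certs:\n'
    printf '        trusted:\n'
    # One "- |" list item per certificate; text outside the PEM blocks
    # (subject lines, comments) is dropped and CR line endings are removed.
    awk '
        /-----BEGIN CERTIFICATE-----/ { print "            - |"; inside = 1 }
        inside { sub(/\r$/, ""); print "                " $0 }
        /-----END CERTIFICATE-----/ { inside = 0 }
    ' "$pem"
}
```

The generated file is passed to `juju bootstrap` with `--config=juju-cloud-config.yml`, as in the command above.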