Options for Production Controllers


Concerning production controllers, there are a few things I was hoping to get out in the open and get some input on, and possibly get into the docs as well.

  1. When deploying a controller, what are my options for SSL/TLS?

    • I see some bootstrap configs for lets-encrypt, and some config for what looks like manual key/cert specification. At first glance I’m not sure how to take advantage of these. Some docs/examples on this would be super.
  2. What are my options for custom identity backends?

    • I have a feeling this may be something up and coming per the bootstrap-config description? Or possibly this is something I can take advantage of?

Maybe we build a table of what the possible controller deployment options are around the big features like identity backend options and ssl/fqdn configuration, possibly just a few solid example commands to go along with descriptions for these features would be great too. I would be happy to help out here in any way I can.



The documentation on configuring controllers (https://docs.jujucharms.com/2.4/en/controllers-config) does already have a big table with these values mentioned, although at the current time the ‘identity’ ones are marked as ‘not yet implemented’.

Some extra examples to go in the docs for specific use cases would be great though.


Thanks for the questions @jamesbeedy. I thought I had a blog post on using Let’s Encrypt, but while I used it for demos I don’t talk about that step in particular. I’ll set up a discourse post on it today.

For the external auth, well that’s built around JAAS and if you’d like to have a custom setup such as that you should engage with @uros-jovanovic around the on premises JAAS offerings.


I’ve put together a walkthrough on using Let’s Encrypt for a controller here:

One thing I’ve not played with is doing this over HA controllers and having HA failures/etc. I think that’s not as well tested as I tend to use it more for demos and when folks are running things in production they will use their own provided certificates vs let’s encrypt.


I’ve added a topic for deploying with external identity providers here:


@martin-hilton @rick_h thanks for your insight.

Looks like a combination of both is what I was after.

For those interested, the bootstrap command for my manual controller using jujucharms identity and lets-encrypt for ssl:

juju bootstrap manual/mycontroller@juju00.example.com juju-controller-manual \
    --config identity-url=https://api.jujucharms.com/identity \
    --config allow-model-access=true \
    --config autocert-dns-name=juju00.example.com \
    --bootstrap-series bionic


Awesome James.

Note that as of 2.4.2 you shouldn’t need to specify the bootstrap-series. It should be bionic by default. If you hit an issue let us know.


Hello @jamesbeedy, we are at this stage in our MAAS environment now and would appreciate some help. 🙂

  1. Advice on how to integrate with external identity providers (Ubuntu One)
  2. How to co-exist with our Active Directory identity provider.
  3. Do we need to “choose either one” or can we use many?

A few months ago, we were talking to @uros-jovanovic about this but at that time we were not in the knowledge-zone to be able to communicate our situation properly. That has changed now and we could possibly make a few first steps.


This should fall under “[docs] Examples needed for external identity configurations”.


This might fall under something like “Candid <-> Juju integration documentation” - although I’m not sure this is meant to be a publicly usable system (it may be a system Canonical is developing for use in facilitating customers with this type of use case through contract… not really sure).

@martin-hilton @rogpeppe @cmars @uros-jovanovic ^

This may also fall under the Candid category.


I stepped through a tutorial on using Candid with LXD the other day, so it is starting to creep out of its repo as something that’s being offered for general use.


Does it make sense to use MAAS PODs for juju production controllers for MAAS?


Putting controllers in VMs in pods is definitely a fine way to go about things. You need to be careful as HA controllers only work well if they’re on different hardware, so you’d need a few pods to spread them out into.


Thanx, we plan to have 3 pods per maas cloud.