Support HTTPS in loadBalancer servers #188

Closed
Abuelodelanada opened this issue Jun 21, 2023 · 3 comments · Fixed by #196
Comments

@Abuelodelanada (Contributor)

Abuelodelanada commented Jun 21, 2023

Enhancement Proposal

To fully support the TLS story (see canonical/cos-lite-bundle#75) the charm needs to conditionally render HTTP or HTTPS.

Right now when a relation to Alertmanager is established in TLS mode, the config file still says HTTP:

root@traefik-0:/opt/traefik/juju# cat juju_ingress_ingress_6_alertmanager.yaml
http:
  routers:
    juju-cos-alertmanager-router:
      entryPoints:
      - web
      rule: PathPrefix(`/cos-alertmanager`)
      service: juju-cos-alertmanager-service
    juju-cos-alertmanager-router-tls:
      entryPoints:
      - websecure
      rule: PathPrefix(`/cos-alertmanager`)
      service: juju-cos-alertmanager-service
      tls:
        domains:
        - main: 192.168.122.10
          sans:
          - '*.192.168.122.10'
  services:
    juju-cos-alertmanager-service:
      loadBalancer:
        servers:
        - url: http://alertmanager-0.alertmanager-endpoints.cos.svc.cluster.local:9093

See also:

lb_servers = [{"url": f"http://{data['host']}:{data['port']}"}]

if self._routing_mode is _RoutingMode.path:
    route_rule = f"PathPrefix(`/{prefix}`)"
    url = f"http://{host}:{self._port}/{prefix}"
else:  # _RoutingMode.subdomain
    route_rule = f"Host(`{prefix}.{host}`)"
    url = f"http://{prefix}.{host}:{self._port}/"

lb_servers = [{"url": f"http://{data['host']}:{data['port']}"}]

You can reproduce the situation using this bundle:

# # Deploy bundle
# juju deploy --trust ./bundle.yaml
#
# # Obtain IP addresses
# IPADDR=$(juju status --format json trfk | jq -r '.applications.trfk.address')
# IPADDR0=$(juju status --format json am | jq -r '.applications.am.units."am/0".address')
# IPADDR1=$(juju status --format json am | jq -r '.applications.am.units."am/1".address')
# IPADDR2=$(juju status --format json am | jq -r '.applications.am.units."am/2".address')
#
# # Make sure traefik external-hostname is locally routable
# echo "$IPADDR cluster.local" | sudo tee -a /etc/hosts
#
# # Make sure charm code created web-config, cert and key files
# juju ssh --container alertmanager am/0 ls /etc/alertmanager/
#
# # Inspect server cert and confirm `X509v3 Subject Alternative Name` field is as expected
# echo | openssl s_client -showcerts -servername cluster.local -connect cluster.local 2>/dev/null | openssl x509 -inform pem -noout -text
#
# # Save CA cert locally
# juju show-unit am/0 --format yaml | yq '.am/0."relation-info"[0]."local-unit".data.ca' > /tmp/cacert.pem
#
# # Confirm traefik ingress has `https` for alertmanager's server url
# juju ssh --container traefik trfk/0 cat /opt/traefik/juju/juju_ingress_ingress_6_am.yaml
#
# # Confirm alertmanager TLS endpoint reachable
# curl --fail-with-body --capath /tmp --cacert /tmp/cacert.pem https://cluster.local/tlstest-am-0/-/ready

---
bundle: kubernetes
applications:
  am:
    charm: ./alertmanager-k8s_ubuntu-20.04-amd64.charm
    series: focal
    scale: 3
    trust: true
    resources:
      alertmanager-image: ubuntu/prometheus-alertmanager:0.23-22.04_beta
    options:
      web_external_url: https://alertmanager.local
  ca:
    charm: self-signed-certificates
    channel: edge
    scale: 1
  trfk:
    charm: traefik-k8s
    channel: edge
    scale: 1
    options:
      external_hostname: cluster.local
relations:
- [am:certificates, ca:certificates]
- [trfk:certificates, ca:certificates]
- [am:ingress, trfk]
@sed-i (Contributor)

sed-i commented Jun 28, 2023

Potential options:

Add field

Add another field to reldata: "scheme": "https".
Backwards compat: if missing, use "http".

Change reldata from parts to full URL

Instead of "hostname" use "url".

@PietroPasotti (Contributor)

we're going to be adding an optional app data field with the scheme
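As an added example (not code from the traefik-k8s-operator charm, and not posted by anyone in this thread), here is how the provider side could render the loadBalancer server URL from an optional scheme field in the relation data, as proposed in the two comments above: a missing field means http, so requirers that predate the field keep working, and anything other than http/https is rejected rather than silently mapped to http. The names RoutingMode, backend_url, render_ingress and the ca_file parameter are assumptions for this example; the serversTransport/rootCAs part is standard Traefik v2 dynamic configuration and is included because an https backend signed by a private CA (such as self-signed-certificates) will not verify against Traefik's system roots on its own, which the thread does not discuss.

```python
# Added example, not the traefik-k8s-operator charm's own code.
# Renders the Traefik dynamic-config fragment for one ingress relation,
# honouring an optional "scheme" field in the relation data (assumed name)
# and defaulting to "http" when it is absent, for backwards compatibility
# with requirers that predate the field.
import json
from enum import Enum
from typing import Optional

ALLOWED_SCHEMES = ("http", "https")


class RoutingMode(Enum):  # assumed name; mirrors _RoutingMode in the snippet above
    path = "path"
    subdomain = "subdomain"


def backend_url(data: dict) -> str:
    """Build the loadBalancer server URL from the requirer's relation data.

    A missing or empty "scheme" means "http", which is exactly what the charm
    rendered unconditionally before. Any other value is rejected rather than
    silently mapped to http, so a typo on the requirer side cannot turn a TLS
    backend into a plaintext one behind the operator's back.
    """
    scheme = data.get("scheme") or "http"
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"unsupported scheme {scheme!r}, expected one of {ALLOWED_SCHEMES}")
    port = int(data["port"])
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    return f"{scheme}://{data['host']}:{port}"


def render_ingress(prefix: str, external_host: str, data: dict,
                   routing_mode: RoutingMode, tls: bool = True,
                   ca_file: Optional[str] = None) -> dict:
    """Return the contents of a juju_ingress_*.yaml file as a dict.

    ca_file (assumed parameter) is the path, inside the Traefik container, of
    the CA certificate that signed the backend's server certificate. Without
    it Traefik verifies an https backend against its system roots, which a
    self-signed-certificates CA will never pass.
    """
    if routing_mode is RoutingMode.path:
        route_rule = f"PathPrefix(`/{prefix}`)"
    else:  # RoutingMode.subdomain
        route_rule = f"Host(`{prefix}.{external_host}`)"

    router = f"juju-{prefix}-router"
    service = f"juju-{prefix}-service"
    routers = {router: {"entryPoints": ["web"], "rule": route_rule, "service": service}}
    if tls:
        routers[f"{router}-tls"] = {
            "entryPoints": ["websecure"],
            "rule": route_rule,
            "service": service,
            "tls": {"domains": [{"main": external_host, "sans": [f"*.{external_host}"]}]},
        }

    url = backend_url(data)
    load_balancer = {"servers": [{"url": url}]}
    config = {"http": {"routers": routers, "services": {service: {"loadBalancer": load_balancer}}}}

    if url.startswith("https://") and ca_file:
        # Standard Traefik v2 dynamic config: pin the backend CA instead of
        # falling back to insecureSkipVerify on the serversTransport.
        transport = f"juju-{prefix}-transport"
        load_balancer["serversTransport"] = transport
        config["http"]["serversTransports"] = {transport: {"rootCAs": [ca_file]}}
    return config


if __name__ == "__main__":
    # Constructed relation data mirroring the alertmanager case in the issue.
    reldata = {"host": "alertmanager-0.alertmanager-endpoints.cos.svc.cluster.local",
               "port": "9093", "scheme": "https"}
    print(json.dumps(render_ingress("cos-alertmanager", "192.168.122.10", reldata,
                                    RoutingMode.path, ca_file="/opt/traefik/juju/ca.crt"),
                     indent=2))
```

Two practitioner points the code encodes: the default is applied only when the field is absent or empty, never when it is present with an unexpected value, and switching the server URL to https is only half of the job, since Traefik must also be told which CA to trust for the backend or the ingress will fail closed with a certificate error.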

@PietroPasotti (Contributor)

Fixed in #200
