Sharing environments - a proposal

John Meinel john at arbash-meinel.com
Thu May 29 14:38:24 UTC 2014


> that makes it easy for Eric to connect to the environment.  Now ideally
> where we'd like to get to is the following:
>
>    juju connect eric@<api-endpoint> [<env uuid>]
>
> ...


> PROBLEM: right now all connections to the api server are secured with
> TLS and the client-cert.
>

I'm pretty sure none of them use client certs. What they use is a
certificate that is signed by an environment-specific CA. So we use the
CACert to validate that the API server's certificate is valid, rather than
just trusting any TLS connection.
However, we *could* just trust the remote site to identify itself if we
wanted to.

...


> We do have the current issue of knowing which end points will be SSL
> protected and which are TLS with a client-cert, but for now, we know
> that we need a client cert for the connection.  In order to handle this
> behaviour now, I suggest we do the following:
>

As mentioned, we just have regular TLS with server side certs, we just
track the CA Cert so that we know if we can actually trust the cert.

John
=:->


>
>   $ juju connect eric@random-aws.com fb5a2570-e6f2-11e3-ac10-0800200c9a66 --client-cert ~/Downloads/cert.txt
>   password:
>   local environment name [foo-production]:
>
> This at least moves us in the right direction.
>
>
> Thoughts?
> Tim
>
>
UUIDs are still pretty ugly to pass around. Versus having named environments
at API servers. I like having UUIDs be unambiguous under the covers, but I
wonder if it is actually nice UI to have people use it for connections.


>
> [1] An alternative command name could be 'login'.  We should also have
> an equivalent 'logout' or 'disconnect' that removes the .jenv file (with
> sufficient warnings about the environment still running).
>

We've talked about "juju forget-environment" as a way to get rid of a .jenv
without actually tearing down the environment.

John
=:->

