This means that users with an account that Candid recognizes
can access the controller as long as they have appropriate
permissions granted. Note that Candid usernames are given
an @external suffix to distinguish them from controller-local usernames.
Note that identity-url can only be set at bootstrap time and cannot be changed later.
The allow-model-access=true setting allows users to access models
that they've been granted access to even when they haven't explicitly
been granted access to the controller itself.
CONTROLLER=jujucharms-eu-west-2
CLOUD=aws/eu-west-2
juju bootstrap \
$CLOUD $CONTROLLER \
--config 'allow-model-access=true' \
--config 'identity-url=https://api.jujucharms.com/identity'
This sets up the controller to use autocert TLS certificates for a domain name that you control. Add the identity-url config option above to enable Candid authentication as well as HTTPS access.
CONTROLLER=jujucharms-eu-west-2
CLOUD=aws/eu-west-2
DNSNAME=my.dnsname.com
juju bootstrap \
$CLOUD $CONTROLLER \
--config "autocert-dns-name=$DNSNAME"
Wait for the controller to bootstrap.
juju show-controller
This prints something like:
jaas:
  details:
    controller-uuid: a030379a-940f-4760-8fcf-3062b41a04e7
    api-endpoints: ['52.59.221.52:443', '172.31.16.36:443']
    ca-cert: ""
    cloud: ""
    agent-version: (not implemented)
  models: etc
Take the host addresses shown in the api-endpoints field
(without the :443 port suffixes) and in your DNS service provider
change $DNSNAME to refer to them.
Users should then be able to access your controller by doing the following (no other setup required):
juju login $DNSNAME
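A check to run before telling users to log in, as an added example that is not part of the Juju documentation: it takes the api-endpoints hosts from juju show-controller output and confirms that every address $DNSNAME resolves to is one of them, so that juju login $DNSNAME cannot land on a stale or unexpected host. The function names endpoint_hosts and check_dns and the sample output are constructed for illustration, and dig is an assumed resolver tool.

```shell
#!/bin/sh
# Added example (not from the Juju documentation). Function names are hypothetical.

# Print the hosts from the api-endpoints line of `juju show-controller`
# output (read on stdin), one per line, with the :port suffix removed.
# Handles IPv4 addresses and hostnames in the list form shown above.
endpoint_hosts() {
    sed -n 's/^[[:space:]]*api-endpoints:[[:space:]]*//p' |
        sed "s/[]['\" ]//g" |
        tr ',' '\n' |
        sed -e 's/:[0-9][0-9]*$//' -e '/^$/d'
}

# check_dns "<addresses the DNS name resolves to>" < show-controller output
# Returns 0 only if every resolved address is one of the controller's API hosts.
check_dns() {
    resolved=$1
    hosts=$(endpoint_hosts)
    if [ -z "$resolved" ]; then
        echo "no address records found"
        return 2
    fi
    for addr in $resolved; do
        if ! printf '%s\n' "$hosts" | grep -qxF -- "$addr"; then
            echo "record $addr is not a controller endpoint"
            return 1
        fi
    done
    echo "ok"
}

# Constructed sample, modelled on the output shown above.
SAMPLE="jaas:
  details:
    api-endpoints: ['52.59.221.52:443', '172.31.16.36:443']"

printf '%s\n' "$SAMPLE" | endpoint_hosts
printf '%s\n' "$SAMPLE" | check_dns "52.59.221.52"
printf '%s\n' "$SAMPLE" | check_dns "52.59.221.52 203.0.113.7" || true

# Real use (assumes dig is installed; any resolver lookup works):
#   juju show-controller | check_dns "$(dig +short A "$DNSNAME")"
```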