canonical · ale8k · Oct 16, 2024 · Oct 16, 2024 · Oct 16, 2024 · Oct 16, 2024
diff --git a/.custom_wordlist.txt b/.custom_wordlist.txt
@@ -119,4 +119,4 @@ webhook
 Websocket
 Xbox
 XSRF
-YAML
+YAML
diff --git a/how-to/index.rst b/how-to/index.rst
@@ -31,3 +31,12 @@ Observability
    :maxdepth: 1
 
    Integrate with the Canonical Observability Stack <integrate_with_cos>
+
+Security
+--------
+
+.. toctree::
+   :maxdepth: 1
+
+   Harden JIMM deployment <security_hardening>
+   Setup Ingress with TLS <setup_ingress_with_tls>
diff --git a/how-to/security_hardening.rst b/how-to/security_hardening.rst
@@ -0,0 +1,65 @@
+JAAS: Security Hardening
+========================
+JIMM, the service at the centre of JAAS can be hardened in a number of ways. This 
+document details how you can harden the security of your JAAS deployment. 
+
+.. hint::  
+    As a reference on JAAS security overview, check out :doc:`this <../reference/security>` topic. 
+
+CORS
+----
+Cross-Origin Resource Sharing (`CORS <https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS>`__) 
+is an HTTP-header based mechanism that allows a server to indicate any origins (domain, scheme, or port) 
+other than its own from which a browser should permit loading resources. CORS also relies on 
+a mechanism by which browsers make a "pre-flight" request to the server hosting the cross-origin 
+resource, in order to check that the server will permit the actual request. In that pre-flight, 
+the browser sends headers that indicate the HTTP method and headers that will be used in the 
+actual request.
+
+To set CORS on JIMM, use the configuration option ``cors-allowed-origins``.
+
+Ingress TLS
+-----------
+Please refer :doc:`here <../how-to/setup_ingress_with_tls>`.
+
+Identity Provider
+-----------------
+JAAS uses the Canonical Identity Platform for authentication. The communication between JAAS
+and the Identity Platform can be secured via TLS.
+
+You will require the Identity Platform and the ``self-signed-certificates`` charm deployed.
+See `here <https://charmhub.io/topics/canonical-identity-platform/tutorials/e2e-tutorial>`__ for deploying the identity platform. 
+
+Your Identity Platform will require TLS enabled via the `self-signed certificates charm <https://charmhub.io/self-signed-certificates>`__.
+
+Using JIMM's ``receive-ca-cert integration``, you can now relate to the self-signed-certificates charm
+to enabled TLS between the identity platform and JIMM.
+
+OpenFGA
+-------
+JIMM uses OpenFGA for authorisation and currently, the OpenFGA charm does not support TLS. See `here <https://charmhub.io/openfga-k8s>`__.
+
+Vault
+-----
+TLS is enabled by default when communicating with the Vault charm. See `here <https://charmhub.io/vault?channel=1.16/stable>`__.    
+
+JIMM uses Vault for storing cloud credentials, JWKS, and other secrets.
+
+Juju Controllers
+----------------
+TLS is enabled by default when communicating with controllers.
+
+When adding a Juju controller to JIMM, the self-signed certificate of the controller is given to
+JIMM.
+
+.. hint::  
+    Checkout :doc:`this <../how-to/add_controller>` topic for adding controllers to JAAS. 
+
+
+PostgreSQL
+----------
+JIMM uses PostgreSQL as its persistent storage layer. The communication with PostgreSQL can be encrypted
+via TLS. To enable TLS for charmed PostgreSQL you can follow this `guide <https://charmhub.io/postgresql-k8s/docs/t-enable-tls?channel=14/stable>`__.
+
+.. hint::  
+    As of October 2024, you need to manually restart JIMM if you enable TLS on PostgreSQL after having related the JIMM and PostgreSQL charms.  
diff --git a/how-to/setup_ingress_with_tls.rst b/how-to/setup_ingress_with_tls.rst
@@ -0,0 +1,13 @@
+JAAS: Setup Ingress with TLS
+============================
+The NGINX Ingress Integrator is a a charm responsible for creating Kubernetes ingress rules, 
+these rules can be hardened via TLS and the charm provides a means to do so. See `here <https://charmhub.io/nginx-ingress-integrator>`__.
+
+Our LEGO charms provide certificates for charms from a desired ACME server and can be integrated
+with the integrator to enable TLS at the ingress level. See `here <https://charmhub.io/httprequest-lego-k8s>`__.
+
+You will require a domain that your ACME is aware of and an NGINX ingress controller installed
+on your Kubernetes cluster.
+
+With JAAS deployed, you can deploy both LEGO and the integrator, and integrate your LEGO charm deployment
+to your ingress integrator, and then the ingress integrator to JIMM to enable TLS ingress for your deployment.
-Original file line number
+Diff line change
@@ Expand Up / @@ -119,4 +119,4 @@ webhook @@
     Websocket
     Xbox
     XSRF
-    YAML
+    YAML