Vault

Learn about configurations >

• access_country_name | string

  The Vault charm will use this configuration option when requesting a certificate from a TLS provider using the tls-certificates-access charm relation interface. If not set, the Vault charm will request a certificate without this attribute.

• access_email_address | string

  The Vault charm will use this configuration option when requesting a certificate from a TLS provider using the tls-certificates-access charm relation interface. If not set, the Vault charm will request a certificate without this attribute.

• access_locality_name | string

  The Vault charm will use this configuration option when requesting a certificate from a TLS provider using the tls-certificates-access charm relation interface. If not set, the Vault charm will request a certificate without this attribute.

• access_organization | string

  The Vault charm will use this configuration option when requesting a certificate from a TLS provider using the tls-certificates-access charm relation interface. If not set, the Vault charm will request a certificate without this attribute.

• access_organizational_unit | string

  The Vault charm will use this configuration option when requesting a certificate from a TLS provider using the tls-certificates-access charm relation interface. If not set, the Vault charm will request a certificate without this attribute.

• access_sans_dns | string

  The Vault charm will use this configuration option when requesting a certificate from a TLS provider using the tls-certificates-access charm relation interface. If not set, the Vault charm will automatically generate subject alternative names.

• access_state_or_province_name | string

  The Vault charm will use this configuration option when requesting a certificate from a TLS provider using the tls-certificates-access charm relation interface. If not set, the Vault charm will request a certificate without this attribute.

• acme_allow_any_name | boolean

  Allow the ACME server of Vault to issue certificates for any domain name. The Vault charm will use this configuration option in the context of acting as an intermediate CA.

• acme_allow_ip_sans | boolean

  Allow the ACME server of Vault to issue certificates with IP Subject Alternative Names. The Vault charm will use this configuration option in the context of acting as an intermediate CA.

• acme_allow_subdomains | boolean

  Specifies if clients can request certificates with common names that are subdomains of the common name in the allowed_domains list. This includes wildcard subdomains. For example, an allowed_domains value of example.com with this option set to true will allow foo.example.com and fou.bar.example.com as well as *.example.com.

• acme_allow_wildcard_certificates | boolean

  Default: True

  Specifies if clients can request certificates certificates with RFC 6125 wildcards in the CN field. When set to False, Vault will not issue wildcards, even if they would've been allowed by another option. Vault supports the following four wildcard types: - *.example.com: a single wildcard as the entire left-most label - foo*.example.com: a single suffixed wildcard in the left-most label - *foo.example.com: a single prefixed wildcard in the left-most label - f*o.example.com: a single interior wildcard in the left-most label

• acme_allowed_domains | string

  A comma-separated list of domain names for which the Vault charm can sign certificates. The Vault charm will use this configuration option in the context of acting as an intermediate CA. Certificate requests for clients using the ACME server of Vault will need to use a domain name from this list.

• acme_ca_common_name | string

  The Vault charm will use this configuration option when requesting a CA certificate from a TLS provider using the tls-certificates-acme charm relation interface. Requirers using the ACME server of Vault will receive signed certificates from that CA. This option is required when using the tls-certificates-acme charm relation interface.

• acme_ca_country_name | string

  The Vault charm will use this configuration option when requesting a CA certificate from a TLS provider using the tls-certificates-acme charm relation interface. Requirers using the ACME server of Vault will receive signed certificates from that CA. If not set, the Vault charm will request a CA certificate without this attribute.

• acme_ca_email_address | string

  The Vault charm will use this configuration option when requesting a CA certificate from a TLS provider using the tls-certificates-acme charm relation interface. Requirers using the ACME server of Vault will receive signed certificates from that CA. If not set, the Vault charm will request a CA certificate without this attribute.

• acme_ca_locality_name | string

  The Vault charm will use this configuration option when requesting a CA certificate from a TLS provider using the tls-certificates-acme charm relation interface. Requirers using the ACME server of Vault will receive signed certificates from that CA. If not set, the Vault charm will request a CA certificate without this attribute.

• acme_ca_organization | string

  The Vault charm will use this configuration option when requesting a CA certificate from a TLS provider using the tls-certificates-acme charm relation interface. Requirers using the ACME server of Vault will receive signed certificates from that CA. If not set, the Vault charm will request a CA certificate without this attribute.

• acme_ca_organizational_unit | string

  The Vault charm will use this configuration option when requesting a CA certificate from a TLS provider using the tls-certificates-acme charm relation interface. Requirers using the ACME server of Vault will receive signed certificates from that CA. If not set, the Vault charm will request a CA certificate without this attribute.

• acme_ca_sans_dns | string

  Comma-separated list of DNS names for the CA certificate. The Vault charm will use this configuration option when requesting a CA certificate from a TLS provider using the tls-certificates-acme charm relation interface. Requirers using the ACME server of Vault will receive signed certificates from that CA. If not set, the Vault charm will automatically generate subject alternative names.

• acme_ca_state_or_province_name | string

  The Vault charm will use this configuration option when requesting a CA certificate from a TLS provider using the tls-certificates-acme charm relation interface. Requirers using the ACME server of Vault will receive signed certificates from that CA. If not set, the Vault charm will request a CA certificate without this attribute.

• acme_country | string

  This value specifies the C (Country) value in the Subject field of the certificate issued by Vault ACME. If not set the issued certificate will not have a C value in the Subject field.

• acme_locality | string

  This value specifies the L (Locality) value in the Subject field of the certificate issued by Vault PKI. If not set the issued certificate will not have an L value in the Subject field.

• acme_organization | string

  This value specifies the O (Organization) value in the Subject field of the certificate issued by Vault ACME. If not set the issued certificate will not have an O value in the Subject field.

• acme_organizational_unit | string

  This value specifies the OU (Organizational Unit) value in the Subject field of the certificate issued by Vault ACME. If not set the issued certificate will not have an OU value in the Subject field.

• acme_province | string

  This value specifies the ST (State or Province) value in the Subject field of the certificate issued by Vault ACME. If not set the issued certificate will not have a ST value in the Subject field.

• cpu-limit | string

  K8s cpu resource limit, e.g. "1" or "500m". Default is unset (no limit). If you set a limit below the request, the limit will be automatically raised to the request. If you set a limit above the request, that limit is used while the request remains unchanged. See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ Using this option requires the juju trust status of the charm to be set to True.

• cpu-request | string

  K8s cpu resource request, e.g. "750m". Default is unset (no request). See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ Using this option requires the juju trust status of the charm to be set to True.

• default_lease_ttl | string

  Default: 168h

  Specifies the default lease duration for Vault's tokens and secrets.

• log_level | string

  Default: info

  The log verbosity level. Supported values (in order of descending detail) are trace, debug, info, warn, and error.

• max_lease_ttl | string

  Default: 720h

  Specifies the maximum possible lease duration for Vault's tokens and secrets.

• memory-limit | string

  K8s memory resource limit, e.g. "1Gi". Default is unset (no limit). If you set a limit below the request, the limit will be automatically raised to the request. If you set a limit above the request, that limit is used while the request remains unchanged. See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ Using this option requires the juju trust status of the charm to be set to True.

• memory-request | string

  K8s memory resource request, e.g. "1.5Gi". Default is unset (no request). See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ Using this option requires the juju trust status of the charm to be set to True.

• pki_allow_any_name | boolean

  Allow the Vault charm to sign certificates coming from the vault-pki integration for any domain name. The Vault charm will use this configuration option in the context of acting as an intermediate CA.

• pki_allow_ip_sans | boolean

  Allow the Vault charm to sign requests with IP Subject Alternative Names. The Vault charm will use this configuration option in the context of acting as an intermediate CA.

• pki_allow_subdomains | boolean

  Specifies if clients can request certificates with common names that are subdomains of the common name in the allowed_domains list. This includes wildcard subdomains. For example, an allowed_domains value of example.com with this option set to true will allow foo.example.com and fou.bar.example.com as well as *.example.com.

• pki_allow_wildcard_certificates | boolean

  Default: True

  Specifies if clients can request certificates certificates with RFC 6125 wildcards in the CN field. When set to False, Vault will not issue wildcards, even if they would've been allowed by another option. Vault supports the following four wildcard types: - *.example.com: a single wildcard as the entire left-most label - foo*.example.com: a single suffixed wildcard in the left-most label - *foo.example.com: a single prefixed wildcard in the left-most label - f*o.example.com: a single interior wildcard in the left-most label

• pki_allowed_domains | string

  A comma-separated list of domain names for which the Vault charm can sign certificates. The Vault charm will use this configuration option in the context of acting as an intermediate CA. Certificate requests for charms integrating with Vault using the vault-pki integration will need to use a domain name from this list.

• pki_ca_common_name | string

  The Vault charm will use this configuration option when requesting a CA certificate from a TLS provider using the tls-certificates-pki charm relation interface. Charms integrating to Vault using the vault-pki charm relation interface will receive signed certificates from that CA. This option is required when using the tls-certificates-pki charm relation interface.

• pki_ca_country_name | string

  The Vault charm will use this configuration option when requesting a CA certificate from a TLS provider using the tls-certificates-pki charm relation interface. Charms integrating to Vault using the vault-pki charm relation interface will receive signed certificates from that CA. If not set, the Vault charm will request a CA certificate without this attribute.

• pki_ca_email_address | string

  The Vault charm will use this configuration option when requesting a CA certificate from a TLS provider using the tls-certificates-pki charm relation interface. Charms integrating to Vault using the vault-pki charm relation interface will receive signed certificates from that CA. If not set, the Vault charm will request a CA certificate without this attribute.

• pki_ca_locality_name | string

  The Vault charm will use this configuration option when requesting a CA certificate from a TLS provider using the tls-certificates-pki charm relation interface. Charms integrating to Vault using the vault-pki charm relation interface will receive signed certificates from that CA. If not set, the Vault charm will request a CA certificate without this attribute.

• pki_ca_organization | string

  The Vault charm will use this configuration option when requesting a CA certificate from a TLS provider using the tls-certificates-pki charm relation interface. Charms integrating to Vault using the vault-pki charm relation interface will receive signed certificates from that CA. If not set, the Vault charm will request a CA certificate without this attribute.

• pki_ca_organizational_unit | string

  The Vault charm will use this configuration option when requesting a CA certificate from a TLS provider using the tls-certificates-pki charm relation interface. Charms integrating to Vault using the vault-pki charm relation interface will receive signed certificates from that CA. If not set, the Vault charm will request a CA certificate without this attribute.

• pki_ca_sans_dns | string

  Comma-separated list of DNS names for the CA certificate. The Vault charm will use this configuration option when requesting a CA certificate from a TLS provider using the tls-certificates-pki charm relation interface. Charms integrating to Vault using the vault-pki charm relation interface will receive signed certificates from that CA. If not set, the Vault charm will automatically generate subject alternative names.

• pki_ca_state_or_province_name | string

  The Vault charm will use this configuration option when requesting a CA certificate from a TLS provider using the tls-certificates-pki charm relation interface. Charms integrating to Vault using the vault-pki charm relation interface will receive signed certificates from that CA. If not set, the Vault charm will request a CA certificate without this attribute.

• pki_country | string

  This value specifies the C (Country) value in the Subject field of the certificate issued by Vault PKI. If not set the issued certificate will not have a C value in the Subject field.

• pki_locality | string

  This value specifies the L (Locality) value in the Subject field of the certificate issued by Vault PKI. If not set the issued certificate will not have an L value in the Subject field.

• pki_organization | string

  This value specifies the O (Organization) value in the Subject field of the certificate issued by Vault PKI. If not set the issued certificate will not have an O value in the Subject field.

• pki_organizational_unit | string

  This value specifies the OU (Organizational Unit) value in the Subject field of the certificate issued by Vault PKI. If not set the issued certificate will not have an OU value in the Subject field.

• pki_province | string

  This value specifies the ST (State or Province) value in the Subject field of the certificate issued by Vault PKI. If not set the issued certificate will not have a ST value in the Subject field.