Vault

Canonical Telco

Architecture:

Base version:

Channel	Revision	Published	Runs on
latest/edge	89	31 Jan 2024	Ubuntu 22.04 Ubuntu 20.04
latest/edge	9	27 Jan 2023	Ubuntu 22.04 Ubuntu 20.04
1.16/stable	280	04 Oct 2024	Ubuntu 22.04
1.16/candidate	280	04 Oct 2024	Ubuntu 22.04
1.16/beta	280	04 Oct 2024	Ubuntu 22.04
1.16/edge	291	19 Nov 2024	Ubuntu 22.04
1.15/stable	248	24 Jul 2024	Ubuntu 22.04
1.15/candidate	248	24 Jul 2024	Ubuntu 22.04
1.15/beta	248	24 Jul 2024	Ubuntu 22.04
1.15/edge	248	10 Jul 2024	Ubuntu 22.04

Learn to deploy on juju >

Platform:

charms.vault_k8s.v0.vault_autounseal

Docstrings Source code

Library for the vault-autounseal relation.

This library contains the Requires and Provides classes for handling the vault-autounseal interface.

The provider side of the interface is responsible for enabling the vault transit engine and creating the necessary keys and policies for an external vault to be able to autounseal itself.

The requirer side of the interface is responsible for retrieving the necessary details to autounseal the vault instance, and configuring the vault instance to use them.

Getting Started

From a charm directory, fetch the library using charmcraft:

charmcraft fetch-lib charms.vault_k8s.v0.vault_autounseal

Provider charm

The provider charm is the charm that provides a Vault instance that can be used to autounseal other Vault instances via the Vault transit backend.

Add the following to metadata.yaml:

provides:
  vault-autounseal-provides:
    interface: vault-autounseal

Requirer charm

The requirer charm is the charm that wishes to autounseal a Vault instance via the Vault transit backend.

Add the following to metadata.yaml:

requires:
  vault-autounseal-requires:
    interface: vault-autounseal
    limit: 1

Integration

You can integrate both charms by running:

juju integrate <vault a>:vault-autounseal-provides <vault b>:vault-autounseal-requires

where vault a is the Vault app which will provide the autounseal service, and vault b is the Vault app which will be configured for autounseal via vault a.

Index

class LogAdapter
- def process( self, msg, kwargs)
class VaultAutounsealProviderSchema
class ProviderSchema
class VaultAutounsealDetailsReadyEvent
- def __init__( self, handle, address, mount_path, key_name, role_id, secret_id, ca_certificate)
- def snapshot( self)
- def restore( self, snapshot)
class VaultAutounsealProviderRemoved
class VaultAutounsealRequirerRelationCreated
- def __init__( self, handle, relation)
- def snapshot( self)
- def restore( self, snapshot)
class VaultAutounsealRequirerRelationBroken
- def __init__( self, handle, relation)
- def snapshot( self)
- def restore( self, snapshot)
class VaultAutounsealProvidesEvents
class VaultAutounsealRequireEvents
class AutounsealDetails
class ApproleDetails
class VaultAutounsealProvides
- def __init__( self, charm, relation_name)
- def set_autounseal_data( self, relation, vault_address, mount_path, key_name, approle_role_id, approle_secret_id, ca_certificate)
- def get_outstanding_requests( self, relation_id)
- def get_active_relations( self, relation_id)
class VaultAutounsealRequires
- def __init__( self, charm, relation_name)
- def get_details( self)

Description

Adapter for the logger to prepend a prefix to all log lines. None

Methods

LogAdapter. process( self , msg , kwargs )

Description

Prepend the prefix to the log message. None

Description

Provider side of the vault-autounseal relation interface. None

Description

The schema for the provider side of this interface. None

Description

Event emitted on the requirer when Vault autounseal details are ready in the databag. None

Methods

VaultAutounsealDetailsReadyEvent. __init__( self , handle , address , mount_path , key_name , role_id , secret_id , ca_certificate )

VaultAutounsealDetailsReadyEvent.

Arguments

handle

ops.Handle

address

The address of the Vault server to connect to.

mount_path

The path to the transit engine mount point where the key is stored.

key_name

The name of the transit key to use for autounseal.

role_id

Approle role ID.

secret_id

Approle secret ID.

ca_certificate

The CA certificate to use when validating the Vault server's certificate.

VaultAutounsealDetailsReadyEvent. snapshot( self )

Description

Return snapshot data that should be persisted. None

VaultAutounsealDetailsReadyEvent. restore( self , snapshot )

Description

Restore the event from a snapshot. None

Description

Event emitted when the vault that provided autounseal capabilities is removed. None

Description

Event emitted when Vault autounseal should be initialized for a new application. None

Methods

VaultAutounsealRequirerRelationCreated. __init__( self , handle , relation )

VaultAutounsealRequirerRelationCreated. snapshot( self )

Description

Return snapshot data that should be persisted. None

VaultAutounsealRequirerRelationCreated. restore( self , snapshot )

Description

Restore the event from a snapshot. None

Description

Event emitted on the Provider when a relation to a Requirer is broken. None

Methods

VaultAutounsealRequirerRelationBroken. __init__( self , handle , relation )

VaultAutounsealRequirerRelationBroken. snapshot( self )

Description

Return snapshot data that should be persisted. None

VaultAutounsealRequirerRelationBroken. restore( self , snapshot )

Description

Restore the event from a snapshot. None

Description

Events raised by the vault-autounseal relation on the provider side. None

Description

Events raised by the vault-autounseal relation on the requirer side. None

Description

The details required to autounseal a vault instance. None

Description

The details required to authenticate with Vault using the approle auth method. None

Description

Manages the vault-autounseal relation from the provider side. None

Methods

VaultAutounsealProvides. __init__( self , charm , relation_name: str )

VaultAutounsealProvides. set_autounseal_data( self , relation , vault_address: str , mount_path: str , key_name: str , approle_role_id: str , approle_secret_id: str , ca_certificate: str )

Set the autounseal data in the relation databag.

Arguments

relation

The Juju relation to set the autounseal data in.

vault_address

The address of the Vault server which will be used for autounseal

mount_path

The path to the transit engine mount point where the key is stored.

key_name

The name of the transit key to use for autounseal.

approle_role_id

The AppRole Role ID to use when authenticating with the external Vault server.

approle_secret_id

The AppRole Secret ID to use when authenticating with the external Vault server.

ca_certificate

The CA certificate to use when validating the external Vault server's certificate.

VaultAutounsealProvides. get_outstanding_requests( self , relation_id )

Get the outstanding requests for the relation.

Description

This will retrieve any vault-autounseal relations that have not yet had credentials issued for them.

VaultAutounsealProvides. get_active_relations( self , relation_id )

Get all active relations on the relation name this class was initialized with.

Arguments

relation_id

The relation ID to filter by. If None, all active relations are returned.

Returns

A list of active relations.

Description

Manages the vault-autounseal relation from the requirer side. None

Methods

VaultAutounsealRequires. __init__( self , charm , relation_name: str )

VaultAutounsealRequires. get_details( self )

Return the vault address, role id, secret id and ca certificate from the relation databag.

Returns

An AutounsealDetails object if the data is valid, None otherwise.

Vault

charms.vault_k8s.v0.vault_autounseal

Getting Started

Provider charm

Requirer charm

Integration

class LogAdapter

class VaultAutounsealProviderSchema

class ProviderSchema

class VaultAutounsealDetailsReadyEvent

class VaultAutounsealProviderRemoved

class VaultAutounsealRequirerRelationCreated

class VaultAutounsealRequirerRelationBroken

class VaultAutounsealProvidesEvents

class VaultAutounsealRequireEvents

class AutounsealDetails

class ApproleDetails

class VaultAutounsealProvides

class VaultAutounsealRequires