Vault

  • Canonical Telco
Channel Revision Published Runs on
latest/edge 89 31 Jan 2024
Ubuntu 22.04 Ubuntu 20.04
latest/edge 9 27 Jan 2023
Ubuntu 22.04 Ubuntu 20.04
1.16/stable 280 04 Oct 2024
Ubuntu 22.04
1.16/candidate 280 04 Oct 2024
Ubuntu 22.04
1.16/beta 280 04 Oct 2024
Ubuntu 22.04
1.16/edge 313 20 Dec 2024
Ubuntu 22.04
1.15/stable 248 24 Jul 2024
Ubuntu 22.04
1.15/candidate 248 24 Jul 2024
Ubuntu 22.04
1.15/beta 248 24 Jul 2024
Ubuntu 22.04
1.15/edge 248 10 Jul 2024
Ubuntu 22.04
juju deploy vault-k8s --channel 1.16/stable
Show information

Platform:

charms.vault_k8s.v0.vault_autounseal

Library for the vault-autounseal relation.

This library contains the Requires and Provides classes for handling the vault-autounseal interface.

The provider side of the interface is responsible for enabling the vault transit engine and creating the necessary keys and policies for an external vault to be able to autounseal itself.

The requirer side of the interface is responsible for retrieving the necessary details to autounseal the vault instance, and configuring the vault instance to use them.

Getting Started

From a charm directory, fetch the library using charmcraft:

charmcraft fetch-lib charms.vault_k8s.v0.vault_autounseal
Provider charm

The provider charm is the charm that provides a Vault instance that can be used to autounseal other Vault instances via the Vault transit backend.

Add the following to metadata.yaml:

provides:
  vault-autounseal-provides:
    interface: vault-autounseal
Requirer charm

The requirer charm is the charm that wishes to autounseal a Vault instance via the Vault transit backend.

Add the following to metadata.yaml:

requires:
  vault-autounseal-requires:
    interface: vault-autounseal
    limit: 1
Integration

You can integrate both charms by running:

juju integrate <vault a>:vault-autounseal-provides <vault b>:vault-autounseal-requires

where vault a is the Vault app which will provide the autounseal service, and vault b is the Vault app which will be configured for autounseal via vault a.


class LogAdapter

Description

Adapter for the logger to prepend a prefix to all log lines. None

Methods

LogAdapter. process( self , msg: str , kwargs: MutableMapping )

Description

Prepend the prefix to the log message. None

class VaultAutounsealProviderSchema

Description

Provider side of the vault-autounseal relation interface. None

class ProviderSchema

Description

The schema for the provider side of this interface. None

class VaultAutounsealDetailsReadyEvent

Description

Event emitted on the requirer when Vault autounseal details are ready in the databag. None

Methods

VaultAutounsealDetailsReadyEvent. __init__( self , handle: Handle , address: str , mount_path: str , key_name: str , role_id: str , secret_id: str , ca_certificate: str )

VaultAutounsealDetailsReadyEvent.

Arguments

handle

ops.Handle

address

The address of the Vault server to connect to.

mount_path

The path to the transit engine mount point where the key is stored.

key_name

The name of the transit key to use for autounseal.

role_id

Approle role ID.

secret_id

Approle secret ID.

ca_certificate

The CA certificate to use when validating the Vault server's certificate.

VaultAutounsealDetailsReadyEvent. snapshot( self )

Description

Return snapshot data that should be persisted. None

VaultAutounsealDetailsReadyEvent. restore( self , snapshot )

Description

Restore the event from a snapshot. None

class VaultAutounsealProviderRemoved

Description

Event emitted when the vault that provided autounseal capabilities is removed. None

class VaultAutounsealRequirerRelationCreated

Description

Event emitted when Vault autounseal should be initialized for a new application. None

Methods

VaultAutounsealRequirerRelationCreated. __init__( self , handle: Handle , relation: Relation )

VaultAutounsealRequirerRelationCreated. snapshot( self )

Description

Return snapshot data that should be persisted. None

VaultAutounsealRequirerRelationCreated. restore( self , snapshot )

Description

Restore the event from a snapshot. None

class VaultAutounsealRequirerRelationBroken

Description

Event emitted on the Provider when a relation to a Requirer is broken. None

Methods

VaultAutounsealRequirerRelationBroken. __init__( self , handle: Handle , relation: Relation )

VaultAutounsealRequirerRelationBroken. snapshot( self )

Description

Return snapshot data that should be persisted. None

VaultAutounsealRequirerRelationBroken. restore( self , snapshot )

Description

Restore the event from a snapshot. None

class VaultAutounsealProvidesEvents

Description

Events raised by the vault-autounseal relation on the provider side. None

class VaultAutounsealRequireEvents

Description

Events raised by the vault-autounseal relation on the requirer side. None

class AutounsealDetails

Description

The details required to autounseal a vault instance. None

class VaultAutounsealProvides

Description

Manages the vault-autounseal relation from the provider side. None

Methods

VaultAutounsealProvides. __init__( self , charm: CharmBase , relation_name: str )

VaultAutounsealProvides. set_autounseal_data( self , relation: Relation , vault_address: str , mount_path: str , key_name: str , approle_role_id: str , approle_secret_id: str , ca_certificate: str )

Set the autounseal data in the relation databag.

Description

Args: relation: The Juju relation to set the autounseal data in. vault_address: The address of the Vault server which will be used for autounseal mount_path: The path to the transit engine mount point where the key is stored. key_name: The name of the transit key to use for autounseal. approle_role_id: The AppRole Role ID to use when authenticating with the external Vault server. approle_secret_id: The AppRole Secret ID to use when authenticating with the external Vault server. ca_certificate: The CA certificate to use when validating the external Vault server's certificate.

Raises: TransientJujuError SecretValidationError ValueError

VaultAutounsealProvides. get_relations_without_credentials( self , relation_id )

Description

Get the relations which do not have credentials for auto-unseal. None

class VaultAutounsealRequires

Description

Manages the vault-autounseal relation from the requirer side. None

Methods

VaultAutounsealRequires. __init__( self , charm: CharmBase , relation_name: str )

VaultAutounsealRequires. get_details( self )

Return the vault address, role id, secret id and ca certificate from the relation databag.

Description

Returns: An AutounsealDetails object if the data is valid, None otherwise.

Raises: RuntimeError: If the requirer is related to more than one provider. TransientJujuError