Vault

Canonical Telco

Architecture:

Base version:

Channel	Revision	Published	Runs on
latest/edge	89	31 Jan 2024	Ubuntu 22.04 Ubuntu 20.04
latest/edge	9	27 Jan 2023	Ubuntu 22.04 Ubuntu 20.04
1.16/stable	280	04 Oct 2024	Ubuntu 22.04
1.16/candidate	280	04 Oct 2024	Ubuntu 22.04
1.16/beta	280	04 Oct 2024	Ubuntu 22.04
1.16/edge	313	20 Dec 2024	Ubuntu 22.04
1.15/stable	248	24 Jul 2024	Ubuntu 22.04
1.15/candidate	248	24 Jul 2024	Ubuntu 22.04
1.15/beta	248	24 Jul 2024	Ubuntu 22.04
1.15/edge	248	10 Jul 2024	Ubuntu 22.04

Learn to deploy on juju >

Platform:

charms.vault_k8s.v0.vault_client

Docstrings Source code
- Fetch library
  
  charmcraft fetch-lib charms.vault_k8s.v0.vault_client
  Download vault_client.py
- 02 Dec 2024
- Library version 0.23

Library for interacting with a Vault cluster.

This library shares operations that interact with Vault through its API. It is intended to be used by charms that need to manage a Vault cluster.

Index

class LogAdapter
- def process( self, msg, kwargs)
class Token
- def login( self, client)
class AppRole
- def login( self, client)
class AuthMethod
- def login( self, client)
class Certificate
class AuditDeviceType
class SecretsBackend
class VaultClientError
class VaultClient
- def __init__( self, url, ca_cert_path)
- def authenticate( self, auth_details)
- def token( self)
- def is_api_available( self)
- def is_initialized( self)
- def is_sealed( self)
- def read( self, path)
- def write( self, path, data)
- def list( self, path)
- def needs_migration( self)
- def get_seal_type( self)
- def is_seal_type_transit( self)
- def is_active( self)
- def is_active_or_standby( self)
- def enable_audit_device( self, device_type, path)
- def enable_approle_auth_method( self)
- def create_or_update_policy_from_file( self, name, path)
- def create_or_update_policy( self, name, content)
- def create_or_update_approle( self, name, token_ttl, token_max_ttl, policies, cidrs, token_period)
- def generate_role_secret_id( self, name, cidrs)
- def read_role_secret( self, name, id)
- def enable_secrets_engine( self, backend_type, path)
- def disable_secrets_engine( self, path)
- def get_intermediate_ca( self, mount)
- def import_ca_certificate_and_key( self, mount, certificate, private_key)
- def sign_pki_certificate_signing_request( self, mount, role, csr, common_name, ttl)
- def create_or_update_pki_charm_role( self, role, allowed_domains, max_ttl, mount)
- def is_pki_role_created( self, role, mount)
- def create_snapshot( self)
- def restore_snapshot( self, snapshot)
- def get_raft_cluster_state( self)
- def is_raft_cluster_healthy( self)
- def remove_raft_node( self, id)
- def is_node_in_raft_peers( self, id)
- def get_num_raft_peers( self)
- def is_common_name_allowed_in_pki_role( self, role, mount, common_name)
- def get_role_max_ttl( self, role, mount)
- def make_latest_pki_issuer_default( self, mount)
- def create_transit_key( self, mount_point, key_name)
- def delete_role( self, name)
- def delete_policy( self, name)
def generate_pem_bundle( certificate, private_key )

Description

Adapter for the logger to prepend a prefix to all log lines. None

Methods

LogAdapter. process( self , msg , kwargs )

Description

Decides the format for the prepended text. None

Description

This method is the most basic and always available method to access vault.

Methods

Token. login( self , client )

Description

Authenticate a vault client with a token. None

Description

This method is primarily used to authenticate automation programs for vault.

Methods

AppRole. login( self , client )

Description

Authenticate a vault client with approle details. None

Description

Classes that implement a login method are auth methods used to log in to Vault. None

Methods

AuthMethod. login( self , client )

Description

Class that represents a certificate generated by the PKI secrets engine. None

Description

Class that represents the devices that vault supports as device types for audit. None

Description

Class that represents the supported secrets backends by Vault. None

Description

Base class for exceptions raised by the Vault client. None

Description

Class to interact with Vault through its API. None

Methods

VaultClient. __init__( self , url: str , ca_cert_path )

VaultClient. authenticate( self , auth_details: AuthMethod )

Find and use the token related with the given auth method.

Returns

bool

True if the authentication was successful and the token was accepted by vault.

VaultClient. token( self )

Description

Return the token used to authenticate with Vault. None

VaultClient. is_api_available( self )

Description

Return whether Vault is available. None

VaultClient. is_initialized( self )

Description

Return whether Vault is initialized. None

VaultClient. is_sealed( self )

Description

Return whether Vault is sealed. None

VaultClient. read( self , path: str )

Description

Read the data at the given path. None

VaultClient. write( self , path: str , data: dict )

Description

Write the data at the given path. None

VaultClient. list( self , path: str )

Description

List the keys at the given path. None

VaultClient. needs_migration( self )

Description

Return true if the vault needs to be migrated, false otherwise. None

VaultClient. get_seal_type( self )

Description

Return the seal type of the Vault. None

VaultClient. is_seal_type_transit( self )

Description

Return whether Vault is sealed by the transit backend. None

VaultClient. is_active( self )

Return whether the Vault node is active or not.

Returns

True if initialized, unsealed and active, False otherwise.

VaultClient. is_active_or_standby( self )

Return the health status of Vault.

Returns

True if initialized, unsealed and active or standby, False otherwise.

VaultClient. enable_audit_device( self , device_type: AuditDeviceType , path: str )

Enable a new audit device at the supplied path if it isn't already enabled.

Arguments

device_type

One of three available device types

path

The path that will receive audit logs

VaultClient. enable_approle_auth_method( self )

Description

Enable approle auth method if it isn't already enabled. None

VaultClient. create_or_update_policy_from_file( self , name: str , path: str )

Create/update a policy within vault, using the file contents as the policy.

Arguments

name

Name of the policy to create

path

The path of the file where the policy is defined, ending with .hcl

**formatting_args

Additional arguments to format the policy

VaultClient. create_or_update_policy( self , name: str , content: str )

Create/update a policy within vault.

Arguments

name

Name of the policy to create

content

The policy content

VaultClient. create_or_update_approle( self , name: str , token_ttl , token_max_ttl , policies , cidrs , token_period )

Create/update a role within vault associating the supplied policies.

Arguments

name

Name of the role to be created or updated

policies

The attached list of policy names this approle will have access to

token_ttl

Incremental lifetime for generated tokens, provided as a duration string such as "5m"

token_max_ttl

Maximum lifetime for generated tokens, provided as a duration string such as "5m"

token_period

The period within which the token must be renewed. See Vault documentation for more information.

cidrs

The list of IP networks that are allowed to authenticate

VaultClient. generate_role_secret_id( self , name: str , cidrs )

Description

Generate a new secret tied to an AppRole. None

VaultClient. read_role_secret( self , name: str , id: str )

Description

Get definition of a secret tied to an AppRole. None

VaultClient. enable_secrets_engine( self , backend_type: SecretsBackend , path: str )

Description

Enable given secret engine on the given path. None

VaultClient. disable_secrets_engine( self , path: str )

Description

Disable the secret engine at the given path. None

VaultClient. get_intermediate_ca( self , mount: str )

Description

Get the intermediate CA for the PKI backend. None

VaultClient. import_ca_certificate_and_key( self , mount: str , certificate: str , private_key: str )

Description

Import the CA certificate and private key for the PKI backend. None

VaultClient. sign_pki_certificate_signing_request( self , mount: str , role: str , csr: str , common_name: str , ttl: str )

Sign a certificate signing request for the PKI backend.

Arguments

mount

The PKI mount point.

role

The role to use for signing the certificate.

csr

The certificate signing request.

common_name

The common name for the certificate.

ttl

The relative validity for the certificate. Should be a string in the format of a number with a unit such as "120m", "10h" or "90d".

Returns

Certificate

The signed certificate object

VaultClient. create_or_update_pki_charm_role( self , role: str , allowed_domains: str , max_ttl: str , mount: str )

Create a role for the PKI backend or update it if it already exists.

Arguments

role

The name of the role to create or update.

allowed_domains

The list of allowed domains for the role.

max_ttl

The maximum TTL for the role. It is also used by Vault as a maximum validity for the certificates issued by this role. Should be a string in the format of a number with a unit such as "120m", "10h" or "90d".

mount

The mount point of the PKI backend for which the role will be created.

VaultClient. is_pki_role_created( self , role: str , mount: str )

Description

Check if the role is created for the PKI backend. None

VaultClient. create_snapshot( self )

Description

Create a snapshot of the Vault data. None

VaultClient. restore_snapshot( self , snapshot: IOBase )

Restore a snapshot of the Vault data.

Description

Uses force_restore_raft_snapshot to restore the snapshot even if the unseal key used at backup time is different from the current one.

VaultClient. get_raft_cluster_state( self )

Description

Get raft cluster state. None

VaultClient. is_raft_cluster_healthy( self )

Description

Check if raft cluster is healthy. None

VaultClient. remove_raft_node( self , id: str )

Description

Remove raft peer. None

VaultClient. is_node_in_raft_peers( self , id: str )

Description

Check if node is in raft peers. None

VaultClient. get_num_raft_peers( self )

Description

Return the number of raft peers. None

VaultClient. is_common_name_allowed_in_pki_role( self , role: str , mount: str , common_name: str )

Description

Return whether the provided common name is in the list of domains allowed by the specified PKI role. None

VaultClient. get_role_max_ttl( self , role: str , mount: str )

Description

Get the max ttl for the specified PKI role in seconds. None

VaultClient. make_latest_pki_issuer_default( self , mount: str )

Description

Update the issuers config to always make the latest issuer created default issuer. None

VaultClient. create_transit_key( self , mount_point: str , key_name: str )

Description

Create a new key in the transit backend. None

VaultClient. delete_role( self , name: str )

Description

Delete the approle with the given name. None

VaultClient. delete_policy( self , name: str )

Description

Delete the policy with the given name. None

Description

Generate a PEM bundle from a certificate and private key. None

Vault

charms.vault_k8s.v0.vault_client

class LogAdapter

class Token

class AppRole

class AuthMethod

class Certificate

class AuditDeviceType

class SecretsBackend

class VaultClientError

class VaultClient

def generate_pem_bundle( certificate: str, private_key: str )

def generate_pem_bundle(
certificate: str,
private_key: str
)