Vault
- Canonical Telco
| Channel | Revision | Published | Runs on |
|---|---|---|---|
| latest/edge | 89 | 31 Jan 2024 | |
| latest/edge | 9 | 27 Jan 2023 | |
| 1.16/stable | 280 | 04 Oct 2024 | |
| 1.16/candidate | 280 | 04 Oct 2024 | |
| 1.16/beta | 280 | 04 Oct 2024 | |
| 1.16/edge | 286 | 18 Oct 2024 | |
| 1.15/stable | 248 | 24 Jul 2024 | |
| 1.15/candidate | 248 | 24 Jul 2024 | |
| 1.15/beta | 248 | 24 Jul 2024 | |
| 1.15/edge | 248 | 10 Jul 2024 |
juju deploy vault-k8s --channel 1.16/stable
Deploy Kubernetes operators easily with Juju, the Universal Operator Lifecycle Manager. Need a Kubernetes cluster? Install MicroK8s to create a full CNCF-certified Kubernetes system in under 60 seconds.
Platform:
charms.vault_k8s.v0.vault_client
-
- Last updated 18 Oct 2024
- Revision Library version 0.20
Library for interacting with a Vault cluster.
This library shares operations that interact with Vault through its API. It is intended to be used by charms that need to manage a Vault cluster.
Index
class LogAdapter
Description
Adapter for the logger to prepend a prefix to all log lines. None
Methods
LogAdapter. process( self , msg , kwargs )
Description
Decides the format for the prepended text. None
class Token
Class that represents token authentication for vault.
Description
This method is the most basic and always available method to access vault.
Methods
Token. login( self , client )
Description
Authenticate a vault client with a token. None
class AppRole
Class that represents approle authentication for vault.
Description
This method is primarily used to authenticate automation programs for vault.
Methods
AppRole. login( self , client )
Description
Authenticate a vault client with approle details. None
class AuthMethod
Description
Classes that implement a login method are auth methods used to log in to Vault. None
Methods
AuthMethod. login( self , client )
Description
Log in using the given method. None
class Certificate
Description
Class that represents a certificate generated by the PKI secrets engine. None
class AuditDeviceType
Description
Class that represents the devices that vault supports as device types for audit. None
class SecretsBackend
Description
Class that represents the supported secrets backends by Vault. None
class VaultClientError
Description
Base class for exceptions raised by the Vault client. None
class Vault
Description
Class to interact with Vault through its API. None
Methods
Vault. __init__( self , url: str , ca_cert_path )
Vault. authenticate( self , auth_details: AuthMethod )
Find and use the token related with the given auth method.
Returns
True if the authentication was successful and the token was accepted by vault.
Vault. token( self )
Description
Return the token used to authenticate with Vault. None
Vault. is_api_available( self )
Description
Return whether Vault is available. None
Vault. is_initialized( self )
Description
Return whether Vault is initialized. None
Vault. is_sealed( self )
Description
Return whether Vault is sealed. None
Vault. needs_migration( self )
Description
Return true if the vault needs to be migrated, false otherwise. None
Vault. get_seal_type( self )
Description
Return the seal type of the Vault. None
Vault. is_seal_type_transit( self )
Description
Return whether Vault is sealed by the transit backend. None
Vault. is_active( self )
Return whether the Vault node is active or not.
Returns
True if initialized, unsealed and active, False otherwise.
Vault. is_active_or_standby( self )
Return the health status of Vault.
Returns
True if initialized, unsealed and active or standby, False otherwise.
Vault. enable_audit_device( self , device_type: AuditDeviceType , path: str )
Enable a new audit device at the supplied path if it isn't already enabled.
Arguments
One of three available device types
The path that will receive audit logs
Vault. enable_approle_auth_method( self )
Description
Enable approle auth method if it isn't already enabled. None
Vault. configure_policy( self , policy_name: str , policy_path: str )
Create/update a policy within vault.
Arguments
Name of the policy to create
The path of the file where the policy is defined, ending with .hcl
Additional arguments to format the policy
Vault. configure_approle( self , role_name: str , token_ttl , token_max_ttl , policies , cidrs , token_period )
Create/update a role within vault associating the supplied policies.
Arguments
Name of the role to be created or updated
The attached list of policy names this approle will have access to
Incremental lifetime for generated tokens, provided as a duration string such as "5m"
Maximum lifetime for generated tokens, provided as a duration string such as "5m"
The period within which the token must be renewed. See Vault documentation for more information.
The list of IP networks that are allowed to authenticate
Vault. generate_role_secret_id( self , name: str , cidrs )
Description
Generate a new secret tied to an AppRole. None
Vault. read_role_secret( self , name: str , id: str )
Description
Get definition of a secret tied to an AppRole. None
Vault. enable_secrets_engine( self , backend_type: SecretsBackend , path: str )
Description
Enable given secret engine on the given path. None
Vault. disable_secrets_engine( self , path: str )
Description
Disable the secret engine at the given path. None
Vault. get_intermediate_ca( self , mount: str )
Description
Get the intermediate CA for the PKI backend. None
Vault. import_ca_certificate_and_key( self , mount: str , certificate: str , private_key: str )
Description
Import the CA certificate and private key for the PKI backend. None
Vault. sign_pki_certificate_signing_request( self , mount: str , role: str , csr: str , common_name: str , ttl: str )
Sign a certificate signing request for the PKI backend.
Arguments
The PKI mount point.
The role to use for signing the certificate.
The certificate signing request.
The common name for the certificate.
The relative validity for the certificate. Should be a string in the format of a number with a unit such as "120m", "10h" or "90d".
Returns
The signed certificate object
Vault. create_or_update_pki_charm_role( self , role: str , allowed_domains: str , max_ttl: str , mount: str )
Create a role for the PKI backend or update it if it already exists.
Arguments
The name of the role to create or update.
The list of allowed domains for the role.
The maximum TTL for the role. It is also used by Vault as a maximum validity for the certificates issued by this role. Should be a string in the format of a number with a unit such as "120m", "10h" or "90d".
The mount point of the PKI backend for which the role will be created.
Vault. is_pki_role_created( self , role: str , mount: str )
Description
Check if the role is created for the PKI backend. None
Vault. create_snapshot( self )
Description
Create a snapshot of the Vault data. None
Vault. restore_snapshot( self , snapshot: IOBase )
Restore a snapshot of the Vault data.
Description
Uses force_restore_raft_snapshot to restore the snapshot even if the unseal key used at backup time is different from the current one.
Vault. get_raft_cluster_state( self )
Description
Get raft cluster state. None
Vault. update_autopilot_config( self )
Set Vault to clean up dead servers automatically.
Description
Read more about it here: https://developer.hashicorp.com/vault/api-docs/system/storage/raftautopilot#set-configuration
Vault. is_raft_cluster_healthy( self )
Description
Check if raft cluster is healthy. None
Vault. remove_raft_node( self , node_id: str )
Description
Remove raft peer. None
Vault. is_node_in_raft_peers( self , node_id: str )
Description
Check if node is in raft peers. None
Vault. get_num_raft_peers( self )
Description
Return the number of raft peers. None
Vault. is_common_name_allowed_in_pki_role( self , role: str , mount: str , common_name: str )
Description
Return whether the provided common name is in the list of domains allowed by the specified PKI role. None
Vault. get_role_max_ttl( self , role: str , mount: str )
Description
Get the max ttl for the specified PKI role in seconds. None
Vault. make_latest_pki_issuer_default( self , mount: str )
Description
Update the issuers config to always make the latest issuer created default issuer. None
Vault. destroy_autounseal_credentials( self , relation_id: int , mount: str )
Description
Destroy the approle and transit key for the given relation id. None
Vault. create_autounseal_credentials( self , relation_id: int , mount: str , policy_path: str )
Create auto-unseal credentials for the given relation id.
Arguments
The Juju relation id to use for the approle.
The mount point for the transit backend.
Path to a file that contains the autounseal policy.
Returns
A tuple containing the Role Id, Secret Id and Key Name.
def
generate_pem_bundle(
certificate: str,
private_key: str
)
Description
Generate a PEM bundle from a certificate and private key. None