Vault

Canonical Telco

Channel         Revision  Published     Runs on
latest/edge     89        31 Jan 2024   Ubuntu 22.04, Ubuntu 20.04
latest/edge     9         27 Jan 2023   Ubuntu 22.04, Ubuntu 20.04
1.16/stable     280       04 Oct 2024   Ubuntu 22.04
1.16/candidate  280       04 Oct 2024   Ubuntu 22.04
1.16/beta       280       04 Oct 2024   Ubuntu 22.04
1.16/edge       286       18 Oct 2024   Ubuntu 22.04
1.15/stable     248       24 Jul 2024   Ubuntu 22.04
1.15/candidate  248       24 Jul 2024   Ubuntu 22.04
1.15/beta       248       24 Jul 2024   Ubuntu 22.04
1.15/edge       248       10 Jul 2024   Ubuntu 22.04

juju deploy vault-k8s --channel 1.16/stable

charms.vault_k8s.v0.vault_client

Library for interacting with a Vault cluster.

This library provides the operations that interact with Vault through its API. It is intended to be used by charms that need to manage a Vault cluster.


Index

class LogAdapter

Description

Adapter for the logger that prepends a prefix to every log line.

Methods

LogAdapter.process(self, msg, kwargs)

Description

Decides the format of the prepended text.

class Token

Class that represents token authentication for Vault.

Description

Token authentication is the most basic method of accessing Vault and is always available.

Methods

Token.login(self, client)

Description

Authenticate a Vault client with a token.

class AppRole

Class that represents AppRole authentication for Vault.

Description

This method is primarily used to authenticate automation programs to Vault.

Methods

AppRole.login(self, client)

Description

Authenticate a Vault client with AppRole details.

class AuthMethod

Description

Classes that implement a login method are auth methods used to log in to Vault.

Methods

AuthMethod.login(self, client)

Description

Log in using the given method.

class Certificate

Description

Class that represents a certificate generated by the PKI secrets engine.

class AuditDeviceType

Description

Class that represents the device types Vault supports for audit devices.

class SecretsBackend

Description

Class that represents the secrets backends supported by Vault.

class VaultClientError

Description

Base class for exceptions raised by the Vault client.

class Vault

Description

Class to interact with Vault through its API.

Methods

Vault.__init__(self, url: str, ca_cert_path)

Vault.authenticate(self, auth_details: AuthMethod)

Obtain and use the token associated with the given auth method.

Returns

bool

True if the authentication succeeded and the token was accepted by Vault.

Vault.token(self)

Description

Return the token used to authenticate with Vault.

Vault.is_api_available(self)

Description

Return whether the Vault API is reachable.

Vault.is_initialized(self)

Description

Return whether Vault is initialized.

Vault.is_sealed(self)

Description

Return whether Vault is sealed.

Vault.needs_migration(self)

Description

Return True if the Vault needs to be migrated, False otherwise.

Vault.get_seal_type(self)

Description

Return the seal type of the Vault.

Vault.is_seal_type_transit(self)

Description

Return whether Vault is sealed using the transit backend.

Vault.is_active(self)

Return whether the Vault node is active.

Returns

True if initialized, unsealed and active, False otherwise.

Vault.is_active_or_standby(self)

Return the health status of Vault.

Returns

True if initialized, unsealed and either active or standby, False otherwise.

Vault.enable_audit_device(self, device_type: AuditDeviceType, path: str)

Enable a new audit device at the supplied path if it isn't already enabled.

Arguments

device_type

One of the three available device types

path

The path that will receive audit logs

Vault.enable_approle_auth_method(self)

Description

Enable the AppRole auth method if it isn't already enabled.

Vault.configure_policy(self, policy_name: str, policy_path: str, **formatting_args)

Create or update a policy within Vault.

Arguments

policy_name

Name of the policy to create

policy_path

The path of the file where the policy is defined, ending with .hcl

**formatting_args

Additional arguments used to format the policy file

Vault.configure_approle(self, role_name: str, token_ttl, token_max_ttl, policies, cidrs, token_period)

Create or update a role within Vault, associating the supplied policies with it.

Arguments

role_name

Name of the role to be created or updated

policies

The list of policy names this AppRole will have access to

token_ttl

Incremental lifetime for generated tokens, provided as a duration string such as "5m"

token_max_ttl

Maximum lifetime for generated tokens, provided as a duration string such as "5m"

token_period

The period within which the token must be renewed. See the Vault documentation for more information.

cidrs

The list of IP networks (CIDR blocks) that are allowed to authenticate with this role

Vault.generate_role_secret_id(self, name: str, cidrs)

Description

Generate a new secret ID tied to an AppRole.

Vault.read_role_secret(self, name: str, id: str)

Description

Get the definition of a secret ID tied to an AppRole.

Vault.enable_secrets_engine(self, backend_type: SecretsBackend, path: str)

Description

Enable the given secrets engine at the given path.

Vault.disable_secrets_engine(self, path: str)

Description

Disable the secrets engine at the given path.

Vault.get_intermediate_ca(self, mount: str)

Description

Get the intermediate CA for the PKI backend.

Vault.import_ca_certificate_and_key(self, mount: str, certificate: str, private_key: str)

Description

Import the CA certificate and private key for the PKI backend.

Vault.sign_pki_certificate_signing_request(self, mount: str, role: str, csr: str, common_name: str, ttl: str)

Sign a certificate signing request with the PKI backend.

Arguments

mount

The PKI mount point.

role

The role to use for signing the certificate.

csr

The certificate signing request.

common_name

The common name for the certificate.

ttl

The relative validity for the certificate. Should be a string in the format of a number with a unit such as "120m", "10h" or "90d".

Returns

Certificate

The signed certificate object

Vault.create_or_update_pki_charm_role(self, role: str, allowed_domains: str, max_ttl: str, mount: str)

Create a role for the PKI backend, or update it if it already exists.

Arguments

role

The name of the role to create or update.

allowed_domains

The list of allowed domains for the role.

max_ttl

The maximum TTL for the role. It is also used by Vault as a maximum validity for the certificates issued by this role. Should be a string in the format of a number with a unit such as "120m", "10h" or "90d".

mount

The mount point of the PKI backend for which the role will be created.
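Both the ttl passed to sign_pki_certificate_signing_request and the max_ttl of a PKI role use Vault's duration-string format ("120m", "10h", "90d"), while get_role_max_ttl reports the role's limit in seconds. The helper below is an added example, not code from the vault_client library: it parses such duration strings and checks a requested certificate ttl against a role's max_ttl before the request is sent, so an out-of-range or malformed value is rejected locally instead of surfacing as an API error. It assumes only the duration format and the seconds-valued max_ttl described on this page.

```python
import re

# Added example, not part of charms.vault_k8s.v0.vault_client.
# Vault accepts Go-style durations ("120m", "10h", "1h30m") plus a "d" unit
# for days; a bare integer is read as seconds. Fractional values are not
# handled here; whole-number durations are what the page documents.
_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
_DURATION_RE = re.compile(r"(?:\d+[smhd])+|\d+")


def parse_vault_duration(value: str) -> int:
    """Convert a Vault duration string to whole seconds.

    Rejects anything that is not a bare integer or a sequence of
    <number><unit> parts, so a malformed ttl is caught before it reaches
    the API rather than surfacing as a 400 from Vault.
    """
    text = value.strip()
    if not _DURATION_RE.fullmatch(text):
        raise ValueError(f"invalid Vault duration: {value!r}")
    if text.isdigit():
        return int(text)
    return sum(int(n) * _UNIT_SECONDS[u] for n, u in re.findall(r"(\d+)([smhd])", text))


def ttl_within_role_max(requested_ttl: str, role_max_ttl_seconds: int) -> bool:
    """Return True when the requested certificate ttl does not exceed the
    PKI role's max_ttl, given in seconds as get_role_max_ttl() reports it."""
    return parse_vault_duration(requested_ttl) <= role_max_ttl_seconds


if __name__ == "__main__":
    # Constructed values: a role created with max_ttl="10h" (36000 seconds).
    role_max = parse_vault_duration("10h")
    for ttl in ("120m", "1h30m", "90d"):
        verdict = "ok" if ttl_within_role_max(ttl, role_max) else "exceeds role max_ttl"
        print(f"{ttl}: {verdict}")
```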

Vault.is_pki_role_created(self, role: str, mount: str)

Description

Check whether the role exists in the PKI backend.

Vault.create_snapshot(self)

Description

Create a snapshot of the Vault data.

Vault.restore_snapshot(self, snapshot: IOBase)

Restore a snapshot of the Vault data.

Description

Uses force_restore_raft_snapshot to restore the snapshot even if the unseal key used at backup time differs from the current one.

Vault.get_raft_cluster_state(self)

Description

Get the raft cluster state.

Vault.update_autopilot_config(self)

Set Vault to clean up dead servers automatically.

Description

Read more about it here: https://developer.hashicorp.com/vault/api-docs/system/storage/raftautopilot#set-configuration

Vault.is_raft_cluster_healthy(self)

Description

Check whether the raft cluster is healthy.

Vault.remove_raft_node(self, node_id: str)

Description

Remove a raft peer.

Vault.is_node_in_raft_peers(self, node_id: str)

Description

Check whether the node is among the raft peers.

Vault.get_num_raft_peers(self)

Description

Return the number of raft peers.

Vault.is_common_name_allowed_in_pki_role(self, role: str, mount: str, common_name: str)

Description

Return whether the provided common name is in the list of domains allowed by the specified PKI role.

Vault.get_role_max_ttl(self, role: str, mount: str)

Description

Get the max TTL for the specified PKI role, in seconds.

Vault.make_latest_pki_issuer_default(self, mount: str)

Description

Update the issuers config so that the most recently created issuer always becomes the default issuer.

Vault.destroy_autounseal_credentials(self, relation_id: int, mount: str)

Description

Destroy the AppRole and transit key for the given relation id.

Vault.create_autounseal_credentials(self, relation_id: int, mount: str, policy_path: str)

Create auto-unseal credentials for the given relation id.

Arguments

relation_id

The Juju relation id to use for the AppRole.

mount

The mount point for the transit backend.

policy_path

Path to a file that contains the auto-unseal policy.

Returns

A tuple containing the role ID, secret ID and key name.

def generate_pem_bundle(certificate: str, private_key: str)

Description

Generate a PEM bundle from a certificate and private key.