Vault

By Canonical Telco

Architecture:

Base version:

Channel	Revision	Published	Runs on
latest/edge	89	31 Jan 2024	Ubuntu 22.04 Ubuntu 20.04
latest/edge	9	27 Jan 2023	Ubuntu 22.04 Ubuntu 20.04
1.16/stable	259	23 Jul 2024	Ubuntu 22.04
1.16/candidate	259	23 Jul 2024	Ubuntu 22.04
1.16/beta	259	23 Jul 2024	Ubuntu 22.04
1.16/edge	274	Today	Ubuntu 22.04
1.15/stable	248	24 Jul 2024	Ubuntu 22.04
1.15/candidate	248	24 Jul 2024	Ubuntu 22.04
1.15/beta	248	24 Jul 2024	Ubuntu 22.04
1.15/edge	248	10 Jul 2024	Ubuntu 22.04

Learn to deploy on juju >

Platform:

charms.vault_k8s.v0.vault_kv

Docstrings Source code
- Fetch library
  
  charmcraft fetch-lib charms.vault_k8s.v0.vault_kv
  Download vault_kv.py
- 13 Aug 2024
- Library version 0.11

Library for the vault-kv relation.

This library contains the Requires and Provides classes for handling the vault-kv interface.

Getting Started

From a charm directory, fetch the library using charmcraft:

charmcraft fetch-lib charms.vault_k8s.v0.vault_kv

Requirer charm

The requirer charm is the charm requiring a secret value store. In this example, the requirer charm is requiring a secret value store.

import secrets

from charms.vault_k8s.v0 import vault_kv
from ops.charm import CharmBase, InstallEvent
from ops.main import main
from ops.model import ActiveStatus, BlockedStatus

NONCE_SECRET_LABEL = "nonce"


class ExampleRequirerCharm(CharmBase):
    def __init__(self, *args):
        super().__init__(*args)
        self.interface = vault_kv.VaultKvRequires(
            self,
            "vault-kv",
            "my-suffix",
        )

        self.framework.observe(self.on.install, self._on_install)
        self.framework.observe(self.interface.on.connected, self._on_connected)
        self.framework.observe(self.interface.on.ready, self._on_ready)
        self.framework.observe(self.interface.on.gone_away, self._on_gone_away)
        self.framework.observe(self.on.update_status, self._on_update_status)

    def _on_install(self, event: InstallEvent):
        self.unit.add_secret(
            {"nonce": secrets.token_hex(16)},
            label=NONCE_SECRET_LABEL,
            description="Nonce for vault-kv relation",
        )
        self.unit.status = BlockedStatus("Waiting for vault-kv relation")

    def _on_connected(self, event: vault_kv.VaultKvConnectedEvent):
        relation = self.model.get_relation(event.relation_name, event.relation_id)
        egress_subnets = [str(subnet) for subnet in self.model.get_binding(relation).network.egress_subnets][0].subnet]
        egress_subnets.append(str(self.model.get_binding(relation).network.interfaces[0].subnet))
        self.interface.request_credentials(relation, egress_subnets, self.get_nonce())

    def _on_ready(self, event: vault_kv.VaultKvReadyEvent):
        relation = self.model.get_relation(event.relation_name, event.relation_id)
        if relation is None:
            return
        vault_url = self.interface.get_vault_url(relation)
        ca_certificate = self.interface.get_ca_certificate(relation)
        mount = self.interface.get_mount(relation)

        unit_credentials = self.interface.get_unit_credentials(relation)
        # unit_credentials is a juju secret id
        secret = self.model.get_secret(id=unit_credentials)
        secret_content = secret.get_content(refresh=True)
        role_id = secret_content["role-id"]
        role_secret_id = secret_content["role-secret-id"]

        self._configure(vault_url, ca_certificate, mount, role_id, role_secret_id)

        self.unit.status = ActiveStatus()

    def _on_gone_away(self, event: vault_kv.VaultKvGoneAwayEvent):
        self.unit.status = BlockedStatus("Waiting for vault-kv relation")

    def _configure(
        self,
        vault_url: str,
        ca_certificate: str,
        mount: str,
        role_id: str,
        role_secret_id: str,
    ):
        pass

    def _on_update_status(self, event):
        # Check somewhere that egress subnet has not changed i.e. pod has not been rescheduled
        # Update status might not be the best place
        binding = self.model.get_binding("vault-kv")
        if binding is not None:
            egress_subnets = [str(subnet) for subnet in self.model.get_binding(relation).network.egress_subnets][0].subnet]
            egress_subnets.append(str(self.model.get_binding(relation).network.interfaces[0].subnet))
            relation = self.model.get_relation(relation_name="vault-kv")
            self.interface.request_credentials(relation, egress_subnets, self.get_nonce())

    def get_nonce(self):
        secret = self.model.get_secret(label=NONCE_SECRET_LABEL)
        nonce = secret.get_content(refresh=True)["nonce"]
        return nonce


if __name__ == "__main__":
    main(ExampleRequirerCharm)

You can integrate both charms by running:

juju integrate <vault provider charm> <vault requirer charm>

Index

class LogAdapter
- def process( self, msg, kwargs)
class VaultKvProviderSchema
class AppVaultKvRequirerSchema
class UnitVaultKvRequirerSchema
class ProviderSchema
class RequirerSchema
class KVRequest
def get_egress_subnets_list_from_relation_data( relation_databag )
def is_requirer_data_valid( app_data, unit_data )
def is_provider_data_valid( data )
class VaultKvGoneAwayEvent
class VaultKvClientDetachedEvent
- def __init__( self, handle, unit_name)
- def snapshot( self)
- def restore( self, snapshot)
class NewVaultKvClientAttachedEvent
- def __init__( self, handle, relation_id, app_name, unit_name, mount_suffix, egress_subnets, nonce)
- def snapshot( self)
- def restore( self, snapshot)
class VaultKvProviderEvents
class VaultKvProvides
- def __init__( self, charm, relation_name)
- def set_vault_url( self, relation, vault_url)
- def set_ca_certificate( self, relation, ca_certificate)
- def set_mount( self, relation, mount)
- def set_egress_subnets( self, relation, egress_subnets)
- def set_unit_credentials( self, relation, nonce, secret)
- def remove_unit_credentials( self, relation, nonce)
- def get_credentials( self, relation)
- def get_outstanding_kv_requests( self, relation_id)
- def get_kv_requests( self, relation_id)
class VaultKvConnectedEvent
- def __init__( self, handle, relation_id, relation_name)
- def snapshot( self)
- def restore( self, snapshot)
class VaultKvReadyEvent
- def __init__( self, handle, relation_id, relation_name)
- def snapshot( self)
- def restore( self, snapshot)
class VaultKvRequireEvents
class VaultKvRequires
- def __init__( self, charm, relation_name, mount_suffix)
- def request_credentials( self, relation, egress_subnet, nonce)
- def get_vault_url( self, relation)
- def get_ca_certificate( self, relation)
- def get_mount( self, relation)
- def get_unit_credentials( self, relation)

Description

Adapter for the logger to prepend a prefix to all log lines. None

Methods

LogAdapter. process( self , msg , kwargs )

Description

Decides the format for the prepended text. None

Description

Provider side of the vault-kv interface. None

Description

App schema of the requirer side of the vault-kv interface. None

Description

Unit schema of the requirer side of the vault-kv interface. None

Description

The schema for the provider side of this interface. None

Description

The schema for the requirer side of this interface. None

Description

This class represents a kv request from an interface Requirer. None

Arguments

relation_databag

the relation databag of the unit or the app.

Description

This function converts the string with values separated by commas to a list.

Description

Return whether the requirer data is valid. None

Description

Return whether the provider data is valid. None

Description

VaultKvGoneAwayEvent Event. None

Description

VaultKvClientDetachedEvent Event. None

Methods

VaultKvClientDetachedEvent. __init__( self , handle , unit_name: str )

VaultKvClientDetachedEvent. snapshot( self )

Description

Return snapshot data that should be persisted. None

VaultKvClientDetachedEvent. restore( self , snapshot )

Description

Restore the event from a snapshot. None

Description

New vault kv client attached event. None

Methods

NewVaultKvClientAttachedEvent. __init__( self , handle , relation_id: int , app_name: str , unit_name: str , mount_suffix: str , egress_subnets , nonce: str )

NewVaultKvClientAttachedEvent. snapshot( self )

Description

Return snapshot data that should be persisted. None

NewVaultKvClientAttachedEvent. restore( self , snapshot )

Description

Restore the value state from a given snapshot. None

Description

List of events that the Vault Kv provider charm can leverage. None

Description

Class to be instanciated by the providing side of the relation. None

Methods

VaultKvProvides. __init__( self , charm , relation_name: str )

VaultKvProvides. set_vault_url( self , relation , vault_url: str )

Description

Set the vault_url on the relation. None

VaultKvProvides. set_ca_certificate( self , relation , ca_certificate: str )

Description

Set the ca_certificate on the relation. None

VaultKvProvides. set_mount( self , relation , mount: str )

Description

Set the mount on the relation. None

VaultKvProvides. set_egress_subnets( self , relation , egress_subnets )

Description

Set the egress_subnets on the relation. None

VaultKvProvides. set_unit_credentials( self , relation , nonce: str , secret )

Description

Set the unit credentials on the relation. None

VaultKvProvides. remove_unit_credentials( self , relation , nonce )

Description

Remove nonce(s) from the relation. None

VaultKvProvides. get_credentials( self , relation )

Description

Get the unit credentials from the relation. None

VaultKvProvides. get_outstanding_kv_requests( self , relation_id )

Description

Get the outstanding requests for the relation. None

VaultKvProvides. get_kv_requests( self , relation_id )

Description

Get all KV requests for the relation. None

Description

VaultKvConnectedEvent Event. None

Methods

VaultKvConnectedEvent. __init__( self , handle , relation_id: int , relation_name: str )

VaultKvConnectedEvent. snapshot( self )

Description

Return snapshot data that should be persisted. None

VaultKvConnectedEvent. restore( self , snapshot )

Description

Restore the value state from a given snapshot. None

Description

VaultKvReadyEvent Event. None

Methods

VaultKvReadyEvent. __init__( self , handle , relation_id: int , relation_name: str )

VaultKvReadyEvent. snapshot( self )

Description

Return snapshot data that should be persisted. None

VaultKvReadyEvent. restore( self , snapshot )

Description

Restore the value state from a given snapshot. None

Description

List of events that the Vault Kv requirer charm can leverage. None

Description

Class to be instanciated by the requiring side of the relation. None

Methods

VaultKvRequires. __init__( self , charm , relation_name: str , mount_suffix: str )

VaultKvRequires. request_credentials( self , relation , egress_subnet , nonce: str )

Request credentials from the vault-kv relation.

Description

Generated secret ids are tied to the unit egress_subnet, so if the egress_subnet changes a new secret id must be generated.

A change in egress_subnets can happen when the pod is rescheduled to a different node by the underlying substrate without a change from Juju.

VaultKvRequires. get_vault_url( self , relation )

Description

Return the vault_url from the relation. None

VaultKvRequires. get_ca_certificate( self , relation )

Description

Return the ca_certificate from the relation. None

VaultKvRequires. get_mount( self , relation )

Description

Return the mount from the relation. None

VaultKvRequires. get_unit_credentials( self , relation )

Return the unit credentials from the relation.

Description

Unit credentials are stored in the relation data as a Juju secret id.

Vault

charms.vault_k8s.v0.vault_kv

Getting Started

Requirer charm

class LogAdapter

class VaultKvProviderSchema

class AppVaultKvRequirerSchema

class UnitVaultKvRequirerSchema

class ProviderSchema

class RequirerSchema

class KVRequest

def get_egress_subnets_list_from_relation_data(relation_databag)

def is_requirer_data_valid(
app_data,
unit_data
)

def is_provider_data_valid(data)

class VaultKvGoneAwayEvent

class VaultKvClientDetachedEvent

class NewVaultKvClientAttachedEvent

class VaultKvProviderEvents

class VaultKvProvides

class VaultKvConnectedEvent

class VaultKvReadyEvent

class VaultKvRequireEvents

class VaultKvRequires

Vault

charms.vault_k8s.v0.vault_kv

Getting Started

Requirer charm

class LogAdapter

class VaultKvProviderSchema

class AppVaultKvRequirerSchema

class UnitVaultKvRequirerSchema

class ProviderSchema

class RequirerSchema

class KVRequest

def get_egress_subnets_list_from_relation_data(relation_databag)

def is_requirer_data_valid( app_data, unit_data )

def is_provider_data_valid(data)

class VaultKvGoneAwayEvent

class VaultKvClientDetachedEvent

class NewVaultKvClientAttachedEvent

class VaultKvProviderEvents

class VaultKvProvides

class VaultKvConnectedEvent

class VaultKvReadyEvent

class VaultKvRequireEvents

class VaultKvRequires

def is_requirer_data_valid(
app_data,
unit_data
)