Vault
- Canonical Telco
| Channel | Revision | Published | Runs on |
|---|---|---|---|
| latest/edge | 89 | 31 Jan 2024 | |
| latest/edge | 9 | 27 Jan 2023 | |
| 1.16/stable | 323 | 20 Jan 2025 | |
| 1.16/candidate | 323 | 20 Jan 2025 | |
| 1.16/beta | 323 | 20 Jan 2025 | |
| 1.16/edge | 326 | 20 Jan 2025 | |
| 1.15/stable | 248 | 24 Jul 2024 | |
| 1.15/candidate | 248 | 24 Jul 2024 | |
| 1.15/beta | 248 | 24 Jul 2024 | |
| 1.15/edge | 248 | 10 Jul 2024 |
juju deploy vault-k8s --channel 1.16/stable
Deploy Kubernetes operators easily with Juju, the Universal Operator Lifecycle Manager. Need a Kubernetes cluster? Install MicroK8s to create a full CNCF-certified Kubernetes system in under 60 seconds.
Platform:
charms.vault_k8s.v0.vault_managers
-
- Last updated 17 Jan 2025
- Revision Library version 0.6
Library for managing Vault Charm features.
This library encapsulates the business logic for managing the Vault service and its associated integrations within the context of our charms.
A Vault Feature Manager will aim to encapsulate as much of the business logic related to the implementation of a specific feature as reasonably possible.
A feature, in this context, is any set of related concepts which distinctly enhance the offering of the Charm by interacting with the Vault Service to perform related operations. A feature may be optional, or required. Features include TLS support, PKI and KV backends, and Auto-unseal.
Feature managers should:
- Abstract away any implementation specific details such as policy and mount names.
- Provide a simple interface for the charm to ensure the feature is correctly
configured given the state of the charm. Ideally, this is a single method
called
sync(). - Be idempotent.
- Be infrastructure dependent (i.e. no Kubernetes or Machine specific code).
- Catch all expected exceptions, and prevent them from reaching the Charm.
Feature managers should not:
- Be concerned with the charm's lifecycle (i.e. Charm status)
- Depend on each other unless the features explicitly require the dependency.
Index
class LogAdapter
Description
Adapter for the logger to prepend a prefix to all log lines. None
Methods
LogAdapter. process( self , msg: str , kwargs: MutableMapping )
Description
Decides the format for the prepended text. None
class ManagerError
Description
Exception raised when a manager encounters an error. None
class TLSMode
This class defines the different modes of TLS configuration.
Description
SELF_SIGNED: The charm will generate a self signed certificate. TLS_INTEGRATION: The charm will use the TLS integration relation.
class WorkloadBase
Description
Define an interface for the Machine and Container classes. None
Methods
WorkloadBase. exists( self , path: str )
Description
Check if a file exists in the workload. None
WorkloadBase. pull( self , path: str )
Description
Read file from the workload. None
WorkloadBase. push( self , path: str , source: str )
Description
Write file to the workload. None
WorkloadBase. make_dir( self , path: str )
Description
Create directory in the workload. None
WorkloadBase. remove_path( self , path: str , recursive: bool )
Description
Remove file or directory from the workload. None
WorkloadBase. send_signal( self , signal: int , process: str )
Description
Send a signal to a process in the workload. None
WorkloadBase. restart( self , process: str )
Description
Restart the workload service. None
WorkloadBase. stop( self , process: str )
Description
Stop a service in the workload. None
WorkloadBase. is_accessible( self )
Return whether the workload is accessible.
Description
For a container, this would check if we can connect to pebble.
class VaultCertsError
Description
Exception raised when a vault certificate is not found. None
Methods
VaultCertsError. __init__( self , message: str )
class File
Description
This enum determines which files are expected of the library to read. None
class TLSManager
Description
This class configures the certificates within Vault. None
Methods
TLSManager. __init__( self , charm: CharmBase , service_name: str , tls_directory_path: str , workload: WorkloadBase , common_name: str , sans_dns , sans_ip )
Create a new TLSManager object.
Arguments
CharmBase
Name of the container in k8s and name of the process in machine.
Path of the directory where certificates should be stored on the workload.
Either a Container or a Machine.
The common name of the certificate
Subject alternative names of the certificate
Subject alternative IP addresses of the certificate
TLSManager. send_ca_cert( self )
Description
Send the existing CA cert in the workload to all relations. None
TLSManager. get_tls_file_path_in_workload( self , file: File )
Return the requested file's location in the workload.
Arguments
a File object that determines which file path to return
Returns
the path of the file from the workload's perspective
TLSManager. get_tls_file_path_in_charm( self , file: File )
Return the requested file's location in the charm (not in the workload).
Arguments
a File object that determines which file path to return
Returns
path
Description
This path would typically be: /var/lib/juju/storage/certs/0/{file}.pem
TLSManager. tls_file_available_in_charm( self , file: File )
Return whether the given file is available in the charm.
Arguments
a File object that determines which file to check
Returns
True if file exists
TLSManager. ca_certificate_is_saved( self )
Description
Return wether a CA cert and its private key are saved in the charm. None
TLSManager. pull_tls_file_from_workload( self , file: File )
Get a file related to certs from the workload.
Arguments
a File object that determines which file to read.
Returns
The file content without whitespace Or an empty string if the file does not exist.
TLSManager. ca_certificate_secret_exists( self )
Description
Return whether CA certificate is stored in secret. None
TLSManager. push_autounseal_ca_cert( self , ca_cert: str )
Push the CA certificate to the workload.
Arguments
The CA certificate to push to the workload.
TLSManager. tls_file_pushed_to_workload( self , file: File )
Return whether tls file is pushed to the workload.
Arguments
a File object that determines which file to check.
Returns
True if file exists.
def generate_vault_ca_certificate()
Generate Vault CA certificates valid for 50 years.
Returns
CA Private key, CA certificate
def
generate_vault_unit_certificate(
common_name: str,
sans_ip,
sans_dns,
ca_certificate: str,
ca_private_key: str
)
Generate Vault unit certificates valid for 50 years.
Arguments
Common name of the certificate
Subject alternative IP addresses of the certificate
Subject alternative names of the certificate
CA certificate
CA private key
Returns
Private key, Certificate
def existing_certificate_is_self_signed(ca_certificate: Certificate)
Description
Return whether the certificate is a self signed certificate generated by the Vault charm. None
class Naming
Computes names for Vault features.
Description
This class is used to compute names for Vault features based on the charm's conventions, such as the key name, policy name, and approle name. It provides a central place to manage them.
Methods
Naming. autounseal_key_name( cls , relation_id: int )
Description
Return the key name for the relation. None
Naming. autounseal_policy_name( cls , relation_id: int )
Description
Return the policy name for the relation. None
Naming. autounseal_approle_name( cls , relation_id: int )
Description
Return the approle name for the relation. None
Naming. backup_s3_key_name( cls , model_name: str )
Description
Return the key name for the S3 backend. None
Naming. kv_secret_label( cls , unit_name: str )
Description
Return the secret label for the KV backend. None
Naming. kv_mount_path( cls , app_name: str , mount_suffix: str )
Description
Return the mount path for the KV backend. None
Naming. kv_policy_name( cls , mount_path: str , unit_name: str )
Description
Return the policy name for the KV backend. None
Naming. kv_role_name( cls , mount_path: str , unit_name: str )
Description
Return the role name for the KV backend. None
class AutounsealProviderManager
Encapsulates the auto-unseal functionality.
Description
This class provides the business logic for auto-unseal functionality in Vault charms. It is opinionated, and aims to make the interface to enabling and managing the feature as simple as possible. Flexibility is sacrificed for simplicity.
Methods
AutounsealProviderManager. __init__( self , charm: CharmBase , client: VaultClient , provides: VaultAutounsealProvides , ca_cert: str , mount_path: str )
AutounsealProviderManager. mount_path( self )
Description
Return the mount path for the transit backend. None
AutounsealProviderManager. clean_up_credentials( self )
Clean up roles and policies that are no longer needed by autounseal.
Description
This method will remove any roles and policies that are no longer used by any of the existing relations. It will also detect any orphaned keys (keys that are not associated with any relation) and log a warning.
AutounsealProviderManager. create_credentials( self , relation: Relation , vault_address: str )
Create auto-unseal credentials for the given relation.
Arguments
The relation to create the credentials for.
The address where this relation can reach the Vault.
Returns
A tuple containing the key name, role ID, and approle secret ID.
class AutounsealConfigurationDetails
Description
Credentials required for configuring auto-unseal on Vault. None
class AutounsealRequirerManager
Encapsulates the auto-unseal functionality from the Requirer Perspective.
Description
In other words, this manages the feature from the perspective of the Vault being auto-unsealed.
Methods
AutounsealRequirerManager. __init__( self , charm: CharmBase , requires: VaultAutounsealRequires )
AutounsealRequirerManager. get_provider_vault_token( self , autounseal_details: AutounsealDetails , ca_cert_path: str )
Retrieve the auto-unseal Vault token, or generate a new one if required.
Arguments
The autounseal configuration details.
The path to the CA certificate to validate the provider Vault.
Returns
A periodic Vault token that can be used for auto-unseal.
Description
Retrieves the last used token from Juju secrets, and validates that it is still valid. If the token is not valid, a new token is generated and stored in the Juju secret. A valid token is returned.
class PKIManager
Description
Encapsulates the business logic for managing PKI certificates in Vault from a Charm. None
Methods
PKIManager. __init__( self , charm: CharmBase , vault_client: VaultClient , certificate_request_attributes: CertificateRequestAttributes , mount_point: str , role_name: str , vault_pki: TLSCertificatesProvidesV4 , tls_certificates_pki: TLSCertificatesRequiresV4 )
Create a new PKIManager object.
Arguments
The charm this manager is associated with
The Vault client object
The certificate request attributes that were used when requesting an intermediate certificate from the tls_certificates_pki relation provider.
The mount point in Vault for the PKI backend
The role name for the PKI backend
The vault_pki provider relation helper library
The tls_certificates_pki requirer relation helper library
PKIManager. configure( self )
Enable the PKI backend and update the PKI role in Vault.
Description
This method retrieves the intermediate certificate from the relation and configures the PKI role in Vault if they have changed (or haven't yet been configured). It will also revoke all existing certificates if the provider has issued a new CA certificate, and ensure all future certificates are issued by the new CA certificate.
Additionally, this method ensures that the intermediate CA certificate is renewed if necessary.
PKIManager. make_latest_pki_issuer_default( self )
Make the latest PKI issuer the default issuer.
Description
This ensures that the latest issuer we have created is used for signing certificates.
PKIManager. sync( self )
Sync the state of the PKI backend with the TLS certificates relations.
Description
Issues certificates for all outstanding requests.
PKIManager. calculate_pki_certificates_ttl( certificate: Certificate )
Calculate the maximum allowed validity of certificates issued by PKI.
Description
The current implementation returns half the validity of the CA certificate.
class KVManager
Description
Encapsulates the business logic for managing KV credentials for requirer Charms. None
Methods
KVManager. __init__( self , charm: CharmBase , vault_client: VaultClient , vault_kv: VaultKvProvides , ca_cert: str )
KVManager. generate_credentials_for_requirer( self , relation: Relation , app_name: str , unit_name: str , mount_suffix: str , egress_subnets , nonce: str , vault_url: str )
Generate KV credentials for the requirer, and store the credentials in the relation.
Arguments
The relation of the requirer
The name of the requirer application
The name of the requirer unit for this relation
The suffix to append to the mount path, as provided by the requirer
The egress subnets of the requirer
The nonce provided by the requirer
The URL of the Vault server that the requirer can access over this relation.
Description
This method ensures that the approle and policy are created or updated, and that the approle secret ID is generated and stored in a Juju secret.
The Juju secret ID is then passed to the requirer, along with other necessary information to access the KV backend.
KVManager. remove_unit_credentials( juju_facade: JujuFacade , unit_name: str )
Remove any KV credentials associated with the given unit.
Arguments
The JujuFacade object to use for removing the secret
The name of the unit for which to remove the secret
class BackupManager
Encapsulates the business logic for managing backups in Vault from a Charm.
Description
This class provides the business logic for creating, listing, and restoring backups of the Vault data.
Methods
BackupManager. __init__( self , charm: CharmBase , s3_requirer: S3Requirer , relation_name: str )
BackupManager. create_backup( self , vault_client: VaultClient )
Create a backup of the Vault data.
Returns
The S3 key of the backup.
Description
Stores the backup in the S3 bucket provided by the S3 relation.
BackupManager. list_backups( self )
List all the backups available in the S3 bucket.
Returns
A list of backup keys with the prefix.
Description
Backups are identified by the key prefix from
Naming.backup_s3_key_prefix.
BackupManager. restore_backup( self , vault_client: VaultClient , backup_key: str )
Restore the Vault data from the backup using the vault_client provided.
Arguments
The Vault client to use for restoring the snapshot
The S3 key of the backup to restore
class RaftManager
Description
Encapsulates the business logic for managing the bootstrap of a Vault cluster in Raft mode. None
Methods
RaftManager. __init__( self , charm: CharmBase , workload: WorkloadBase , service_name: str , storage_path: str )
RaftManager. bootstrap( self , node_id: str , address: str )
Bootstrap a Vault cluster in Raft mode.
Description
This method will bootstrap a Vault cluster for a single node, by identifying itself as the sole node in the cluster. Additional units may then be added once the cluster is available.