Vault
- Canonical Telco
Channel | Revision | Published | Runs on
---|---|---|---
latest/edge | 89 | 31 Jan 2024 |
latest/edge | 9 | 27 Jan 2023 |
1.16/stable | 280 | 04 Oct 2024 |
1.16/candidate | 280 | 04 Oct 2024 |
1.16/beta | 280 | 04 Oct 2024 |
1.16/edge | 301 | Yesterday |
1.15/stable | 248 | 24 Jul 2024 |
1.15/candidate | 248 | 24 Jul 2024 |
1.15/beta | 248 | 24 Jul 2024 |
1.15/edge | 248 | 10 Jul 2024 |

juju deploy vault-k8s --channel 1.16/stable
charms.vault_k8s.v0.vault_managers
- Last updated 29 Nov 2024
- Revision
- Library version 0.1
Library for managing Vault Charm features.
This library encapsulates the business logic for managing the Vault service and its associated integrations within the context of our charms.
A Vault Feature Manager aims to encapsulate as much of the business logic related to the implementation of a specific feature as is reasonably possible.
A feature, in this context, is any set of related concepts which distinctly enhance the offering of the Charm by interacting with the Vault Service to perform related operations. A feature may be optional or required. Features include TLS support, PKI and KV backends, and Auto-unseal.
Feature managers should:
- Abstract away any implementation-specific details such as policy and mount names.
- Provide a simple interface for the charm to ensure the feature is correctly configured given the state of the charm. Ideally, this is a single method called sync().
- Be idempotent.
- Be infrastructure independent (i.e. no Kubernetes or Machine specific code).
- Catch all expected exceptions, and prevent them from reaching the Charm.
Feature managers should not:
- Be concerned with the charm's lifecycle (i.e. Charm status).
- Depend on each other unless the features explicitly require the dependency.
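A minimal illustration of these rules, added here and not part of the library: a feature manager for a KV backend whose single sync() method converges a constructed in-memory stand-in for the Vault client (FakeVaultClient, not the library's VaultClient) to the desired state, is safe to call repeatedly, and catches the client's expected exception rather than letting it reach the charm. The mount and policy names are hypothetical.

```python
import logging

logger = logging.getLogger(__name__)

class VaultClientError(Exception):
    """Expected failure when talking to Vault (stand-in for the real client's errors)."""

class FakeVaultClient:
    """Constructed in-memory stand-in for a Vault client; not the library's VaultClient."""
    def __init__(self, available: bool = True) -> None:
        self.available = available
        self.mounts = {}    # mount path -> backend type
        self.policies = {}  # policy name -> HCL

    def _check(self) -> None:
        if not self.available:
            raise VaultClientError("vault is sealed or unreachable")

    def list_mounts(self) -> dict:
        self._check()
        return dict(self.mounts)

    def enable_kv(self, path: str) -> None:
        self._check()
        if path in self.mounts:  # Vault refuses to mount twice at one path
            raise VaultClientError(f"path is already in use at {path}")
        self.mounts[path] = "kv-v2"

    def put_policy(self, name: str, hcl: str) -> None:
        self._check()
        self.policies[name] = hcl  # writing a policy is naturally idempotent

class KVBackendManager:
    """Feature manager for a KV backend: owns mount and policy names so the charm need not."""
    MOUNT = "charm-kv"    # hypothetical names; the real library derives them via VaultNaming
    POLICY = "charm-kv"
    HCL = 'path "charm-kv/*" { capabilities = ["create", "read", "update", "list"] }'

    def __init__(self, client: FakeVaultClient) -> None:
        self._client = client

    def sync(self) -> bool:
        try:
            if self.MOUNT not in self._client.list_mounts():  # check before acting
                self._client.enable_kv(self.MOUNT)
            self._client.put_policy(self.POLICY, self.HCL)
            return True
        except VaultClientError as e:  # expected failure: log it, do not raise to the charm
            logger.warning("KV backend not synced yet: %s", e)
            return False
```

Calling sync() a second time finds the mount already present and only rewrites the policy, so the result is the same state with no error; a sealed or unreachable Vault yields False instead of an exception.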
Index
class LogAdapter
Description
Adapter for the logger to prepend a prefix to all log lines.
Methods
LogAdapter.process(self, msg, kwargs)
Description
Decides the format for the prepended text.
class TLSMode
This class defines the different modes of TLS configuration.
Description
SELF_SIGNED: The charm will generate a self-signed certificate.
TLS_INTEGRATION: The charm will use the TLS integration relation.
class WorkloadBase
Description
Define an interface for the Machine and Container classes.
Methods
WorkloadBase.exists(self, path: str)
Description
Check if a file exists in the workload.
WorkloadBase.pull(self, path: str)
Description
Read a file from the workload.
WorkloadBase.push(self, path: str, source: str)
Description
Write a file to the workload.
WorkloadBase.make_dir(self, path: str)
Description
Create a directory in the workload.
WorkloadBase.remove_path(self, path: str, recursive: bool)
Description
Remove a file or directory from the workload.
WorkloadBase.send_signal(self, signal: int, process: str)
Description
Send a signal to a process in the workload.
WorkloadBase.restart(self, process: str)
Description
Restart the workload service.
WorkloadBase.stop(self, process: str)
Description
Stop a service in the workload.
class VaultCertsError
Description
Exception raised when a Vault certificate is not found.
Methods
VaultCertsError.__init__(self, message: str)
class File
Description
This enum determines which files the library is expected to read.
class VaultTLSManager
Description
This class configures the certificates within Vault.
Methods
VaultTLSManager.__init__(self, charm: CharmBase, service_name: str, tls_directory_path: str, workload: WorkloadBase, common_name: str, sans_dns, sans_ip)
Create a new VaultTLSManager object.
Arguments
charm: CharmBase
service_name: Name of the container in k8s and name of the process in machine.
tls_directory_path: Path of the directory where certificates should be stored on the workload.
workload: Either a Container or a Machine.
common_name: The common name of the certificate.
sans_dns: Subject alternative names of the certificate.
sans_ip: Subject alternative IP addresses of the certificate.
VaultTLSManager.send_ca_cert(self)
Description
Send the existing CA cert in the workload to all relations.
VaultTLSManager.get_tls_file_path_in_workload(self, file: File)
Return the requested file's location in the workload.
Arguments
file: a File object that determines which file path to return.
Returns
The path of the file from the workload's perspective.
VaultTLSManager.get_tls_file_path_in_charm(self, file: File)
Return the requested file's location in the charm (not in the workload).
Arguments
file: a File object that determines which file path to return.
Returns
path
Description
This path would typically be: /var/lib/juju/storage/certs/0/{file}.pem
VaultTLSManager.tls_file_available_in_charm(self, file: File)
Return whether the given file is available in the charm.
Arguments
file: a File object that determines which file to check.
Returns
True if the file exists.
VaultTLSManager.ca_certificate_is_saved(self)
Description
Return whether a CA cert and its private key are saved in the charm.
VaultTLSManager.pull_tls_file_from_workload(self, file: File)
Get a file related to certs from the workload.
Arguments
file: a File object that determines which file to read.
Returns
The file content with surrounding whitespace stripped, or an empty string if the file does not exist.
VaultTLSManager.ca_certificate_secret_exists(self)
Description
Return whether the CA certificate is stored in a secret.
VaultTLSManager.push_autounseal_ca_cert(self, ca_cert: str)
Push the CA certificate to the workload.
Arguments
ca_cert: The CA certificate to push to the workload.
VaultTLSManager.tls_file_pushed_to_workload(self, file: File)
Return whether the TLS file is pushed to the workload.
Arguments
file: a File object that determines which file to check.
Returns
True if the file exists.
def generate_vault_ca_certificate()
Generate a Vault CA certificate valid for 50 years.
Returns
CA private key, CA certificate
def generate_vault_unit_certificate(common_name: str, sans_ip, sans_dns, ca_certificate: str, ca_private_key: str)
Generate a Vault unit certificate valid for 50 years.
Arguments
common_name: Common name of the certificate.
sans_ip: Subject alternative IP addresses of the certificate.
sans_dns: Subject alternative names of the certificate.
ca_certificate: CA certificate.
ca_private_key: CA private key.
Returns
Private key, Certificate
def existing_certificate_is_self_signed(ca_certificate: Certificate)
Description
Return whether the certificate is a self-signed certificate generated by the Vault charm.
class VaultNaming
Computes names for Vault features.
Description
This class is used to compute names for Vault features based on the charm's conventions, such as the key name, policy name, and approle name. It provides a central place to manage them.
Methods
VaultNaming.key_name(cls, relation_id: int)
Description
Return the key name for the relation.
VaultNaming.policy_name(cls, relation_id: int)
Description
Return the policy name for the relation.
VaultNaming.approle_name(cls, relation_id: int)
Description
Return the approle name for the relation.
class VaultAutounsealProviderManager
Encapsulates the auto-unseal functionality.
Description
This class provides the business logic for auto-unseal functionality in Vault charms. It is opinionated, and aims to make the interface for enabling and managing the feature as simple as possible. Flexibility is sacrificed for simplicity.
Methods
VaultAutounsealProviderManager.__init__(self, charm: CharmBase, client: VaultClient, provides: VaultAutounsealProvides, ca_cert: str, mount_path: str)
VaultAutounsealProviderManager.mount_path(self)
Description
Return the mount path for the transit backend.
VaultAutounsealProviderManager.clean_up_credentials(self)
Clean up roles and policies that are no longer needed by autounseal.
Description
This method will remove any roles and policies that are no longer used by any of the existing relations. It will also detect any orphaned keys (keys that are not associated with any relation) and log a warning.
VaultAutounsealProviderManager.create_credentials(self, relation: Relation, vault_address: str)
Create auto-unseal credentials for the given relation.
Arguments
relation: The relation to create the credentials for.
vault_address: The address where this relation can reach the Vault.
Returns
A tuple containing the key name, role ID, and approle secret ID.
class AutounsealConfigurationDetails
Description
Credentials required for configuring auto-unseal on Vault.
class VaultAutounsealRequirerManager
Encapsulates the auto-unseal functionality from the Requirer perspective.
Description
In other words, this manages the feature from the perspective of the Vault being auto-unsealed.
Methods
VaultAutounsealRequirerManager.__init__(self, charm: CharmBase, requires: VaultAutounsealRequires)
VaultAutounsealRequirerManager.get_provider_vault_token(self, autounseal_details: AutounsealDetails, ca_cert_path: str)
Retrieve the auto-unseal Vault token, or generate a new one if required.
Arguments
autounseal_details: The autounseal configuration details.
ca_cert_path: The path to the CA certificate used to validate the provider Vault.
Returns
A periodic Vault token that can be used for auto-unseal.
Description
Retrieves the last used token from Juju secrets and checks that it is still valid. If the token is not valid, a new token is generated and stored in the Juju secret. A valid token is returned.