Vault

juju deploy vault --channel 1.16/stable

Configure for Auto-Unseal

WARNING: There is currently no way to remove the auto-unseal configuration once it has been set on Charmed Vault. Removing the integration may put Charmed Vault in a bad state which requires manual intervention.

Prerequisites

  1. A Charmed Vault instance you wish to use as the unsealer. It must be deployed, initialized, unsealed, and authorized. See Tutorial: Getting started with Vault-K8s or Getting Started: Vault (Machine) if you’re not there yet.
  2. A second Charmed Vault instance you wish to use as the autounsealed Vault. This instance may already be initialized, unsealed, and authorized, or you may initialize it as part of this process.

1. Integrate the Vault instances

Integrate the autounsealed Vault instance with the unsealer Vault instance.

juju integrate vault-unsealer:vault-autounseal-provides vault-autounsealed:vault-autounseal-requires

2. Configure the Vault CLI to interact with the autounsealed Vault.

export VAULT_ADDR="..."
export VAULT_TOKEN="..."

Now, either follow 2a for an initialized autounsealed Vault instance, or 2b for an uninitialized autounsealed Vault instance.

2a. Migrate the autounsealed Vault instance to auto-unseal

In this step, the Vault instance being migrated is unsealed with its existing manual unseal keys and migrates its data to auto-unseal. To do this, unseal the Vault instance with the -migrate flag; ${token} below stands for one of the existing unseal keys.

vault operator unseal -migrate ${token}

2b. If not already initialized, initialize and authorize the autounsealed Vault instance

Configure your CLI to interact with the autounsealed Vault instance. See the getting started guide for more information on how to do this. In short, you will need to set the VAULT_ADDR environment variable to the address of the autounsealed Vault instance, and retrieve and set the appropriate CA certificate.

vault operator init

Use the root token to create a temporary token, and authorize the Vault charm with it.

$ vault token create -ttl=10m
Key                  Value
---                  -----
token                hvs.mmMXCLNZ2X7OcqCM38WYDnoX
token_accessor       eXzWoD1ajA5YtNgfopj1DP1r
token_duration       10m
token_renewable      true
token_policies       ["root"]
identity_policies    []
policies             ["root"]

Create a secret that contains the token above.

$ juju add-secret approle_authorization_token token="hvs.mmMXCLNZ2X7OcqCM38WYDnoX"
secret:cqgj49fmp25c7796r0pg

Grant the secret to the autounsealed vault, and provide the ID of the secret to the authorize-charm action.

juju grant-secret approle_authorization_token vault-autounsealed
juju run vault-autounsealed/leader authorize-charm secret-id=cqgj49fmp25c7796r0pg
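
The step 2b sequence above as one script, so the temporary token and the secret ID are handed from command to command instead of being copied by hand. This is an added example, not part of the Charmed Vault documentation; it assumes `vault` and `juju` are on the PATH and that VAULT_ADDR and VAULT_TOKEN already point at the autounsealed instance, and the function names and the `--run` switch are hypothetical.

```shell
#!/bin/sh
# Added example (not from the charm's docs): step 2b as a script.
# Assumes VAULT_ADDR / VAULT_TOKEN are exported for the autounsealed Vault.

# `juju add-secret` prints a URI such as secret:<id>; authorize-charm takes <id>.
secret_id_from_uri() {
    uri=$(cat)
    case "$uri" in
        secret:?*) printf '%s\n' "${uri#secret:}" ;;
        *) echo "unexpected add-secret output: $uri" >&2; return 1 ;;
    esac
}

authorize_autounsealed() {
    app=${1:-vault-autounsealed}   # application name used on this page

    # -field=token prints only the token value instead of the full table.
    token=$(vault token create -ttl=10m -field=token) || return 1
    [ -n "$token" ] || { echo "no token returned" >&2; return 1; }

    # Same secret name and key as in the manual steps.
    sid=$(juju add-secret approle_authorization_token token="$token" \
            | secret_id_from_uri) || return 1
    unset token                    # not needed once it is stored in the secret

    juju grant-secret approle_authorization_token "$app" &&
    juju run "$app/leader" authorize-charm secret-id="$sid"
}

# Run the flow only when asked to, so sourcing this file has no side effects.
if [ "${1:-}" = "--run" ]; then
    authorize_autounsealed "${2:-vault-autounsealed}"
fi
```

The token never appears in the terminal scrollback or shell history, and it still expires after the 10-minute TTL used on this page.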

Last updated 3 months ago.