Vault
- Canonical Telco
Channel | Revision | Published | Runs on |
---|---|---|---|
latest/edge | 89 | 31 Jan 2024 | |
latest/edge | 9 | 27 Jan 2023 | |
1.16/stable | 280 | 04 Oct 2024 | |
1.16/candidate | 280 | 04 Oct 2024 | |
1.16/beta | 280 | 04 Oct 2024 | |
1.16/edge | 313 | 20 Dec 2024 | |
1.15/stable | 248 | 24 Jul 2024 | |
1.15/candidate | 248 | 24 Jul 2024 | |
1.15/beta | 248 | 24 Jul 2024 | |
1.15/edge | 248 | 10 Jul 2024 | |
juju deploy vault-k8s --channel 1.16/stable
charms.vault_k8s.v0.vault_managers
- Last updated 17 Dec 2024
- Revision Library version 0.3
Library for managing Vault Charm features.
This library encapsulates the business logic for managing the Vault service and its associated integrations within the context of our charms.
A Vault Feature Manager will aim to encapsulate as much of the business logic related to the implementation of a specific feature as reasonably possible.
A feature, in this context, is any set of related concepts which distinctly enhance the offering of the Charm by interacting with the Vault Service to perform related operations. A feature may be optional, or required. Features include TLS support, PKI and KV backends, and Auto-unseal.
Feature managers should:
- Abstract away any implementation specific details such as policy and mount names.
- Provide a simple interface for the charm to ensure the feature is correctly configured given the state of the charm. Ideally, this is a single method called sync().
- Be idempotent.
- Be infrastructure independent (i.e. no Kubernetes or Machine specific code).
- Catch all expected exceptions, and prevent them from reaching the Charm.
Feature managers should not:
- Be concerned with the charm's lifecycle (i.e. Charm status)
- Depend on each other unless the features explicitly require the dependency.
Index
class LogAdapter
Description
Adapter for the logger to prepend a prefix to all log lines.
Methods
LogAdapter.process(self, msg: str, kwargs: MutableMapping)
Description
Decides the format for the prepended text.
class TLSMode
This class defines the different modes of TLS configuration.
Description
SELF_SIGNED: The charm will generate a self signed certificate.
TLS_INTEGRATION: The charm will use the TLS integration relation.
class WorkloadBase
Description
Define an interface for the Machine and Container classes.
Methods
WorkloadBase.exists(self, path: str)
Description
Check if a file exists in the workload.
WorkloadBase.pull(self, path: str)
Description
Read file from the workload.
WorkloadBase.push(self, path: str, source: str)
Description
Write file to the workload.
WorkloadBase.make_dir(self, path: str)
Description
Create directory in the workload.
WorkloadBase.remove_path(self, path: str, recursive: bool)
Description
Remove file or directory from the workload.
WorkloadBase.send_signal(self, signal: int, process: str)
Description
Send a signal to a process in the workload.
WorkloadBase.restart(self, process: str)
Description
Restart the workload service.
WorkloadBase.stop(self, process: str)
Description
Stop a service in the workload.
WorkloadBase.is_accessible(self)
Return whether the workload is accessible.
Description
For a container, this would check if we can connect to pebble.
class VaultCertsError
Description
Exception raised when a vault certificate is not found.
Methods
VaultCertsError.__init__(self, message: str)
class File
Description
This enum determines which files the library is expected to read.
class TLSManager
Description
This class configures the certificates within Vault.
Methods
TLSManager.__init__(self, charm: CharmBase, service_name: str, tls_directory_path: str, workload: WorkloadBase, common_name: str, sans_dns, sans_ip)
Create a new TLSManager object.
Arguments
charm: The CharmBase instance that owns this manager.
service_name: Name of the container in k8s and name of the process in machine.
tls_directory_path: Path of the directory where certificates should be stored on the workload.
workload: Either a Container or a Machine.
common_name: The common name of the certificate.
sans_dns: Subject alternative names of the certificate.
sans_ip: Subject alternative IP addresses of the certificate.
TLSManager.send_ca_cert(self)
Description
Send the existing CA cert in the workload to all relations.
TLSManager.get_tls_file_path_in_workload(self, file: File)
Return the requested file's location in the workload.
Arguments
file: a File object that determines which file path to return
Returns
the path of the file from the workload's perspective
TLSManager.get_tls_file_path_in_charm(self, file: File)
Return the requested file's location in the charm (not in the workload).
Arguments
file: a File object that determines which file path to return
Returns
path
Description
This path would typically be: /var/lib/juju/storage/certs/0/{file}.pem
TLSManager.tls_file_available_in_charm(self, file: File)
Return whether the given file is available in the charm.
Arguments
file: a File object that determines which file to check
Returns
True if file exists
TLSManager.ca_certificate_is_saved(self)
Description
Return whether a CA cert and its private key are saved in the charm.
TLSManager.pull_tls_file_from_workload(self, file: File)
Get a file related to certs from the workload.
Arguments
file: a File object that determines which file to read.
Returns
The file content without whitespace, or an empty string if the file does not exist.
TLSManager.ca_certificate_secret_exists(self)
Description
Return whether the CA certificate is stored in a secret.
TLSManager.push_autounseal_ca_cert(self, ca_cert: str)
Push the CA certificate to the workload.
Arguments
ca_cert: The CA certificate to push to the workload.
TLSManager.tls_file_pushed_to_workload(self, file: File)
Return whether the TLS file is pushed to the workload.
Arguments
file: a File object that determines which file to check.
Returns
True if file exists.
def generate_vault_ca_certificate()
Generate Vault CA certificates valid for 50 years.
Returns
CA Private key, CA certificate
def generate_vault_unit_certificate(common_name: str, sans_ip, sans_dns, ca_certificate: str, ca_private_key: str)
Generate Vault unit certificates valid for 50 years.
Arguments
common_name: Common name of the certificate
sans_ip: Subject alternative IP addresses of the certificate
sans_dns: Subject alternative names of the certificate
ca_certificate: CA certificate
ca_private_key: CA private key
Returns
Private key, Certificate
def existing_certificate_is_self_signed(ca_certificate: Certificate)
Description
Return whether the certificate is a self signed certificate generated by the Vault charm.
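The three certificate helpers above, as an added example that is not the vault_managers library's own code: it issues a self-signed CA and a unit certificate with the properties the page describes (50-year validity, DNS and IP SANs) and decides "self-signed" by verifying the signature rather than by comparing names alone. It assumes pyca/cryptography is installed and uses RSA keys; the CA common name is a constructed placeholder.

```python
# Added example (not the vault_managers library's own code): issue a self-signed CA and
# a unit certificate as the page describes (50-year validity, DNS/IP SANs), then check
# whether a certificate is self-signed. Needs pyca/cryptography.
import datetime
import ipaddress
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

FIFTY_YEARS = datetime.timedelta(days=365 * 50)

def _build(subject_cn, issuer, key, signing_key, ext, critical):
    # Shared builder: random serial, 50-year window, one extension. issuer=None means self-issued.
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder().subject_name(subject)
            .issuer_name(subject if issuer is None else issuer)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + FIFTY_YEARS)
            .add_extension(ext, critical=critical).sign(signing_key, hashes.SHA256()))

def generate_vault_ca_certificate(common_name="Vault self signed CA"):
    # Root of trust for the cluster: issuer == subject, signed with its own key, CA=True.
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ext = x509.BasicConstraints(ca=True, path_length=None)
    return key, _build(common_name, None, key, key, ext, True)

def generate_vault_unit_certificate(common_name, sans_ip, sans_dns, ca_cert, ca_key):
    # Leaf for one unit, signed by the CA, with the DNS names and IPs the unit is reached on.
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    sans = [x509.DNSName(d) for d in sans_dns] + [x509.IPAddress(ipaddress.ip_address(i)) for i in sans_ip]
    ext = x509.SubjectAlternativeName(sans)
    return key, _build(common_name, ca_cert.subject, key, ca_key, ext, False)

def issued_by(cert, issuer_cert):
    # A matching issuer name is not proof; the signature must verify under the issuer's key.
    if cert.issuer != issuer_cert.subject:
        return False
    try:
        issuer_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                        padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except InvalidSignature:
        return False

def is_self_signed(cert):
    return issued_by(cert, cert)
```

A second CA generated with the same common name is rejected by issued_by, which is why the check must verify the signature and not only compare the issuer name.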
class Naming
Computes names for Vault features.
Description
This class is used to compute names for Vault features based on the charm's conventions, such as the key name, policy name, and approle name. It provides a central place to manage them.
Methods
Naming.key_name(cls, relation_id: int)
Description
Return the key name for the relation.
Naming.policy_name(cls, relation_id: int)
Description
Return the policy name for the relation.
Naming.approle_name(cls, relation_id: int)
Description
Return the approle name for the relation.
class AutounsealProviderManager
Encapsulates the auto-unseal functionality.
Description
This class provides the business logic for auto-unseal functionality in Vault charms. It is opinionated, and aims to make the interface to enabling and managing the feature as simple as possible. Flexibility is sacrificed for simplicity.
Methods
AutounsealProviderManager.__init__(self, charm: CharmBase, client: VaultClient, provides: VaultAutounsealProvides, ca_cert: str, mount_path: str)
AutounsealProviderManager.mount_path(self)
Description
Return the mount path for the transit backend.
AutounsealProviderManager. clean_up_credentials( self )
Clean up roles and policies that are no longer needed by autounseal.
Description
This method will remove any roles and policies that are no longer used by any of the existing relations. It will also detect any orphaned keys (keys that are not associated with any relation) and log a warning.
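The behaviour described for clean_up_credentials, together with the Naming class above, as an added example that is not the library's own code: a pure reconciliation step that maps names found in Vault back to relation ids, marks policies and AppRoles of vanished relations for deletion, and only reports orphaned transit keys. The name formats are assumed for illustration and are not taken from the page.

```python
# Added example (not the library's own code): the reconciliation behind
# clean_up_credentials as a pure function over the names Vault currently holds.
# The Naming convention below is assumed for illustration, not taken from the page.
import logging
import re
from dataclasses import dataclass

log = logging.getLogger("autounseal")

class Naming:
    # Assumed convention: one transit key, policy and AppRole per relation id.
    _PATTERN = re.compile(r"charm-autounseal-(?:key|policy|approle)-(\d+)")

    @classmethod
    def key_name(cls, relation_id: int) -> str:
        return f"charm-autounseal-key-{relation_id}"

    @classmethod
    def policy_name(cls, relation_id: int) -> str:
        return f"charm-autounseal-policy-{relation_id}"

    @classmethod
    def approle_name(cls, relation_id: int) -> str:
        return f"charm-autounseal-approle-{relation_id}"

    @classmethod
    def relation_id(cls, name: str):
        # Inverse mapping; None for names this charm did not create (e.g. "default", "root").
        m = cls._PATTERN.fullmatch(name)
        return int(m.group(1)) if m else None

@dataclass
class CleanupPlan:
    policies_to_delete: list
    roles_to_delete: list
    orphaned_keys: list  # reported, never deleted: the requirer's data is sealed under them

def _stale(names, active):
    # Only names we own whose relation no longer exists; foreign names are left alone.
    return sorted(n for n in names if (rid := Naming.relation_id(n)) is not None and rid not in active)

def plan_cleanup(active_relation_ids, policies, roles, keys) -> CleanupPlan:
    """Idempotent: running it on an already-clean Vault yields an empty plan."""
    active = set(active_relation_ids)
    plan = CleanupPlan(_stale(policies, active), _stale(roles, active), _stale(keys, active))
    for key in plan.orphaned_keys:
        log.warning("transit key %s is not associated with any relation", key)
    return plan
```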
AutounsealProviderManager.create_credentials(self, relation: Relation, vault_address: str)
Create auto-unseal credentials for the given relation.
Arguments
relation: The relation to create the credentials for.
vault_address: The address where this relation can reach the Vault.
Returns
A tuple containing the key name, role ID, and approle secret ID.
class AutounsealConfigurationDetails
Description
Credentials required for configuring auto-unseal on Vault.
class AutounsealRequirerManager
Encapsulates the auto-unseal functionality from the Requirer Perspective.
Description
In other words, this manages the feature from the perspective of the Vault being auto-unsealed.
Methods
AutounsealRequirerManager.__init__(self, charm: CharmBase, requires: VaultAutounsealRequires)
AutounsealRequirerManager.get_provider_vault_token(self, autounseal_details: AutounsealDetails, ca_cert_path: str)
Retrieve the auto-unseal Vault token, or generate a new one if required.
Arguments
autounseal_details: The autounseal configuration details.
ca_cert_path: The path to the CA certificate to validate the provider Vault.
Returns
A periodic Vault token that can be used for auto-unseal.
Description
Retrieves the last used token from Juju secrets, and validates that it is still valid. If the token is not valid, a new token is generated and stored in the Juju secret. A valid token is returned.