vault #98

Supports: xenial bionic eoan focal groovy

Description

Vault secures, stores, and tightly controls access to
tokens, passwords, certificates, API keys, and other
secrets in modern computing. Vault handles leasing, key
revocation, key rolling, and auditing. Through a unified
API, users can access an encrypted Key/Value store and
network encryption-as-a-service, or generate AWS IAM/STS
credentials, SQL/NoSQL databases, X.509 certificates,
SSH credentials, and more.


Overview

Vault secures, stores, and controls access to tokens,
passwords, certificates, API keys, and other secrets in modern computing. Vault
handles leasing, key revocation, key rolling, and auditing. Through a unified
API, users can access an encrypted key/value store and network
encryption-as-a-service, or generate AWS IAM/STS credentials, SQL/NoSQL
databases, X.509 certificates, SSH credentials, and more.

The charm installs Vault from a snap.

Usage

Configuration

This section covers common configuration options. See file config.yaml for
the full list of options, along with their descriptions and default values.

channel

The channel option sets the snap channel to use for deployment (e.g.
'latest/edge'). The default value is 'stable', which snapd treats as
'latest/stable'.

Deployment

Deploy a single vault unit in this way:

juju deploy vault

Vault needs a database for its storage backend, so relate it to either MySQL or PostgreSQL.

For MySQL 5:

juju add-relation vault:shared-db percona-cluster:shared-db

For MySQL 8:

juju deploy mysql-router vault-mysql-router
juju add-relation vault-mysql-router:db-router mysql-innodb-cluster:db-router
juju add-relation vault-mysql-router:shared-db vault:shared-db

For PostgreSQL, its version and the underlying machine series must be
compatible (e.g. 9.5/xenial or 10/bionic). Use configuration option version
with the postgresql charm to select a version. For example,
on Xenial:

juju deploy --config version=9.5 --series xenial postgresql
juju add-relation vault:db postgresql:db
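The same MySQL 8 deployment expressed as a Juju bundle, so the relations above can be reviewed and applied in one step. This is an added example, not a bundle shipped with the charm; the series (focal), the charm names, the three-unit cluster size and the option values are assumptions for illustration.

```yaml
# Deploy with: juju deploy ./vault-bundle.yaml
series: focal

applications:
  vault:
    charm: vault
    num_units: 1
    options:
      # snap channel (default 'stable' == 'latest/stable')
      channel: latest/stable
      # keep the default: create the root CA deliberately with the
      # generate-root-ca action, or upload a CSR signed by your own CA
      auto-generate-root-ca-cert: false
      # leave mlock enabled so secrets are never paged to disk
      disable-mlock: false
  mysql-innodb-cluster:
    charm: mysql-innodb-cluster
    num_units: 3          # InnoDB cluster needs three members
  vault-mysql-router:
    charm: mysql-router   # subordinate; lands on the vault machine via the relation

relations:
  - ["vault-mysql-router:db-router", "mysql-innodb-cluster:db-router"]
  - ["vault-mysql-router:shared-db", "vault:shared-db"]
```

After the bundle settles, vault will report that it needs to be initialised and unsealed; those steps are covered under Post-deployment tasks.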

Post-deployment tasks

Once the vault application is deployed, the following tasks must be performed before the charm can serve its relations:

  • Vault initialisation
  • Unsealing of Vault
  • Charm authorisation

These tasks are covered in appendix Vault of the
OpenStack Charms Deployment Guide.
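The three tasks above, walked through against an in-memory stand-in for Vault's HTTP API so the sequence (initialise once, unseal with a threshold of key shares, mint a short-lived token for the authorize-charm action) can be run offline. This is an added example, not charm or HashiCorp code. It assumes the real API paths /v1/sys/init, /v1/sys/unseal, /v1/sys/seal-status and /v1/auth/token/create, and that the charm's authorize-charm action takes the token in a parameter named token; the FakeVault class and its random key material are constructed for the example.

```python
"""Post-deployment tasks for the vault charm: initialise, unseal, authorise.

Added example, not the charm's or Vault's own code. FakeVault is a constructed
stand-in that mimics the response shapes of the assumed API endpoints.
"""
import secrets


class FakeVault:
    """Constructed stand-in for a freshly deployed, uninitialised Vault."""

    def __init__(self):
        self.initialised = False
        self.sealed = True
        self.shares = []        # unseal key shares handed out by init
        self.threshold = 0      # how many distinct shares unseal the server
        self.progress = []      # distinct valid shares seen in this attempt
        self.root_token = None

    def request(self, method, path, body=None, token=None):
        if path == "/v1/sys/init":
            if self.initialised:
                raise RuntimeError("Vault is already initialized")
            self.threshold = body["secret_threshold"]
            self.shares = [secrets.token_hex(32) for _ in range(body["secret_shares"])]
            self.root_token = "s." + secrets.token_hex(12)
            self.initialised = True
            # the only time the shares and root token are ever returned
            return {"keys": list(self.shares), "root_token": self.root_token}
        if path == "/v1/sys/unseal":
            if body["key"] not in self.shares:
                raise RuntimeError("unseal failed: invalid key share")
            if body["key"] not in self.progress:
                self.progress.append(body["key"])
            if len(self.progress) >= self.threshold:
                self.sealed, self.progress = False, []
            return {"sealed": self.sealed, "t": self.threshold,
                    "n": len(self.shares), "progress": len(self.progress)}
        if path == "/v1/sys/seal-status":
            return {"initialized": self.initialised, "sealed": self.sealed}
        if path == "/v1/auth/token/create":
            if self.sealed:
                raise RuntimeError("Vault is sealed")
            if token != self.root_token:
                raise RuntimeError("permission denied")
            return {"auth": {"client_token": "s." + secrets.token_hex(12)}}
        raise RuntimeError(f"unsupported endpoint: {method} {path}")


def initialise(vault, shares=5, threshold=3):
    """Task 1: split the master key into `shares` unseal keys, `threshold`
    of which are needed to unseal, and receive the initial root token."""
    resp = vault.request("PUT", "/v1/sys/init",
                         {"secret_shares": shares, "secret_threshold": threshold})
    return resp["keys"], resp["root_token"]


def unseal(vault, keys):
    """Task 2: submit shares one at a time until the server reports
    sealed=false. Returns how many shares were actually needed."""
    for used, key in enumerate(keys, start=1):
        status = vault.request("PUT", "/v1/sys/unseal", {"key": key})
        if not status["sealed"]:
            return used
    raise RuntimeError("still sealed: fewer than the threshold of shares supplied")


def charm_token(vault, root_token, ttl="10m"):
    """Task 3: mint a short-lived token for the authorize-charm action so
    the root token itself is never handed to the charm."""
    resp = vault.request("POST", "/v1/auth/token/create", {"ttl": ttl},
                         token=root_token)
    return resp["auth"]["client_token"]


def post_deployment(vault, shares=5, threshold=3):
    """Run the three tasks in order and report the outcome."""
    keys, root_token = initialise(vault, shares, threshold)
    used = unseal(vault, keys)          # only `threshold` shares are needed
    token = charm_token(vault, root_token)
    # Hand the token to the charm (assumed Juju 2.x action syntax):
    #   juju run-action --wait vault/leader authorize-charm token=<token>
    return {"shares": len(keys), "shares_used": used, "token": token,
            "sealed": vault.request("GET", "/v1/sys/seal-status")["sealed"]}


if __name__ == "__main__":
    print(post_deployment(FakeVault()))
```

Against a real unit, point the client at the API URL (the hostname or vip option, port 8200), distribute the five shares to separate custodians, and revoke or let expire the 10-minute token once the authorize-charm action has completed.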

Actions

This section lists Juju actions supported by the charm.
Actions allow specific operations to be performed on a per-unit basis.

  • authorize-charm
  • disable-pki
  • generate-root-ca
  • get-csr
  • get-root-ca
  • pause
  • refresh-secrets
  • reissue-certificates
  • resume
  • upload-signed-csr

To display action descriptions run juju actions vault. If the charm
is not deployed then see file actions.yaml.

Bugs

Please report bugs on Launchpad.

For general charm questions refer to the OpenStack Charm Guide.


Configuration

auto-generate-root-ca-cert
(boolean) Once unsealed, automatically generate a self-signed root CA rather than waiting for an action to be called to either generate one or process a signing request to act as an intermediary CA. Note that this will use all default values for the root CA cert. If you want to adjust those values, use the generate-root-ca action instead.
Default: false
channel
(string) The snap channel to install from.
Default: stable
default-ca-ttl
(string) Default TTL to use when generating CA certs.
Default: 87599h
default-ttl
(string) Default TTL to use when generating certs.
Default: 8759h
disable-mlock
(boolean) Set this option only if you are deploying to an environment that does not support the mlock(2) system call. When this option is set, Vault will be unable to prevent secrets from being paged out to swap, so use it with extreme caution.
Default: false
dns-ha-access-record
(string) DNS record to use for DNS HA with MAAS. Do not use the vip setting if this is set.
hostname
(string) Hostname to be used for the API URL. This hostname should exist as a DNS record and be resolvable by the charms that will consume the relation with vault.
max-ttl
(string) Maximum TTL allowed when generating certs (must be greater than default-ttl).
Default: 87600h
nagios_context
(string) A string that will be prepended to the instance name to set the host name in Nagios, so that the hostname would be something like juju-myservice-0. If you're running multiple environments with the same services in them, this allows you to differentiate between them.
Default: juju
nagios_servicegroups
(string) Comma-separated list of Nagios servicegroups for the service checks.
snap_proxy
(string) DEPRECATED. Use the snap-http-proxy and snap-https-proxy model configuration settings. HTTP/HTTPS web proxy for snapd to use when accessing the snap store.
snap_proxy_url
(string) DEPRECATED. Use the snap-store-proxy model configuration setting. The address of a Snap Store Proxy to use for snaps, e.g. http://snap-proxy.example.com
snapd_refresh
(string) How often snapd handles updates for installed snaps. The default (an empty string) is 4x per day. Set to "max" to check once per month based on the charm deployment date. You may also set a custom string as described in the 'refresh.timer' section here: https://forum.snapcraft.io/t/system-options/87
ssl-ca
(string) The SSL root CA certificate, base64-encoded.
ssl-cert
(string) The SSL certificate, base64-encoded.
ssl-chain
(string) The SSL chain certificate, base64-encoded.
ssl-key
(string) The SSL private key, base64-encoded.
totally-unsecure-auto-unlock
(boolean) FOR TESTING ONLY. Initialise Vault after deployment and store the unseal keys and root token in Juju leader settings, where anyone with access to the model can read them with: juju run --unit vault/0 leader-get
Default: false
vip
(string) Virtual IP to use for API traffic. You can provide up to two addresses configured on the access or external bindings. If neither binding is used then you can only provide one address, which must be configured on the default space.