Commit Graph

80 Commits

Author SHA1 Message Date
selcem 8413b3f9ee Add crl-distribution-point to upload-signed-csr action
New configuration parameter updates URI for CRL Distribution points
inside Vault, to a publicly-accessible location. The purpose is not
to impact all users, so I did not add a global configuration
parameter. Instead, only the 'upload_signed_csr' action was updated,
with a newly introduced optional parameter named 'crl-distribution-point'.

Closes-bug: #2048237
Change-Id: I8dbfc0deb9f547100bb63bd6b20737734e97667b
2024-01-18 16:11:32 +03:00
Alex Kavanagh d925ac7566 Fix broken v4 caching due to leader-get asymmetry
leader-get decodes using json, but leader-set just sets the keys. This
wasn't taken into consideration when fetching all the keys to filter for
cached keys when a relation is leaving.  This is resolved in this patch.

Change-Id: I2d44ec0c43c1ecffd9ac77a1162ead4e4a01aabe
2023-08-07 11:37:52 +01:00
Martin Kalcok 1a1953b0ef Implement cert cache for vault units (v4)
This cache is used to store certificates and keys
issued by the leader unit. Non-leader units read
these certificates and keep data in their
"tls-certificates" relations up to date.
This ensures that charm units that receive certs
from vault can read from relation data of any
vault unit and receive correct data.

This patch is mostly the same as
I18aa6c9193379ea454851b6f60a8f331ef88a980
but improved to avoid LP#1896542 by removing
the section where a certificate can be reused
from cache during create_certs.

Co-Authored-By: Rodrigo Barbieri <rodrigo.barbieri@canonical.com>
Co-Authored-By: Alex Kavanagh <alex.kavanagh@canonical.com>

func-test-pr: https://github.com/openstack-charmers/zaza-openstack-tests/pull/1084

Closes-Bug: #1940549
Closes-Bug: #1983269
Closes-Bug: #1845961
Related-Bug: #1896542
Change-Id: I0cca13d2042d61ffc6a7c13eccb0ec8c292020c9
2023-07-26 08:54:22 +00:00
Robert Gildein 9e927889d0 Improve snap channel refresh mechanism
- stop vault.service before refreshing it
- added a warning note that changing the channel config option will
  cause the vault to be sealed

Related-Bug: 2007587
Change-Id: I240ebb4bd14932a6bf95f41da3f2cd7776742266
2023-06-22 17:13:30 +02:00
Zuul e86e6dd493 Merge "Revert "Implement cert cache for vault units (v3)"" 2023-04-18 02:04:15 +00:00
Alex Kavanagh 38e00f460d Revert "Implement cert cache for vault units (v3)"
This reverts commit 04a237660b.

Reason for revert:

The bug in [1] caused all the yoga tests to fail in integration testing.  Testing with a version of the charm without this commit allowed tests to complete.  Thus reverting this until a more complete solution can be found to the original bug(s) [2..4]

[1] https://bugs.launchpad.net/charm-keystone/+bug/2015103
[2] LP #1940549
[3] LP #1983269
[4] LP #1845961

Change-Id: I8a794fbb30e921e5322e9023b891d5e17e0e6e8b
2023-04-14 18:03:42 +00:00
Liam Young 457a51377d Add `force` flag to get-csr
As bug/1947265 notes, running the get-csr action can result in the
CA being wiped from the leader DB. This change attempts to make
it clearer to the user that this action may be destructive.

* Deprecate the `get-csr` action and replace it with
  `regenerate-intermediate-ca`. They are functionally equivalent but
  the new name makes it clearer that the CA may be destroyed.

* Adds `force` option to the action. The force action must be used
  if a CA already exists.

* The functional test of rerunning the `regenerate-intermediate-ca`
  action is now included in the vault tests so no need to run the
  tests twice now.

Func-Test-PR: https://github.com/openstack-charmers/zaza-openstack-tests/pull/974
Change-Id: Ie01dd7ec0e9134689518b37b5d70c8dd5a556241
Closes-Bug: #1947265
2023-02-23 12:43:12 +00:00
Zuul 15ab73ea72 Merge "Implement cert cache for vault units (v3)" 2023-01-23 11:13:22 +00:00
Andreas Hamacher 1ea06f6819 ssl certificate expiry check added to nagios relation
see https://bugs.launchpad.net/vault-charm/+bug/1998174

Change-Id: Ie56cd9b49f13bd2cd323c440a0e1a7f6d7d499b2
2023-01-18 11:07:39 +11:00
Martin Kalcok 04a237660b Implement cert cache for vault units (v3)
This cache is used to store certificates and keys
issued by the leader unit. Non-leader units read
these certificates and keep data in their
"tls-certificates" relations up to date.
This ensures that charm units that receive certs
from vault can read from relation data of any
vault unit and receive correct data.

This patch is mostly the same as
f55055b878
but improved to avoid LP#1983269 by breaking
down the cert cache into separate key-value pairs
for each remote unit and avoiding a race-condition
caused by get-csr action. Instead of using
leader-settings, this patch is now using
application data bag provided by a new vault-ha
relation implementation.

Co-Authored-By: Rodrigo Barbieri <rodrigo.barbieri@canonical.com>

Change-Id: I18aa6c9193379ea454851b6f60a8f331ef88a980
Closes-Bug: #1940549
Closes-Bug: #1983269
Closes-Bug: #1845961
2023-01-12 11:51:12 -03:00
Samuel Walladge 61fdf9ca77 Add embedded raft cluster storage support
Add support for using the embedded raft storage and ha storage engine,
and related management actions and config.

Closes-Bug: #1883242

func-test-pr: https://github.com/openstack-charmers/zaza-openstack-tests/pull/827

Change-Id: I66a9315844ddb67d43e3e1c002073ed315b3b851
2022-08-10 15:20:11 +09:30
Alex Kavanagh 9bf2a4cb3c Revert "Implement cert cache for vault units (v2)"
This reverts commit f55055b878.

Reason for revert:

This patch breaks when issuing many certificates in large models due to CLI leader-set being overwhelmed: https://bugs.launchpad.net/vault-charm/+bug/1983269

Change-Id: I4854839b5278d1b4db325e44b78b1815b2751728
2022-08-01 18:08:35 +01:00
Samuel Walladge 212d2a7dba Fix use of get_chain
A recent change[1] switched to the newer methods in
hvac 11.2, but unfortunately the semantics between
client.secrets.pki.read_certificate() and client.read() are different,
in that the latter returns None on InvalidPath, whereas the former
allows the exception to bubble up.

This means that for the call sites here, we need to catch InvalidPath,
instead of the TypeError.
The original reason for TypeError was that the function
would end up calling None['key'] if read_certificate failed.

[1]: https://review.opendev.org/c/openstack/charm-vault/+/848205

Change-Id: I46b93457c8a757189802ca2c2cdf31cc9c5a9516
2022-07-28 10:41:32 +09:30
Alex Kavanagh ee3271063d Fix to is_ca_ready() which used read_role() incorrectly
A recent change (1) switched to the newer methods in
hvac 11.2, but unfortunately the semantics between
client.secrets.pki.read_role() and client.read() are different,
in that the latter returns None on InvalidPath, whereas the former
allows the exception to bubble up.

Also updates tests and fixes a mocking issue on service_reload.

[1] https://review.opendev.org/c/openstack/charm-vault/+/848205

Change-Id: Id3d112104b1aa45b242e402709fb855131d5203e
2022-07-14 12:38:18 +01:00
Samuel Walladge 68fecd9ba8 Update hvac library to latest version
Update deprecated method calls where possible,
and use new methods instead of lower level read/write calls.

Change-Id: I991435cdf8d36016e75c46823ec47f3290a42fe4
2022-07-04 09:34:33 +09:30
Martin Kalcok f55055b878 Implement cert cache for vault units (v2)
This cache is used to store certificates and keys
issued by the leader unit. Non-leader units read
these certificates and keep data in their
"tls-certificates" relations up to date.
This ensures that charm units that receive certs
from vault can read from relation data of any
vault unit and receive correct data.

This patch is the same as
1159e547dd
but improved to avoid LP#1970888.

Change-Id: Ic4dd009cc18c52e1667391b00ebba9928acc5937
Closes-Bug: #1940549
Closes-Bug: #1970888
2022-05-09 17:35:44 +02:00
gnuoy 1956b5e680 Revert "Implement cert cache for vault units."
This reverts commit 1159e547dd.

Reason for revert: https://bugs.launchpad.net/vault-charm/+bug/1970888

Change-Id: I1770ea46c39f7f20f5d88d5aa65109d8b48740d2
2022-04-29 08:19:02 +00:00
Martin Kalcok 1159e547dd Implement cert cache for vault units.
This cache is used to store certificates and keys
issued by the leader unit. Non-leader units read
these certificates and keep data in their
"tls-certificates" relations up to date.
This ensures that charm units that receive certs
from vault can read from relation data of any
vault unit and receive correct data.

Closes-Bug: #1940549
Change-Id: Iac989b30948fa43fe23851995a8ed00b08126587
2022-04-08 15:05:21 +02:00
Jeff Hillman d8bfff76e4 Add action to generate certificate against the PKI.
Created action to utilize the existing
generate_certificate function for on demand
certificates against the existing vault PKI.

Closes-Bug: #1948837
Change-Id: Ia1a169623c81d6aede7dc52eabd2de94007fde80
2022-02-23 11:10:42 -06:00
Zuul 485d41dd38 Merge "Use unittest.mock instead of mock" 2021-12-16 10:26:17 +00:00
Hervé Beraud 1de27bc18f Use unittest.mock instead of mock
The mock third party library was needed for mock support in py2
runtimes. Since we now only support py36 and later, we can use the
standard lib unittest.mock module instead.

Note that https://github.com/openstack/charms.openstack is used during tests
and it needs `mock`; unfortunately it doesn't declare `mock` in its
requirements, so it retrieves mock from other charm projects (cross dependency).
So we depend on charms.openstack first, and when
Ib1ed5b598a52375e29e247db9ab4786df5b6d142 is merged, CI
will pass without errors.

Depends-On: Ib1ed5b598a52375e29e247db9ab4786df5b6d142
Change-Id: I1d7de2bd4d704ffc331fdeacea725e903890f296
2021-12-15 11:38:28 +00:00
Felipe Reyes 2b115c8d48 Register previous vip set for deletion.
When the vip is changed the ones that are no longer present need to be
registered for deletion from pacemaker's configuration. This change
relies on hookenv.config.changed() to determine what vip(s) are no
longer present in the configuration and ask hacluster to remove them.

Closes-Bug: #1952363
Change-Id: I7b77cd4f57e1770faf92860ee7846bf480efdb9e
2021-11-29 20:49:16 -03:00
Zuul 0a03b2b36d Merge "Surround IPv6 addresses with []" 2021-11-23 21:28:54 +00:00
Andy Wu 5151d01ee2 Report 'Missing CA' if certs relation exist but CA not configured
If vault/leader has a certificate relationship with other apps but the
root CA is either not configured or cleared by the action 'disable-pki',
the status should be set to 'Blocked, Missing CA'.

Also add unit test for checking 'missing-CA' status

Closes-Bug: #1940451
Change-Id: I2f0093c0ae6949693f2ad1ea4729b690c932b4b1
2021-11-05 13:40:22 +00:00
Simon Deziel 3742fcbc32 Surround IPv6 addresses with []
Fix typo in tests (s/exmaple/example/g) and add IPv4 and
IPv6 tests URLs.

Signed-off-by: Simon Deziel <simon.deziel@canonical.com>
Change-Id: I283f88069371d661535f675cc046b04aec2f3f99
2021-11-04 08:54:58 -04:00
Cory Johns 426e68f873 Report when Vault service needs to be restarted for HA
Vault can act as the CA for etcd to allow it to operate in HA mode by
the leader first being unsealed in non-HA mode and providing the root CA
certificate, which allows it to provide a certificate to etcd. However,
at that point, the Vault service needs to be restarted and unsealed
again in order to pick up the HA configuration. Currently, the status
just reports Vault as ready, potentially with multiple "active" units.
This change detects when the Vault service should be restarted to pick
up the HA configuration and reports it via status.

Change-Id: I40e813b1df4ab3b3301881385a5d713524698821
2021-04-02 14:54:02 -04:00
Cory Johns 0d32b7b320 Fix missing root CA status for non-leader
Follow-on from fix for missing root CA status which didn't properly
account for the non-leader when HA.

Change-Id: I405937ac60541cd008b7bbd01b3c9cdaf2ed88a8
2021-03-29 17:58:29 -04:00
Cory Johns 7f4c95b5b4 Add support for loadbalancer interface
This adds support for the new loadbalancer interface which is intended
to allow for load balancer / ingress endpoint providers, such as the
cloud integrator charms, to provide a load balancer address upon
request. The initial use-case for this is using Vault in Azure, where it
is difficult or impossible to use a VIP or floating IP type approach for
HA Vault; instead, this will allow a relation to the azure-integrator
charm which will provide a native Azure LB which Vault can then
advertise.

Change-Id: I5e0738429d47625c23bfe71c86df6266a3ea364b
2021-03-23 14:49:55 -04:00
Cory Johns 8923bc9f86 Report missing CA if cert requests are pending
This sets the charm status to blocked to make it obvious when the CA
cert is missing and there are pending cert requests being blocked.

This also moves the optional interfaces checks down to ensure that they
don't mask the more important status messages.  (E.g., if Vault is
providing certs for Etcd, it's more important to know that Vault is
sealed or missing the CA than to know that Etcd doesn't have its cert
yet.)

This also adds some error checking to gracefully handle the case where
Vault becomes sealed after it was successfully started rather than
having it go into a hook error.

Change-Id: I18a5dbeabc562e14d164f82c041fed207032f52b
Closes-Bug: 1840696
2021-03-18 14:45:24 -04:00
David Ames af60645555 Handle when allowed_units is None
If for any reason the mysql relation is not ready, the
mysql.allowed_units call would return None, leading to the error:
"argument of type 'NoneType' is not iterable".

Handle when mysql.allowed_units returns None.

Closes-Bug: #1894123
Change-Id: Ia764f6d95adb87726813d40fab0e1642d35bb27f
2020-12-08 11:37:42 -08:00
Hemanth Nakkina ca32e36ad0 Update status message if new version of vault is installed
As part of snap auto-updates, new versions of vault get installed when
available. But manual intervention is required to restart the vault
service. This patch updates the status message to inform the same to
the user.

Closes-Bug: #1895577

Change-Id: I995069bc151c1db5061c52b9d89d014be6b6a556
2020-09-29 17:11:59 +05:30
David Ames 3e48efe85b Do not check app role auth until ready
The client_approle_authorized was checking for app role authorization
too early before the charm had been authorized by the authorize-charm
action.

Before checking on app role authorization verify the leader setting,
"local-charm-access-id", set by the authorize-charm action.

Closes-Bug: #1889654
Change-Id: I53f2c357c06a5ac9846718654d35c9baa576cafd
2020-08-03 14:44:56 -07:00
Zuul 56ad2e6c5e Merge "Enable MySQL DB TLS Communication" 2020-07-03 05:57:01 +00:00
Zuul ce8070a73f Merge "Allow for temporary loss of the DB" 2020-07-03 05:56:36 +00:00
David Ames b989a4130a Enable MySQL DB TLS Communication
Change-Id: I626493c099b15b3ee7a3bef8d76e408193f60cba
2020-07-02 13:58:56 -07:00
David Ames 25ac2cb0de Allow for temporary loss of the DB
MySQL topology changes, pause/resumes or even rolling restarts
can put the vault charm into an error state unnecessarily.

* Make the vault charm more robust to temporary MySQL unavailability.
* Make the workload status indicate to the end user when this occurs.

Closes-Bug: #1886083
Change-Id: I57ce8b7d3f778fb87ab01170db1b3770ad84badf
2020-07-02 13:12:06 -07:00
Jeff Hillman 7916e44f1c Add CN and L options to get-csr action
Add the common_name and locality option(s) for use when creating
new Certificate Signing Requests.

Closes-Bug: 1882599

Change-Id: I1900b942ed6a409252b35c539c70226c32ed53e3
2020-06-10 16:50:26 -05:00
David Ames 3f94a10cbf If VIP is set, wait until ha.available
The charm was sending an individual unit's address even when the VIP
configuration value was set. If VIP is set and we have not yet reached
the ha.available state, wait on publishing the vault url.

Change-Id: I3de05b5e771dc4b7c43996d99ccc4b5d8668737d
Closes-Bug: #1878035
2020-05-18 12:04:36 -07:00
Sahid Orentino Ferdjaoui 191c9bc5f3 handler: check for service running
Change-Id: I8bcde949a9cfec0094d7fde7af5ed2c956106ea9
Signed-off-by: Sahid Orentino Ferdjaoui <sahid.ferdjaoui@canonical.com>
2019-11-28 16:44:17 +00:00
Sahid Orentino Ferdjaoui b0ba16efd1 handler: avoid tuning backend pki when service is paused/sealed
Change-Id: I0e59655446c3d76ba290d8a9e53c897890b99929
Signed-off-by: Sahid Orentino Ferdjaoui <sahid.ferdjaoui@canonical.com>
2019-11-28 15:23:51 +00:00
Sahid Orentino Ferdjaoui c982239239 handler: fix publish_ca_info when unit is paused
If the service is paused we should pass on executing this function.

Change-Id: Iab86101a6b9bf2647ea852c01bb47bee47661c4f
Signed-off-by: Sahid Orentino Ferdjaoui <sahid.ferdjaoui@canonical.com>
2019-11-28 15:23:50 +00:00
Zuul 45890b14d0 Merge "Make cert and ca cert ttl configurable" 2019-11-19 23:34:59 +00:00
Seyeong Kim 5f233696a4 Make cert and ca cert ttl configurable
Currently the default ttl for a cert is not configurable
and defaults to one month. This patch makes the ttl
configurable and updates the default for new and
re-generated certs to 1 year and 10 years for the CA
cert.

Closes-Bug: #1841138

Change-Id: Iaa6709c74d64c4191b44b92d4cfb3a3dbbb3fdc8
2019-11-19 13:24:19 -03:00
Sahid Orentino Ferdjaoui fb166e451e handler: correctly handle vault sealed exception
In situations where the vault service is restarted, the service should
be unsealed. It appears that some parts of the code do not handle the
exception correctly, which results in the unit being in an error state.

In the code to handle that, we check whether the service is indeed
unsealed. If that is not the case, juju will report the service as blocked,
asking the user to unseal it.

Change-Id: I1b4d83eb4c944a98a06cc457f51d0fb9d0b9a6ce
Signed-off-by: Sahid Orentino Ferdjaoui <sahid.ferdjaoui@canonical.com>
2019-11-12 11:16:39 +00:00
Edward Hope-Morley c7e2c531ec Add support for multiple client spaces
Some users may not want to expose all vault clients
to the same networks. In particular they might want
to have some on the default access network and some
on an external network. This patch adds support for
new 'external' binding which clients can use to
talk to the vault api.

Change-Id: I0d393c71dcb127b14b8ffcacbd03bbf68f81a53b
Closes-Bug: #1826892
2019-07-18 11:13:14 +01:00
Nicolas Pochet 8b99dc2829 Add hostname as a new config option
Without this option, the charm announces its API URL with the VIP
address. It is problematic when using FQDN in the SAN section of the
certificates and not IP addresses.

Change-Id: Id40f7f3d70c1e9b055bd0ed65c1c9a90c95f84c1
Closes-Bug: 1826225
2019-05-03 08:23:59 +02:00
James Page e4411326d8 Move interface assessment earlier in assess status
Ensure that interface state is assessed early in the assess_status
function so that missing or incomplete interfaces are detected
correctly, rather than the units just reporting a blocked status.

Change-Id: I9989c708a6385c728fa1fa9cff955efd70854774
Closes-Bug: 1811617
2019-02-22 09:31:51 +00:00
Cory Johns 102b222fce Improve Vault startup handling
The `@when_file_changed` decorator is not considered reliable.
Additionally, the way it was being used led to a race condition where
the Vault service might never get started. This also detects and reports
in a better way if Vault fails to start.

Change-Id: If6153377cd516ed8121e09da627905036128a6ec
2019-02-16 19:21:14 -05:00
James Page 6f043bb7ca Correct key name for PKI backend TTL
Switch max-lease-ttl -> max_lease_ttl inline with Vault API
docs to ensure that certs can be issued for more than 30 days.

Existing deployments with PKI enabled will be re-tuned to
set max_lease_ttl to 10 years, correcting any existing PKI
enablement.

Certificates must be re-issued to use the TTL as provided
during upload of the signed CSR for an Intermediate certificate.

For deploys using the internally signed Root CA, the root
CA must be re-generated using the 'disable-pki' and
'generate-root-ca' actions.

Change-Id: I6a771090e320404c605d2170c7915c3c22a3ea2c
Closes-Bug: 1788945
2019-01-18 09:37:56 +02:00
James Page b5afdc3817 vault-kv: Add functional test and use KV v1
Add ceph-mon and ceph-osd charms to smoke testing bundle
to ensure coverage of vault-kv relation and associated
secrets storage functionality.

Revert default KV backend to v1; v2 has a slightly different
API so revert default KV backend version to v1.

This resolves an issue with vaultlocker access to stored
keys.

Also pin hvac version to < 0.7.0.

Change-Id: I8ed197aba3f9a42399fd4304b21e2a36e3dd6dca
2018-11-13 17:16:54 +00:00