229 lines
7.6 KiB
YAML
229 lines
7.6 KiB
YAML
authorize-charm:
|
|
description: Authorize the vault charm to interact with vault
|
|
properties:
|
|
token:
|
|
type: string
|
|
description: Token to use to authorize charm
|
|
required:
|
|
- token
|
|
refresh-secrets:
|
|
description: Refresh secret_id's and re-issue retrieval tokens for secrets endpoints
|
|
get-csr:
|
|
description: >-
|
|
Get intermediate CA csr (DEPRECATED Please use regenerate-intermediate-ca).
|
|
WARNING Current certificates will be invalidated and will be recreated after the CSR is signed and uploaded.
|
|
properties:
|
|
# Depending on the configuration of CA that will sign the CSRs it
|
|
# may be necessary to ensure these fields match the CA
|
|
country:
|
|
type: string
|
|
description: >-
|
|
The C (Country) values in the subject field of the CSR
|
|
province:
|
|
type: string
|
|
description: >-
|
|
The ST (Province) values in the subject field of the CSR.
|
|
organization:
|
|
type: string
|
|
description: >-
|
|
The O (Organization) values in the subject field of the CSR.
|
|
organizational-unit:
|
|
type: string
|
|
description: >-
|
|
The OU (OrganizationalUnit) values in the subject field of the CSR.
|
|
common-name:
|
|
type: string
|
|
description: >-
|
|
The CN (Common Name) values in the subject field of the CSR.
|
|
locality:
|
|
type: string
|
|
description: >-
|
|
The L (Locality) values in the subject field of the CSR.
|
|
force:
|
|
type: boolean
|
|
default: False
|
|
description: >-
|
|
Requesting a new CSR and remove the existing intermediate CA
|
|
regenerate-intermediate-ca:
|
|
description: >-
|
|
Create a new intermediate CA and return a csr for it
|
|
WARNING Current certificates will be invalidated and will be recreated after the CSR is signed and uploaded.
|
|
properties:
|
|
# Depending on the configuration of CA that will sign the CSRs it
|
|
# may be necessary to ensure these fields match the CA
|
|
country:
|
|
type: string
|
|
description: >-
|
|
The C (Country) values in the subject field of the CSR
|
|
province:
|
|
type: string
|
|
description: >-
|
|
The ST (Province) values in the subject field of the CSR.
|
|
organization:
|
|
type: string
|
|
description: >-
|
|
The O (Organization) values in the subject field of the CSR.
|
|
organizational-unit:
|
|
type: string
|
|
description: >-
|
|
The OU (OrganizationalUnit) values in the subject field of the CSR.
|
|
common-name:
|
|
type: string
|
|
description: >-
|
|
The CN (Common Name) values in the subject field of the CSR.
|
|
locality:
|
|
type: string
|
|
description: >-
|
|
The L (Locality) values in the subject field of the CSR.
|
|
force:
|
|
type: boolean
|
|
default: False
|
|
description: >-
|
|
Requesting a new CSR and remove the existing intermediate CA
|
|
upload-signed-csr:
|
|
description: Upload a signed csr to vault
|
|
properties:
|
|
pem:
|
|
type: string
|
|
description: base64 encoded certificate
|
|
allow-subdomains:
|
|
type: boolean
|
|
default: True
|
|
description: >-
|
|
Specifies if clients can request certificates with
|
|
enforce-hostnames:
|
|
type: boolean
|
|
default: False
|
|
description: >-
|
|
Specifies if only valid host names are allowed
|
|
for CNs, DNS SANs, and the host part of email addresses.
|
|
allow-any-name:
|
|
type: boolean
|
|
default: True
|
|
description: >-
|
|
Specifies if clients can request any CN
|
|
max-ttl:
|
|
type: string
|
|
default: '8760h'
|
|
description: >-
|
|
Specifies the maximum Time To Live
|
|
crl-distribution-point:
|
|
type: string
|
|
default: ''
|
|
description: >-
|
|
Provide an alternative URL for the Certificate Revocation List (CRL) distribution point that is included
|
|
in all certificates issued by Vault. This relies on an external process to synchronise certificates
|
|
revoked in Vault to this external distribution point and should only be used when the Vault infrastructure is not
|
|
generally accessible to client endpoints used to access services secured by the Vault Intermediate CA.
|
|
root-ca:
|
|
type: string
|
|
description: >-
|
|
The certificate of the root CA which will be passed out to client on
|
|
the certificate relation along with the intermediate CA cert
|
|
required:
|
|
- pem
|
|
reissue-certificates:
|
|
description: Reissue certificates to all clients
|
|
generate-root-ca:
|
|
description: Generate a self-signed root CA
|
|
properties:
|
|
ttl:
|
|
type: string
|
|
default: '87599h'
|
|
description: >-
|
|
Specifies the Time To Live for the root CA certificate
|
|
allow-any-name:
|
|
type: boolean
|
|
default: True
|
|
description: >-
|
|
Specifies if clients can request certificates for any CN.
|
|
allowed-domains:
|
|
type: array
|
|
items:
|
|
type: string
|
|
default: []
|
|
description: >-
|
|
Restricted list of CNs for which the root CA may issue certificates.
|
|
If domains are provided, allow-any-name should be set to false.
|
|
allow-bare-domains:
|
|
type: boolean
|
|
default: False
|
|
description: >-
|
|
Specifies whether clients can request certificates exactly matching
|
|
the CNs in allowed-domains.
|
|
allow-subdomains:
|
|
type: boolean
|
|
default: False
|
|
description: >-
|
|
Specifies whether clients can request certificates for subdomains of
|
|
the CNs in allowed-domains, including wildcard subdomains.
|
|
allow-glob-domains:
|
|
type: boolean
|
|
default: True
|
|
description: >-
|
|
Specifies whether CNs in allowed-domains can contain glob patterns
|
|
(e.g., 'ftp*.example.com'), in which case clients will be able to
|
|
request certificates for any CN matching the glob pattern.
|
|
enforce-hostnames:
|
|
type: boolean
|
|
default: False
|
|
description: >-
|
|
Specifies if only valid host names are allowed
|
|
for CNs, DNS SANs, and the host part of email addresses.
|
|
max-ttl:
|
|
type: string
|
|
default: '8760h'
|
|
description: >-
|
|
Specifies the maximum Time To Live for generated certificates.
|
|
get-root-ca:
|
|
description: Get the root CA certificate
|
|
disable-pki:
|
|
description: >-
|
|
Disable the PKI secrets backend. This is needed if you wish to switch the
|
|
CA type after being set up via either upload-signed-csr or
|
|
generate-root-ca.
|
|
pause:
|
|
description: Pause the vault unit. This stops the vault service.
|
|
resume:
|
|
description: >-
|
|
Resume the vault unit. This starts the vault service. Vault will become
|
|
sealed.
|
|
restart:
|
|
description: Restarts the vault unit. Vault will become sealed.
|
|
reload:
|
|
description: >-
|
|
Reloads the vault unit. This allows for limited configuration options to be
|
|
re-read. Vault will not become sealed.
|
|
generate-certificate:
|
|
description: Generate a certificate agains the Vault PKI
|
|
properties:
|
|
ttl:
|
|
type: string
|
|
default: 87599h
|
|
description: >-
|
|
Specifies the Time To Live for the certificate
|
|
common-name:
|
|
type: string
|
|
description: >-
|
|
CN field of the new certificate
|
|
sans:
|
|
type: string
|
|
description: >-
|
|
Space delimited list of Subject Altername Name/IP addresse(s)
|
|
max-ttl:
|
|
type: string
|
|
default: 8760h
|
|
description: >-
|
|
Specifies the maximum Time To Live for generated certificates.
|
|
raft-state:
|
|
description: >-
|
|
Get the raft cluster state.
|
|
raft-bootstrap-node:
|
|
description: >-
|
|
If and only if quorum is permanently lost
|
|
(ie. impossible to recover enough nodes to reach quorum),
|
|
then use this action on a single unit to re-bootstrap the raft cluster
|
|
from this node. Remove all other units before running this.
|
|
This runs the procedure documented at
|
|
https://support.hashicorp.com/hc/en-us/articles/360050756393
|