charm-vault/src
Alex Kavanagh 59a4e926bb Add guard to block handlers in assess-status hook
This change blocks most handlers from running during the assess-status
hook.  It may help to alleviate issues around the charm trying to do
things with other services (e.g. mysql) during an assess-status hook
when it, strictly speaking, should only be assessing its internal status
and reporting on that.

Change-Id: I5ab1eadbe7e3131526221b06454725293061ba97
Related-Bug: #1883263
2020-09-09 12:31:18 +01:00
actions Ensure we clear the ca.ready flag when we generate a CA 2020-08-11 15:35:51 +00:00
files/nagios Adjusting NRPE script to work with Vault HA and non-SSL Vault 2019-02-04 22:49:23 +03:00
lib/charm Better error catching for app role check 2020-08-11 12:23:54 +00:00
reactive Add guard to block handlers in assess-status hook 2020-09-09 12:31:18 +01:00
templates Enable MySQL DB TLS Communication 2020-07-02 13:58:56 -07:00
tests Ensure we clear the ca.ready flag when we generate a CA 2020-08-11 15:35:51 +00:00
README.md Review README 2020-04-10 17:26:00 -04:00
actions.yaml Add CN and L options to get-csr action 2020-06-10 16:50:26 -05:00
config.yaml Add note about displaying material in insecure mode 2020-04-23 15:50:22 -04:00
copyright Restructure charm to follow src dir format 2018-02-19 10:19:09 +00:00
icon.svg Add icon 2018-04-18 15:05:28 +01:00
layer.yaml Merge "Add missing repo to layers.yaml" 2019-11-08 16:48:04 +00:00
metadata.yaml Change maintainer to OpenStack Charmers 2020-07-20 19:48:34 +01:00
test-requirements.txt Sync charm/ceph helpers, tox, and requirements 2019-09-30 20:59:41 -05:00
tox.ini Sync charm/ceph helpers, tox, and requirements 2019-09-30 20:59:41 -05:00
wheelhouse.txt Allow for temporary loss of the DB 2020-07-02 13:12:06 -07:00

README.md

Overview

Vault secures, stores, and controls access to tokens, passwords, certificates, API keys, and other secrets in modern computing. Vault handles leasing, key revocation, key rolling, and auditing. Through a unified API, users can access an encrypted key/value store and network encryption-as-a-service, or generate AWS IAM/STS credentials, SQL/NoSQL databases, X.509 certificates, SSH credentials, and more.

The charm installs Vault from a snap.

Usage

Configuration

This section covers common configuration options. See file config.yaml for the full list of options, along with their descriptions and default values.

channel

The channel option sets the snap channel to use for deployment (e.g. 'latest/edge'). The default value is 'latest/stable'.

Deployment

Deploy a single vault unit in this way:

juju deploy vault

Then relate it to either MySQL or PostgreSQL.

For MySQL 5:

juju add-relation vault:shared-db percona-cluster:shared-db

For MySQL 8:

juju deploy mysql-router vault-mysql-router
juju add-relation vault-mysql-router:db-router mysql-innodb-cluster:db-router
juju add-relation vault-mysql-router:shared-db vault:shared-db

For PostgreSQL, its version and the underlying machine series must be compatible (e.g. 9.5/xenial or 10/bionic). Use the 'version' configuration option of the postgresql charm to select a version. For example, on Xenial:

juju deploy --config version=9.5 --series xenial postgresql
juju add-relation vault:db postgresql:db

Post-deployment tasks

Once the vault application is deployed the following tasks must be performed:

  • Vault initialisation
  • Unsealing of Vault
  • Charm authorisation

These tasks are covered in appendix Vault of the OpenStack Charms Deployment Guide.

Actions

This section lists Juju actions supported by the charm. Actions allow specific operations to be performed on a per-unit basis.

  • authorize-charm
  • disable-pki
  • generate-root-ca
  • get-csr
  • get-root-ca
  • pause
  • refresh-secrets
  • reissue-certificates
  • resume
  • upload-signed-csr

To display action descriptions, run 'juju actions vault'. If the charm is not deployed, see file actions.yaml.

Bugs

Please report bugs on Launchpad.

For general charm questions refer to the OpenStack Charm Guide.