-
Notifications
You must be signed in to change notification settings - Fork 4
/
Copy pathcharmcraft.yaml
165 lines (150 loc) · 4.82 KB
/
charmcraft.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
# Copyright 2024 Canonical Ltd.
# See LICENSE file for licensing details.
name: vault
summary: A tool for managing secrets
description: |
Vault secures, stores, and tightly controls access to
tokens, passwords, certificates, API keys, and other
secrets in modern computing. Vault handles leasing, key
revocation, key rolling, and auditing. Through a unified
API, users can access an encrypted Key/Value store and
network encryption-as-a-service, or generate AWS IAM/STS
credentials, SQL/NoSQL databases, X.509 certificates,
SSH credentials, and more.
links:
website:
- https://charmhub.io/vault
source:
- https://github.com/canonical/vault-operator
issues:
- https://github.com/canonical/vault-operator/issues
documentation: https://discourse.charmhub.io/t/vault-operator-machine/12983
assumes:
- juju >= 3.1.8
storage:
vault:
type: filesystem
location: /var/snap/vault/common
certs:
type: filesystem
minimum-size: 5M
location: /var/snap/vault/common/certs
config:
type: filesystem
location: /var/snap/vault/common/config
minimum-size: 5M
peers:
vault-peers:
interface: vault-peer
provides:
vault-autounseal-provides:
interface: vault-autounseal
vault-kv:
interface: vault-kv
vault-pki:
interface: tls-certificates
cos-agent:
interface: cos_agent
send-ca-cert:
interface: certificate_transfer
description: |
Send our CA certificate so clients can trust the CA by means of forming a relation.
requires:
vault-autounseal-requires:
interface: vault-autounseal
tls-certificates-access:
interface: tls-certificates
limit: 1
description: |
Communication between the vault units and from a client to Vault should
be done using the certificates provided by this integration.
tls-certificates-pki:
interface: tls-certificates
limit: 1
description: |
Interface to be used to provide Vault with its CA certificate. Vault will
use this certificate to sign the certificates it issues on the `vault-pki` interface.
s3-parameters:
interface: s3
type: charm
bases:
- build-on:
- name: ubuntu
channel: "22.04"
run-on:
- name: ubuntu
channel: "22.04"
parts:
charm:
source: .
plugin: charm
charm-requirements:
- requirements.txt
build-packages:
- libffi-dev
- libssl-dev
- pkg-config
build-snaps:
- astral-uv
- rustup
override-build: |
rustup default stable
uv export --frozen --no-dev -o requirements.txt
craftctl default
config:
options:
default_lease_ttl:
type: string
default: "168h"
description: Specifies the default lease duration for Vault's tokens and secrets.
max_lease_ttl:
type: string
default: "720h"
description: Specifies the maximum possible lease duration for Vault's tokens and secrets.
common_name:
type: string
description: |
The common name that will be used by Vault as an intermediate CA. This will only be used when the charm is
configured to use a Vault PKI backend through the `vault-pki` relation.
The charm will only issue certificates for the subdomains under the `common_name` specified.
actions:
authorize-charm:
description: >-
Authorizes the charm to be able to interact with Vault to manage its
operations. A token is required for Vault to use to create the app role and
the policy the charm will use to interact with Vault. This token must be
placed in juju secret, and this secret should be granted to the charm.
params:
secret-id:
type: string
description: >-
A secret id from juju that contains a token for Vault that can create
new policies, such as the root token that is provided upon initializing
Vault. Used to create the app role and policy for the charm. It is not
stored by the charm.
required: [secret-id]
bootstrap-raft:
description: >-
Bootstraps raft using a peers.json file. This action requires the
application to first be scaled to a single unit. Bootstrapping can help
recover when quorum is lost, however, it may cause uncommitted Raft log
entries to be committed. See
https://developer.hashicorp.com/vault/docs/concepts/integrated-storage#manual-recovery-using-peers-json
for more details.
create-backup:
description: >-
Creates a snapshot of the Raft backend and saves it to the S3 storage.
Returns backup ID.
list-backups:
description: >-
Lists all available backups.
restore-backup:
description: >-
Restores a backup from the S3 storage to the Raft backend.
Returns backup ID.
params:
backup-id:
type: string
description: >-
Backup ID to restore.
required: [backup-id]