charmcraft.yaml
# Copyright 2023 Canonical Ltd.
# See LICENSE file for licensing details.

name: vault-k8s
summary: A tool for managing secrets
description: |
  Vault secures, stores, and tightly controls access to
  tokens, passwords, certificates, API keys, and other
  secrets in modern computing. Vault handles leasing, key
  revocation, key rolling, and auditing. Through a unified
  API, users can access an encrypted Key/Value store and
  network encryption-as-a-service, or generate AWS IAM/STS
  credentials, SQL/NoSQL databases, X.509 certificates,
  SSH credentials, and more.
links:
  website:
    - https://charmhub.io/vault-k8s
  source:
    - https://github.com/canonical/vault-k8s-operator
  issues:
    - https://github.com/canonical/vault-k8s-operator/issues
  documentation: https://discourse.charmhub.io/t/vault-operator-kubernetes/12123
  contact: https://matrix.to/#/!yAkGlrYcBFYzYRvOlQ:ubuntu.com?via=ubuntu.com&via=matrix.org&via=mozilla.org

containers:
  vault:
    resource: vault-image
    mounts:
      - storage: vault-raft
        location: /vault/raft
      - storage: config
        location: /vault/config
      - storage: certs
        location: /vault/certs
      - storage: tmp
        location: /tmp

resources:
  vault-image:
    type: oci-image
    description: OCI image for Vault
    upstream-source: ghcr.io/canonical/vault:1.16.3

storage:
  vault-raft:
    type: filesystem
    minimum-size: 10G
  config:
    type: filesystem
    minimum-size: 5M
  certs:
    type: filesystem
    minimum-size: 5M
  tmp:
    type: filesystem
    minimum-size: 5G

peers:
  vault-peers:
    interface: vault-peer

provides:
  vault-autounseal-provides:
    interface: vault-autounseal
  vault-kv:
    interface: vault-kv
  vault-pki:
    interface: tls-certificates
  metrics-endpoint:
    interface: prometheus_scrape
  send-ca-cert:
    interface: certificate_transfer
    description: |
      Send our CA certificate so clients can trust the CA by means of forming a relation.
  grafana-dashboard:
    interface: grafana_dashboard

assumes:
  - juju >= 3.1.8
  - k8s-api

requires:
  vault-autounseal-requires:
    interface: vault-autounseal
    limit: 1
  ingress:
    interface: ingress
    limit: 1
  tls-certificates-access:
    interface: tls-certificates
    limit: 1
    description: |
      Communication between the vault units and from a client to Vault should
      be done using the certificates provided by this integration.
  tls-certificates-pki:
    interface: tls-certificates
    limit: 1
    description: |
      Interface to be used to provide Vault with its CA certificate. Vault will
      use this certificate to sign the certificates it issues on the `vault-pki` interface.
  logging:
    interface: loki_push_api
  s3-parameters:
    interface: s3

type: "charm"
bases:
  - build-on:
      - name: "ubuntu"
        channel: "22.04"
    run-on:
      - name: "ubuntu"
        channel: "22.04"
parts:
  charm:
    build-packages:
      - cargo
      - libffi-dev
      - libssl-dev
      - pkg-config
      - rustc

actions:
  authorize-charm:
    description: >-
      Authorizes the charm to be able to interact with Vault to manage its
      operations. A token is required for Vault to use to create the app role and
      the policy the charm will use to interact with Vault. This token must be
      placed in a juju secret, and access to this secret should be granted to the charm.
    params:
      secret-id:
        type: string
        description: >-
          The Juju secret ID for the secret containing a token for Vault that can create
          new policies, such as the root token that is provided upon initializing
          Vault. Used to create the app role and policy for the charm. It is not
          stored by the charm.
    required: [secret-id]
  create-backup:
    description: >-
      Creates a snapshot of the Raft backend and saves it to the S3 storage.
      Returns the backup ID.
  list-backups:
    description: >-
      Lists all available backups.
  restore-backup:
    description: >-
      Restores a backup from the S3 storage to the Raft backend.
      Returns the backup ID.
    params:
      backup-id:
        type: string
        description: >-
          Backup ID to restore.
    required: [backup-id]

config:
  options:
    default_lease_ttl:
      type: string
      default: "168h"
      description: Specifies the default lease duration for Vault's tokens and secrets.
    max_lease_ttl:
      type: string
      default: "720h"
      description: Specifies the maximum possible lease duration for Vault's tokens and secrets.
    common_name:
      type: string
      description: |
        The common name that will be used by Vault as an intermediate CA. This will only be used when the charm is
        configured to use a Vault PKI backend through the `vault-pki` relation.
        The charm will only issue certificates for the subdomains under the `common_name` specified.
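Pre-deploy sanity checks over the charm metadata above, written as an added example (not code from the vault-k8s-operator project). The `CHARM` dict is a constructed subset of this charmcraft.yaml with the same values, embedded so the checks run without a YAML parser; `ttl_seconds`, `check_lease_ttls`, `unmatched_storage` and `single_provider_missing` are hypothetical helper names.

```python
"""Sanity checks for the vault-k8s charmcraft.yaml (added example, not project code)."""
import re

# Constructed subset of the page's charmcraft.yaml; values copied from the file above.
CHARM = {
    "containers": {"vault": {"mounts": [
        {"storage": "vault-raft", "location": "/vault/raft"},
        {"storage": "config", "location": "/vault/config"},
        {"storage": "certs", "location": "/vault/certs"},
        {"storage": "tmp", "location": "/tmp"},
    ]}},
    "storage": {"vault-raft": {"minimum-size": "10G"}, "config": {"minimum-size": "5M"},
                "certs": {"minimum-size": "5M"}, "tmp": {"minimum-size": "5G"}},
    "requires": {"tls-certificates-access": {"limit": 1},
                 "tls-certificates-pki": {"limit": 1}, "logging": {}},
    "config": {"options": {"default_lease_ttl": {"default": "168h"},
                           "max_lease_ttl": {"default": "720h"}}},
}

_UNITS = {"s": 1, "m": 60, "h": 3600}


def ttl_seconds(value: str) -> int:
    """Parse a Vault-style duration such as '168h' or '30m' into seconds."""
    m = re.fullmatch(r"(\d+)([smh])", value)
    if not m:
        raise ValueError(f"unsupported duration: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2)]


def check_lease_ttls(charm: dict) -> bool:
    """True when default_lease_ttl does not exceed max_lease_ttl (a longer default is invalid)."""
    opts = charm["config"]["options"]
    return ttl_seconds(opts["default_lease_ttl"]["default"]) <= ttl_seconds(
        opts["max_lease_ttl"]["default"])


def unmatched_storage(charm: dict) -> set:
    """Storage declared but never mounted, or mounted in a container but never declared."""
    declared = set(charm["storage"])
    mounted = {m["storage"] for c in charm["containers"].values() for m in c["mounts"]}
    return declared ^ mounted


def single_provider_missing(charm: dict, names) -> list:
    """Relations in `names` without `limit: 1`; the CA-bearing TLS relations should have one provider."""
    return [n for n in names if charm["requires"].get(n, {}).get("limit") != 1]
```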