diff --git a/docs/json_schemas/vault_kv/v0/provider.json b/docs/json_schemas/vault_kv/v0/provider.json
index aabed54b..6ea6b908 100644
--- a/docs/json_schemas/vault_kv/v0/provider.json
+++ b/docs/json_schemas/vault_kv/v0/provider.json
@@ -56,9 +56,9 @@
"description": "The URL of the Vault server to connect to.",
"type": "string"
},
- "kv_mountpoint": {
- "title": "Kv Mountpoint",
- "description": "The mountpoint of the KV store to use.",
+ "mount": {
+ "title": "Mount",
+ "description": "The KV mount available for the requirer application.",
"type": "string"
},
"credentials": {
@@ -73,7 +73,7 @@
},
"required": [
"vault_url",
- "kv_mountpoint",
+ "mount",
"credentials"
]
}
diff --git a/docs/json_schemas/vault_kv/v0/requirer.json b/docs/json_schemas/vault_kv/v0/requirer.json
index 7238fd04..fc30ca62 100644
--- a/docs/json_schemas/vault_kv/v0/requirer.json
+++ b/docs/json_schemas/vault_kv/v0/requirer.json
@@ -30,9 +30,9 @@
"title": "AppVaultKvProviderSchema",
"type": "object",
"properties": {
- "secret_backend": {
- "title": "Secret Backend",
- "default": "The name of the secret backend to use.",
+ "mount_suffix": {
+ "title": "Mount Suffix",
+ "default": "Suffix to append to the mount name to get the KV mount.",
"type": "string"
}
}
diff --git a/interfaces/vault_kv/v0/README.md b/interfaces/vault_kv/v0/README.md
index 63a17670..be39b278 100644
--- a/interfaces/vault_kv/v0/README.md
+++ b/interfaces/vault_kv/v0/README.md
@@ -8,8 +8,8 @@ Some charms require a secure key value store. This relation interface describes
```mermaid
flowchart TD
- Requirer -- secret_backend, egress_subnet --> Provider
- Provider -- vault_url, kv_mountpoint, credentials --> Requirer
+ Requirer -- mount_suffix, egress_subnet --> Provider
+ Provider -- vault_url, mount, credentials --> Requirer
```
## Behavior
@@ -21,20 +21,18 @@ Both the Requirer and the Provider need to adhere to criteria to be considered c
Provider expectations
- Must provide the vault url
-- Must provide a key value mountpoint
+- Must provide a key value mount, the mount name shall respect the following pattern: charm--
- Must provide a role_id and role_secret_id for each unit, with access protected by unit's egress_subnet
### Requirer
Requirer expectations
-- Must provide a secret backend name, which must start with "charm-"
+- Must provide a mount suffix
- Must provide an egress subnet for each unit used to protect access to the secret backend
## Relation Data
-Describe the contents of the databags, and provide schemas for them.
-
[\[Pydantic Schema\]](./schema.py)
#### Example
@@ -43,7 +41,7 @@ Describe the contents of the databags, and provide schemas for them.
provider:
app:
vault_url: http://10.152.183.104:8200
- kv_mountpoint: charm-barbican
+ mount: charm-barbican-secrets
credentials: |
{
"barbican-0": {
@@ -58,7 +56,7 @@ provider:
unit: {}
requirer:
app:
- secret_backend: charm-barbican
+ mount_suffix: secrets
unit:
barbican-0:
egress_subnet: 10.1.166.206/32
diff --git a/interfaces/vault_kv/v0/schema.py b/interfaces/vault_kv/v0/schema.py
index 68cca6c6..7f1eac37 100644
--- a/interfaces/vault_kv/v0/schema.py
+++ b/interfaces/vault_kv/v0/schema.py
@@ -25,14 +25,14 @@ class CredentialsSchema(BaseModel):
class VaultKvProviderSchema(BaseModel):
vault_url: str = Field(description="The URL of the Vault server to connect to.")
- kv_mountpoint: str = Field(description="The mountpoint of the KV store to use.")
+ mount: str = Field(description="The KV mount available for the requirer application.")
credentials: Json[CredentialsSchema] = Field(
description="The credentials to use to authenticate to Vault."
)
class AppVaultKvProviderSchema(BaseModel):
- secret_backend: str = Field("The name of the secret backend to use.")
+ mount_suffix: str = Field("Suffix to append to the mount name to get the KV mount.")
class UnitVaultKvRequirerSchema(BaseModel):
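Review bot: The new `mount_suffix` field in AppVaultKvProviderSchema passes its help text as the first positional argument to `Field`, which pydantic treats as the default value rather than the description — the regenerated docs/json_schemas/vault_kv/v0/requirer.json in this same commit shows it landing under `"default"`, so the commit carries the old `secret_backend` mistake forward. A requirer databag that omits the key would then validate and the provider would receive that literal sentence as the suffix of the `charm-…` mount name. Use the keyword form the neighbouring provider fields already use, `mount_suffix: str = Field(description="Suffix to append to the mount name to get the KV mount.")`, which also makes the key required. Because the suffix is concatenated into a Vault mount path, it may also be worth a regex constraint on the field so that an empty string or path separators are rejected at the schema boundary; I cannot tell from the hunk whether the provider validates it. The class name reads as a provider schema while requirer.json documents it as the requirer application databag; that looks pre-existing but deserves a follow-up rename.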