Skip to content

Commit

Permalink
feat: add ca_certificate field in vault-kv relation (#105)
Browse files Browse the repository at this point in the history
Vault-k8s has been refactored to always have TLS enabled. The
CA certificate is needed to validate the vault server's identity.

Co-authored-by: Simon Aronsson <[email protected]>
  • Loading branch information
gboutry and simskij authored Sep 21, 2023
1 parent 46b4016 commit 40b2864
Show file tree
Hide file tree
Showing 3 changed files with 35 additions and 4 deletions.
6 changes: 6 additions & 0 deletions docs/json_schemas/vault_kv/v0/provider.json
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,11 @@
"description": "The KV mount available for the requirer application, respecting the pattern 'charm-<requirer app>-<user provided suffix>'.",
"type": "string"
},
"ca_certificate": {
"title": "Ca Certificate",
"description": "The CA certificate to use when validating the Vault server's certificate.",
"type": "string"
},
"credentials": {
"title": "Credentials",
"description": "Mapping of unit name and credentials for that unit. Credentials are a juju secret containing a 'role-id' and a 'role-secret-id'.",
Expand All @@ -45,6 +50,7 @@
"required": [
"vault_url",
"mount",
"ca_certificate",
"credentials"
]
}
Expand Down
30 changes: 26 additions & 4 deletions interfaces/vault_kv/v0/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ Some charms require a secure key value store. This relation interface describes
```mermaid
flowchart TD
Requirer -- mount_suffix, nonce, egress_subnet --> Provider
Provider -- vault_url, mount, credentials --> Requirer
Provider -- vault_url, ca_certificate, mount, credentials --> Requirer
```

## Behavior
Expand All @@ -20,10 +20,11 @@ Both the Requirer and the Provider need to adhere to criteria to be considered c

Provider expectations

- Is expected to provide the vault url
- Is expected to provide the vault url.
- Is expected to provide a ca certificate used to validate the vault server's certificate.
- Is expected to provide a key value mount, the mount name shall respect the following pattern: `charm-<requirer app>-<requirer provided suffix>`
- Is expected to create an approle restricted to the requiring unit's egress subnet.
- Is expected to create a Juju secret containing a role-id and role-secret-id for each unit
- Is expected to create a Juju secret containing a role-id and role-secret-id for each unit.
- Is expected to provide the Juju secret ID in the relation data, identified by the unit's nonce.
- Is expected to have out of date credentials when requirer unit's identity change, for some unspecified amount of time
until new credentials have been generated. For example, during an upgrade-charm event.
Expand All @@ -32,7 +33,7 @@ Provider expectations

Requirer expectations

- Is expected to provide a mount suffix
- Is expected to provide a mount suffix.
- Is expected to provide an egress subnet for each unit requiring access to the vault key value store.
The unit's egress_subnet shall be used to restrict access to the secret backend.
- Is expected to provide a nonce, i.e. a string uniquely identifying the unit.
Expand All @@ -48,6 +49,27 @@ provider:
app:
vault_url: http://10.152.183.104:8200
mount: charm-barbican-secrets # in case of CMR, mount will look like `charm-remote-fd7bc6a8c2d54d748ec3822da5abf0bc-secrets`
ca_certificate: |
-----BEGIN CERTIFICATE-----
MIIDPzCCAiegAwIBAgIUSV4nLL94rCgtxIHB1kyCDh2SBnkwDQYJKoZIhvcNAQEL
BQAwLDELMAkGA1UEBhMCVVMxHTAbBgNVBAMMFFZhdWx0IHNlbGYgc2lnbmVkIENB
MCAXDTIzMDkxNTEzMzAzM1oYDzIwNzMwOTAyMTMzMDMzWjAsMQswCQYDVQQGEwJV
UzEdMBsGA1UEAwwUVmF1bHQgc2VsZiBzaWduZWQgQ0EwggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQC1Odkv2Yv6PoDTT4VPO8EGwlhmbkYib4VbxZVCxQe/
1qp4IDDKwN4PXnmCbfg/Ri+A8C9CQZirVam0zIxqQJ2fe0EKBO7y7BM8HrhWPh2p
3oWV3mi8qm1frQvjpWK859oQMFzDkaKGLHIADwi8pr7wLlyUAlGZ6s/aKAtAkRUZ
fLpUkMpSuoBT/3JgbvQOk9QQS+I0lLsaPxE4KV1kfuH/EdAgiMeqj0Y2Cj0t0ZBG
ZWt6jOFRffZbDmV/P2Vl0Oc7dJFfluWTy+3GA+AMlaNOVR1xdtmSot+W9dZR7rHp
dCGeulRjm79DgkCBZ8XNGUDSd5kBv4dkNVXtY24ZCP45AgMBAAGjVzBVMB8GA1Ud
DgQYBBYEFKbR1+Rgj49n7dHWsrsF+US8FI2GMCEGA1UdIwQaMBiAFgQUptHX5GCP
j2ft0dayuwX5RLwUjYYwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC
AQEAjFZKJQ/Vo1TtPBfD3A+3NI0jbjEt7i2+ERHfrDSAVZEuV10X7Red/YRd+lup
rPwgZr1Fg5/dDwiILwOcQz39Qq3u6BFChjH47Oz4krcG5uv6VTrDwhSnmV5gzTia
hXR6SET/yOwwoM6AWRsvjZQ0jCdRcvd5e+rafM27jXRBO0/F9XQGc3Dn5WM0TalC
S293oLoL3epU0X36FFRVWMVOCPBVzUS0eRrL90gTWxBNEw4YPyxIZD1+0uhUdJum
q9IJGysn/ETTPHj83pM+Dgr3+3rP8NP3OF81eKi87nGyrY+HtzlKUTCYymyeCUqK
CnYvDG4IK/MIkjgiBBTS7diP/A==
-----END CERTIFICATE-----
credentials: |
{
"3081279da89c48a32923473c2c587019": "secret://4f7cc474-a23d-49a2-8b6e-9835c1e08325/cjk5slcrl3uc767oebp0",
Expand Down
3 changes: 3 additions & 0 deletions interfaces/vault_kv/v0/schema.py
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,9 @@ class VaultKvProviderSchema(BaseModel):
"respecting the pattern 'charm-<requirer app>-<user provided suffix>'."
)
)
ca_certificate: str = Field(
description="The CA certificate to use when validating the Vault server's certificate."
)
credentials: Json[Mapping[str, str]] = Field(
description=(
"Mapping of unit name and credentials for that unit."
Expand Down

0 comments on commit 40b2864

Please sign in to comment.