From 40b2864d133a045b4f9b7c5b6612654002926c72 Mon Sep 17 00:00:00 2001 From: Guillaume Boutry Date: Thu, 21 Sep 2023 16:03:51 +0200 Subject: [PATCH] feat: add ca_certificate field in vault-kv relation (#105) Vault-k8s has been refactored to always have TLS enabled. The CA certificate is needed to validate the vault server's identity. Co-authored-by: Simon Aronsson --- docs/json_schemas/vault_kv/v0/provider.json | 6 +++++ interfaces/vault_kv/v0/README.md | 30 ++++++++++++++++++--- interfaces/vault_kv/v0/schema.py | 3 +++ 3 files changed, 35 insertions(+), 4 deletions(-) diff --git a/docs/json_schemas/vault_kv/v0/provider.json b/docs/json_schemas/vault_kv/v0/provider.json index 4b03a04b..b159b8e9 100644 --- a/docs/json_schemas/vault_kv/v0/provider.json +++ b/docs/json_schemas/vault_kv/v0/provider.json @@ -33,6 +33,11 @@ "description": "The KV mount available for the requirer application, respecting the pattern 'charm--'.", "type": "string" }, + "ca_certificate": { + "title": "Ca Certificate", + "description": "The CA certificate to use when validating the Vault server's certificate.", + "type": "string" + }, "credentials": { "title": "Credentials", "description": "Mapping of unit name and credentials for that unit. Credentials are a juju secret containing a 'role-id' and a 'role-secret-id'.", @@ -45,6 +50,7 @@ "required": [ "vault_url", "mount", + "ca_certificate", "credentials" ] } diff --git a/interfaces/vault_kv/v0/README.md b/interfaces/vault_kv/v0/README.md index 65ad9d54..24b7dbe3 100644 --- a/interfaces/vault_kv/v0/README.md +++ b/interfaces/vault_kv/v0/README.md @@ -9,7 +9,7 @@ Some charms require a secure key value store. This relation interface describes ```mermaid flowchart TD Requirer -- mount_suffix, nonce, egress_subnet --> Provider - Provider -- vault_url, mount, credentials --> Requirer + Provider -- vault_url, ca_certificate, mount, credentials --> Requirer ``` ## Behavior @@ -20,10 +20,11 @@ Both the Requirer and the Provider need to adhere to criteria to be considered c Provider expectations -- Is expected to provide the vault url +- Is expected to provide the vault url. +- Is expected to provide a ca certificate used to validate the vault server's certificate. - Is expected to provide a key value mount, the mount name shall respect the following pattern: `charm--` - Is expected to create an approle restricted to the requiring unit's egress subnet. -- Is expected to create a Juju secret containing a role-id and role-secret-id for each unit +- Is expected to create a Juju secret containing a role-id and role-secret-id for each unit. - Is expected to provide the Juju secret ID in the relation data, identified by the unit's nonce. - Is expected to have out of date credentials when requirer unit's identity change, for some unspecified amount of time until new credentials have been generated. For example, during an upgrade-charm event. @@ -32,7 +33,7 @@ Provider expectations Requirer expectations -- Is expected to provide a mount suffix +- Is expected to provide a mount suffix. - Is expected to provide an egress subnet for each unit requiring access to the vault key value store. The unit's egress_subnet shall be used to restrict access to the secret backend. - Is expected to provide a nonce, i.e. a string uniquely identifying the unit. @@ -48,6 +49,27 @@ provider: app: vault_url: http://10.152.183.104:8200 mount: charm-barbican-secrets # in case of CMR, mount will look like `charm-remote-fd7bc6a8c2d54d748ec3822da5abf0bc-secrets` + ca_certificate: | + -----BEGIN CERTIFICATE----- + MIIDPzCCAiegAwIBAgIUSV4nLL94rCgtxIHB1kyCDh2SBnkwDQYJKoZIhvcNAQEL + BQAwLDELMAkGA1UEBhMCVVMxHTAbBgNVBAMMFFZhdWx0IHNlbGYgc2lnbmVkIENB + MCAXDTIzMDkxNTEzMzAzM1oYDzIwNzMwOTAyMTMzMDMzWjAsMQswCQYDVQQGEwJV + UzEdMBsGA1UEAwwUVmF1bHQgc2VsZiBzaWduZWQgQ0EwggEiMA0GCSqGSIb3DQEB + AQUAA4IBDwAwggEKAoIBAQC1Odkv2Yv6PoDTT4VPO8EGwlhmbkYib4VbxZVCxQe/ + 1qp4IDDKwN4PXnmCbfg/Ri+A8C9CQZirVam0zIxqQJ2fe0EKBO7y7BM8HrhWPh2p + 3oWV3mi8qm1frQvjpWK859oQMFzDkaKGLHIADwi8pr7wLlyUAlGZ6s/aKAtAkRUZ + fLpUkMpSuoBT/3JgbvQOk9QQS+I0lLsaPxE4KV1kfuH/EdAgiMeqj0Y2Cj0t0ZBG + ZWt6jOFRffZbDmV/P2Vl0Oc7dJFfluWTy+3GA+AMlaNOVR1xdtmSot+W9dZR7rHp + dCGeulRjm79DgkCBZ8XNGUDSd5kBv4dkNVXtY24ZCP45AgMBAAGjVzBVMB8GA1Ud + DgQYBBYEFKbR1+Rgj49n7dHWsrsF+US8FI2GMCEGA1UdIwQaMBiAFgQUptHX5GCP + j2ft0dayuwX5RLwUjYYwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC + AQEAjFZKJQ/Vo1TtPBfD3A+3NI0jbjEt7i2+ERHfrDSAVZEuV10X7Red/YRd+lup + rPwgZr1Fg5/dDwiILwOcQz39Qq3u6BFChjH47Oz4krcG5uv6VTrDwhSnmV5gzTia + hXR6SET/yOwwoM6AWRsvjZQ0jCdRcvd5e+rafM27jXRBO0/F9XQGc3Dn5WM0TalC + S293oLoL3epU0X36FFRVWMVOCPBVzUS0eRrL90gTWxBNEw4YPyxIZD1+0uhUdJum + q9IJGysn/ETTPHj83pM+Dgr3+3rP8NP3OF81eKi87nGyrY+HtzlKUTCYymyeCUqK + CnYvDG4IK/MIkjgiBBTS7diP/A== + -----END CERTIFICATE----- credentials: | { "3081279da89c48a32923473c2c587019": "secret://4f7cc474-a23d-49a2-8b6e-9835c1e08325/cjk5slcrl3uc767oebp0", diff --git a/interfaces/vault_kv/v0/schema.py b/interfaces/vault_kv/v0/schema.py index 45059926..5762bcb1 100644 --- a/interfaces/vault_kv/v0/schema.py +++ b/interfaces/vault_kv/v0/schema.py @@ -20,6 +20,9 @@ class VaultKvProviderSchema(BaseModel): "respecting the pattern 'charm--'." ) ) + ca_certificate: str = Field( + description="The CA certificate to use when validating the Vault server's certificate." + ) credentials: Json[Mapping[str, str]] = Field( description=( "Mapping of unit name and credentials for that unit."