vault #73

  • By james-page
  • Latest version (#73)
  • xenial, bionic, cosmic
  • Stable

Description

Vault secures, stores, and tightly controls access to
tokens, passwords, certificates, API keys, and other
secrets in modern computing. Vault handles leasing, key
revocation, key rolling, and auditing. Through a unified
API, users can access an encrypted Key/Value store and
network encryption-as-a-service, or generate AWS IAM/STS
credentials, SQL/NoSQL databases, X.509 certificates,
SSH credentials, and more.

About the Charm

This charm installs Vault from the Ubuntu Snap Store and
supports the PostgreSQL and MySQL storage backends. Note that Vault itself
does not support PostgreSQL 10, so neither does this charm. If you're
deploying on bionic, you'll need to deploy a 9.x version of PostgreSQL.

After deploying and relating the charm to postgresql, install
the vault snap locally and use "vault init" to create the
master key shards and the root token, and store them safely.
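The deploy-relate-initialise procedure above as an added script. It is not part of the charm or its README; it assumes the relation endpoints vault:db and postgresql:db, a Vault API reachable at http://<unit-address>:8200, and the `vault init` / `vault unseal` commands the README names (newer Vault CLIs spell them `vault operator init` and `vault operator unseal`). Because the postgresql charm installs PostgreSQL 10 on bionic, the database is placed on xenial (PostgreSQL 9.5) as one way of meeting the 9.x requirement.

```shell
#!/bin/sh
# Added example (not part of the vault charm): deploy vault with a PostgreSQL 9.x
# backend, then initialise and unseal it with a locally installed vault snap.
# Assumptions: relation endpoints vault:db <-> postgresql:db, and the Vault API
# listening at http://<unit-address>:8200.
set -eu

# DRY_RUN=1 prints each command instead of running it, so the procedure can be
# reviewed (or tested) without a Juju controller.
run() {
    if [ "${DRY_RUN:-}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Vault does not support PostgreSQL 10, which the postgresql charm installs on
# bionic, so PostgreSQL is deployed on xenial (9.5) here.
deploy_vault() {
    run juju deploy --series bionic vault
    run juju deploy --series xenial postgresql
    run juju add-relation vault:db postgresql:db
}

# "vault init" prints the master key shards and the root token exactly once;
# capture them into a file readable only by the current user, then move that
# file into whatever secret store you use and delete it from this machine.
init_vault() {
    vault_addr=$1
    out_file=$2
    run sudo snap install vault
    export VAULT_ADDR="$vault_addr"
    (umask 077; run vault init -key-shares=5 -key-threshold=3 > "$out_file")
}

# The init output has lines "Unseal Key N: <shard>" and "Initial Root Token: <token>".
extract_unseal_keys() {
    sed -n 's/^Unseal Key [0-9][0-9]*: *//p' "$1"
}

extract_root_token() {
    sed -n 's/^Initial Root Token: *//p' "$1"
}

# Unseal by presenting <threshold> distinct shards. Passing the shard as an
# argument makes it visible in the process list; run this only where that is
# acceptable (an interactive "vault unseal" prompts for it instead).
unseal_vault() {
    init_file=$1
    threshold=$2
    extract_unseal_keys "$init_file" | head -n "$threshold" | while read -r key; do
        run vault unseal "$key"
    done
}

# Usage: vault-bootstrap.sh deploy
#        vault-bootstrap.sh init   http://<unit-address>:8200 init.txt
#        vault-bootstrap.sh unseal init.txt 3
case "${1:-}" in
    deploy) deploy_vault ;;
    init)   init_vault "$2" "$3" ;;
    unseal) unseal_vault "$2" "$3" ;;
esac
```

Run `DRY_RUN=1 ./vault-bootstrap.sh deploy` first to see the exact Juju commands before anything is executed. The key-shares/threshold values are Vault's defaults; choose them to match how many operators must cooperate to unseal.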

Network Spaces support

The vault charm directly supports network binding via the 'access'
extra-binding and the 'cluster' peer relation. These allow the Vault
API and inter-unit Cluster addresses to be configured using Juju
network spaces.

Configuration

nagios_servicegroups
(string) Comma-separated list of Nagios servicegroups for the service checks.
totally-unsecure-auto-unlock
(boolean) FOR TESTING ONLY. Initialise vault after deployment and store the keys locally.
snap_proxy
(string) HTTP/HTTPS web proxy for Snappy to use when accessing the snap store.
disable-mlock
(boolean) Set this option only if you are deploying to an environment that does not support the mlock(2) system call. When this option is set, vault will be unable to prevent secrets from being paged out, so use it with extreme caution.
nagios_context
(string) A string that will be prepended to the instance name to set the host name in Nagios; for instance, the hostname would be something like juju-myservice-0. If you're running multiple environments with the same services in them, this allows you to differentiate between them.
Default: juju
dns-ha-access-record
(string) DNS record to use for DNS HA with MAAS. Do not use the vip setting if this is set.
snap_proxy_url
(string) The address of a Snap Store Proxy to use for snaps e.g. http://snap-proxy.example.com
auto-generate-root-ca-cert
(boolean) Once unsealed, automatically generate a self-signed root CA rather than waiting for an action to be called to either generate one or process a signing request to act as an intermediary CA. Note that this will use all default values for the root CA cert. If you want to adjust those values, you should use the generate-root-ca action instead.
ssl-chain
(string) The SSL chain certificate, base64-encoded.
ssl-ca
(string) The SSL Root CA certificate, base64-encoded.
vip
(string) Virtual IP to use for API traffic.
snapd_refresh
(string) How often snapd handles updates for installed snaps. The default (an empty string) is 4x per day. Set to "max" to check once per month based on the charm deployment date. You may also set a custom string as described in the 'refresh.timer' section here: https://forum.snapcraft.io/t/system-options/87
ssl-cert
(string) The SSL certificate, base64-encoded.
channel
(string) The snap channel to install from.
Default: stable
ssl-key
(string) The SSL key, base64-encoded.
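The ssl-cert, ssl-key and ssl-ca options all expect base64-encoded PEM. The following added helper (not part of the charm) produces those values from PEM files and applies them. It assumes the files are plain PEM and uses `juju config --file` so the private key is passed through a mode-0600 YAML file rather than on the command line.

```shell
#!/bin/sh
# Added example (not part of the vault charm): set ssl-cert / ssl-key / ssl-ca
# from PEM files, base64-encoded as the charm expects.
set -eu

# DRY_RUN=1 prints the juju command instead of running it.
run() {
    if [ "${DRY_RUN:-}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Base64-encode a file as a single line. The charm option is one string, so the
# line wraps that `base64` inserts every 76 characters by default must be removed.
b64_oneline() {
    base64 < "$1" | tr -d '\n'
}

# Sanity check before pushing: the value must decode back to a PEM block.
is_pem_b64() {
    printf '%s' "$1" | base64 -d 2>/dev/null | grep -q '^-----BEGIN '
}

# Apply the three options in one juju config call.
# Arguments: <cert.pem> <key.pem> <ca.pem> <output yaml path>
configure_tls() {
    cert=$1; key=$2; ca=$3; yaml=$4
    for f in "$cert" "$key" "$ca"; do
        is_pem_b64 "$(b64_oneline "$f")" || { echo "$f: not a PEM file" >&2; return 1; }
    done
    # Write the values to a file only the current user can read, rather than
    # putting the private key on the command line (shell history, process list).
    (umask 077; {
        echo "vault:"
        echo "  ssl-cert: $(b64_oneline "$cert")"
        echo "  ssl-key: $(b64_oneline "$key")"
        echo "  ssl-ca: $(b64_oneline "$ca")"
    } > "$yaml")
    run juju config vault --file "$yaml"
}

# Usage: vault-tls.sh cert.pem key.pem ca.pem vault-tls.yaml
if [ $# -eq 4 ]; then
    configure_tls "$1" "$2" "$3" "$4"
fi
```

Delete the YAML file once the configuration has been applied; it holds the private key in a form that is only encoded, not encrypted.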