authorize-charm:
  description: Authorize the vault charm to interact with vault
  properties:
    token:
      type: string
      description: Token to use to authorize charm
  required:
  - token
refresh-secrets:
  description: Refresh secret_id's and re-issue retrieval tokens for secrets endpoints
get-csr:
  description: >-
     Get intermediate CA csr (DEPRECATED Please use regenerate-intermediate-ca).
     WARNING Current certificates will be invalidated and will be recreated after the CSR is signed and uploaded.
  properties:
    # Depending on the configuration of CA that will sign the CSRs it
    # may be necessary to ensure these fields match the CA
    country:
      type: string
      description: >-
        The C (Country) values in the subject field of the CSR
    province:
      type: string
      description: >-
        The ST (Province) values in the subject field of the CSR.
    organization:
      type: string
      description: >-
        The O (Organization) values in the subject field of the CSR.
    organizational-unit:
      type: string
      description: >-
        The OU (OrganizationalUnit) values in the subject field of the CSR.
    common-name:
      type: string
      description: >-
        The CN (Common Name) values in the subject field of the CSR.
    locality:
      type: string
      description: >-
        The L (Locality) values in the subject field of the CSR.
    force:
      type: boolean
      default: False
      description: >-
        Requesting a new CSR and remove the existing intermediate CA
regenerate-intermediate-ca:
  description: >-
     Create a new intermediate CA and return a csr for it
     WARNING Current certificates will be invalidated and will be recreated after the CSR is signed and uploaded.
  properties:
    # Depending on the configuration of CA that will sign the CSRs it
    # may be necessary to ensure these fields match the CA
    country:
      type: string
      description: >-
        The C (Country) values in the subject field of the CSR
    province:
      type: string
      description: >-
        The ST (Province) values in the subject field of the CSR.
    organization:
      type: string
      description: >-
        The O (Organization) values in the subject field of the CSR.
    organizational-unit:
      type: string
      description: >-
        The OU (OrganizationalUnit) values in the subject field of the CSR.
    common-name:
      type: string
      description: >-
        The CN (Common Name) values in the subject field of the CSR.
    locality:
      type: string
      description: >-
        The L (Locality) values in the subject field of the CSR.
    force:
      type: boolean
      default: False
      description: >-
        Requesting a new CSR and remove the existing intermediate CA
upload-signed-csr:
  description: Upload a signed csr to vault
  properties:
    pem:
      type: string
      description: base64 encoded certificate
    allow-subdomains:
      type: boolean
      default: True
      description: >-
        Specifies if clients can request certificates with
    enforce-hostnames:
      type: boolean
      default: False
      description: >-
        Specifies if only valid host names are allowed
        for CNs, DNS SANs, and the host part of email addresses.
    allow-any-name:
      type: boolean
      default: True
      description: >-
        Specifies if clients can request any CN
    max-ttl:
      type: string
      default: '8760h'
      description: >-
        Specifies the maximum Time To Live
    crl-distribution-point:
      type: string
      default: ''
      description: >-
        Provide an alternative URL for the Certificate Revocation List (CRL) distribution point that is included
        in all certificates issued by Vault. This relies on an external process to synchronise certificates
        revoked in Vault to this external distribution point and should only be used when the Vault infrastructure is not
        generally accessible to client endpoints used to access services secured by the Vault Intermediate CA. 
    root-ca:
      type: string
      description: >-
        The certificate of the root CA which will be passed out to client on
        the certificate relation along with the intermediate CA cert
  required:
  - pem
reissue-certificates:
  description: Reissue certificates to all clients
generate-root-ca:
  description: Generate a self-signed root CA
  properties:
    ttl:
      type: string
      default: '87599h'
      description: >-
        Specifies the Time To Live for the root CA certificate
    allow-any-name:
      type: boolean
      default: True
      description: >-
        Specifies if clients can request certificates for any CN.
    allowed-domains:
      type: array
      items:
        type: string
      default: []
      description: >-
        Restricted list of CNs for which the root CA may issue certificates.
        If domains are provided, allow-any-name should be set to false.
    allow-bare-domains:
      type: boolean
      default: False
      description: >-
        Specifies whether clients can request certificates exactly matching
        the CNs in allowed-domains.
    allow-subdomains:
      type: boolean
      default: False
      description: >-
        Specifies whether clients can request certificates for subdomains of
        the CNs in allowed-domains, including wildcard subdomains.
    allow-glob-domains:
      type: boolean
      default: True
      description: >-
        Specifies whether CNs in allowed-domains can contain glob patterns
        (e.g., 'ftp*.example.com'), in which case clients will be able to
        request certificates for any CN matching the glob pattern.
    enforce-hostnames:
      type: boolean
      default: False
      description: >-
        Specifies if only valid host names are allowed
        for CNs, DNS SANs, and the host part of email addresses.
    max-ttl:
      type: string
      default: '8760h'
      description: >-
        Specifies the maximum Time To Live for generated certificates.
get-root-ca:
  description: Get the root CA certificate
disable-pki:
  description: >-
    Disable the PKI secrets backend. This is needed if you wish to switch the
    CA type after being set up via either upload-signed-csr or
    generate-root-ca.
pause:
  description: Pause the vault unit. This stops the vault service.
resume:
  description: >-
    Resume the vault unit. This starts the vault service. Vault will become
    sealed.
restart:
  description: Restarts the vault unit. Vault will become sealed.
reload:
  description: >-
    Reloads the vault unit. This allows for limited configuration options to be
    re-read. Vault will not become sealed.
generate-certificate:
  description: Generate a certificate agains the Vault PKI
  properties:
    ttl:
      type: string
      default: 87599h
      description: >-
        Specifies the Time To Live for the certificate
    common-name:
      type: string
      description: >-
        CN field of the new certificate
    sans:
      type: string
      description: >-
        Space delimited list of Subject Altername Name/IP addresse(s)
    max-ttl:
      type: string
      default: 8760h
      description: >-
        Specifies the maximum Time To Live for generated certificates.
raft-state:
  description: >-
    Get the raft cluster state.
raft-bootstrap-node:
  description: >-
    If and only if quorum is permanently lost
    (ie. impossible to recover enough nodes to reach quorum),
    then use this action on a single unit to re-bootstrap the raft cluster
    from this node.  Remove all other units before running this.
    This runs the procedure documented at
    https://support.hashicorp.com/hc/en-us/articles/360050756393