upload-sign-csr action fails if the TTL is shorter than the default
value of default-ttl. Further change in the default-ttl value via
juju config command (to set proper default-ttl) results in the unit
going to error state.
The flag certificates.reissue.global.requested which is set during the
upload-sign-csr action resulted in matching publish_global_client_cert
handler for any config changes. Since the invocation of handlers is
random in the reactive framework, the unit goes to error state whenever the
publish_global_client_cert handler is invoked before the handler
tune_pki_backend_config_changed.
This patch blocks the execution of publish_global_client_cert handler
during any configuration change.
Change-Id: I60f0e1aad13380a4449e5d4b56840954cc7e81a9
Closes-Bug: #1885576
(cherry picked from commit a38bf7cbd2)
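A toy model of the ordering problem described in the commit message above, added here as an illustration; it is not the charm's code and does not use the charms.reactive API. The `config.changed` guard, the failure condition inside `publish_global_client_cert` and the TTL values are assumptions made for the example.

```python
from itertools import permutations

REISSUE = "certificates.reissue.global.requested"  # flag named in the commit message
CONFIG_CHANGED = "config.changed"  # assumed flag marking a config change

class Unit:
    def __init__(self):
        self.config_ttl, self.backend_ttl = "100h", "200h"  # constructed values
        self.flags = {REISSUE, CONFIG_CHANGED}

def tune_pki_backend_config_changed(unit):
    unit.backend_ttl = unit.config_ttl

def publish_global_client_cert(unit):
    # Assumed failure condition: the backend is not yet tuned to the new config.
    if unit.backend_ttl != unit.config_ttl:
        raise RuntimeError("PKI backend not tuned to current default-ttl")
    unit.flags.discard(REISSUE)  # certificate published, request satisfied

def handlers(guarded):
    # guarded=True models the fix: publishing never matches during a config change.
    publish_when = lambda f: REISSUE in f and not (guarded and CONFIG_CHANGED in f)
    return [
        (tune_pki_backend_config_changed, lambda f: CONFIG_CHANGED in f),
        (publish_global_client_cert, publish_when),
    ]

def run_hook(order, unit):
    """One dispatch pass in the given order; returns 'active' or 'error'."""
    try:
        for func, matches in order:
            if matches(unit.flags):
                func(unit)
    except RuntimeError:
        return "error"
    unit.flags.discard(CONFIG_CHANGED)  # config change fully handled
    return "active"

def outcomes(guarded):
    """Map each handler ordering to (unit state, certificate published?)."""
    results = {}
    for order in permutations(handlers(guarded)):
        unit = Unit()
        state = run_hook(order, unit)
        if state == "active" and REISSUE in unit.flags:
            state = run_hook(order, unit)  # later dispatch, config.changed cleared
        results[tuple(f.__name__ for f, _ in order)] = (state, REISSUE not in unit.flags)
    return results
```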
Overview
Vault secures, stores, and controls access to tokens, passwords, certificates, API keys, and other secrets in modern computing. Vault handles leasing, key revocation, key rolling, and auditing. Through a unified API, users can access an encrypted key/value store and network encryption-as-a-service, or generate AWS IAM/STS credentials, SQL/NoSQL databases, X.509 certificates, SSH credentials, and more.
The charm installs Vault from a snap.
Usage
Configuration
This section covers common configuration options. See file config.yaml for
the full list of options, along with their descriptions and default values.
channel
The channel option sets the snap channel to use for deployment (e.g.
'latest/edge'). The default value is 'latest/stable'.
Deployment
Deploy a single vault unit in this way:
juju deploy vault
Then relate it to either MySQL or PostgreSQL.
For MySQL 5:
juju add-relation vault:shared-db percona-cluster:shared-db
For MySQL 8:
juju deploy mysql-router vault-mysql-router
juju add-relation vault-mysql-router:db-router mysql-innodb-cluster:db-router
juju add-relation vault-mysql-router:shared-db vault:shared-db
For PostgreSQL, its version and the underlying machine series must be
compatible (e.g. 9.5/xenial or 10/bionic). Use configuration option version
with the postgresql charm to select a version. For example, on Xenial:
juju deploy --config version=9.5 --series xenial postgresql
juju add-relation vault:db postgresql:db
Post-deployment tasks
Once the vault application is deployed the following tasks must be performed:
- Vault initialisation
- Unsealing of Vault
- Charm authorisation
These tasks are covered in appendix Vault of the OpenStack Charms Deployment Guide.
Actions
This section lists Juju actions supported by the charm. Actions allow specific operations to be performed on a per-unit basis.
- authorize-charm
- disable-pki
- generate-root-ca
- get-csr
- get-root-ca
- pause
- refresh-secrets
- reissue-certificates
- resume
- upload-signed-csr
To display action descriptions run juju actions vault. If the charm
is not deployed then see file actions.yaml.
Bugs
Please report bugs on Launchpad.
For general charm questions refer to the OpenStack Charm Guide.