charm-vault/src
Liam Young 8c2b0de032 Revert to v3 etcd api but skip TLS verification
Using the etcd v3 api causes vault to suffer from bug
https://github.com/hashicorp/vault/issues/4961. But v2 has its own
issues *1. This patch switches back to using the v3 api but disables
vault from performing TLS certificate checks against the etcd
cluster. Given that the charm deployed vault only uses etcd to store
a token for HA and that token is in turn encrypted by vault, it does
not seem a significant security risk.

*1 As Dmitrii Shcherbakov noted, the vault documentation
expresses reservations about the v2 api:

https://www.vaultproject.io/docs/configuration/storage/etcd.html
"the Etcd storage backend supports high availability. The v2 API has
known issues with HA support and should not be used in HA scenarios."

Change-Id: I204bcdbfbc7ed2084542fca7781f1bd802bdb77a
2018-09-07 14:51:33 +01:00
actions Add support for tls-certificates interface 2018-06-06 08:18:30 +00:00
files/nagios Vault version in snap store may not start with 'v' 2018-06-14 13:51:25 +00:00
lib/charm Add support for tls-certificates interface 2018-06-06 08:18:30 +00:00
reactive Protect against empty request health check 2018-07-11 13:09:52 -07:00
templates Revert to v3 etcd api but skip TLS verification 2018-09-07 14:51:33 +01:00
tests Reformat tests.yaml via python yaml 2018-07-16 21:36:02 -04:00
README.md Add basic network spaces support 2018-04-19 11:54:55 +01:00
actions.yaml Add support for tls-certificates interface 2018-06-06 08:18:30 +00:00
config.yaml auto-unlock: make things clear about security 2018-05-08 14:34:54 +01:00
copyright Restructure charm to follow src dir format 2018-02-19 10:19:09 +00:00
icon.svg Add icon 2018-04-18 15:05:28 +01:00
layer.yaml Add support for tls-certificates interface 2018-06-06 08:18:30 +00:00
metadata.yaml Update series metadata 2018-07-11 14:08:11 -05:00
test-requirements.txt Add functional tests 2018-04-12 11:20:16 +00:00
tox.ini Add support for using a vip for access 2018-04-17 14:48:23 +00:00
wheelhouse.txt Add support for tls-certificates interface 2018-06-06 08:18:30 +00:00

README.md

Overview

Vault secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets in modern computing. Vault handles leasing, key revocation, key rolling, and auditing. Through a unified API, users can access an encrypted Key/Value store and network encryption-as-a-service, or generate AWS IAM/STS credentials, SQL/NoSQL databases, X.509 certificates, SSH credentials, and more.

About the Charm

This charm installs Vault from the Ubuntu Snap Store and supports the PostgreSQL and MySQL storage backends. Note that Vault itself does not support PostgreSQL 10, so neither does this charm. If you're deploying on bionic, you'll need to deploy a 9.x version of PostgreSQL.

After deploying and relating the charm to postgresql, install the vault snap locally and use "vault init" to create the master key shards and the root token, and store them safely.

Network Spaces support

The vault charm directly supports network binding via the 'access' extra-binding and the 'cluster' peer relation. These allow the Vault API and inter-unit Cluster addresses to be configured using Juju network spaces.
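As an added example (not taken from the charm's README or repository), the following Juju bundle fragment binds the 'access' extra-binding and the 'cluster' peer relation described above to two named spaces, so the Vault API is reachable on one network while inter-unit traffic stays on another. The space names `public-space` and `internal-space`, the application name and the charm store reference are assumptions, not values from the page:

```yaml
# Added example, not part of the charm repository.
# Space names and the charm reference are assumed for illustration.
applications:
  vault:
    charm: cs:vault            # assumption: charm store name for this charm
    num_units: 1
    bindings:
      access: public-space     # Vault API (the 'access' extra-binding) listens here
      cluster: internal-space  # inter-unit HA traffic (the 'cluster' peer relation) stays here
```

The same bindings can be given on the command line with `juju deploy vault --bind "access=public-space cluster=internal-space"`, and `juju show-application vault` reports the endpoint bindings actually in effect, which is worth checking after deployment so that cluster traffic is not unintentionally exposed on the API network.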