Giter Site home page Giter Site logo

charm-interface-vault-kv's Introduction

Overview

This interface handles the communication with the vault charm using the vault-kv interface type.

Vault will enable simple KV based secrets backends with AppRole based authentication and policies to allow consuming charms to store and retrieve secrets in Vault.

Access to the backend will be limited to the network address binding of of the relation endpoint name and ownership of a secret_id which the consuming application must retrieve using a one-shot token out-of-band from Juju.

Usage

Requires

The interface layer will set the following reactive states, as appropriate:

  • {relation_name}.connected The relation is established and ready for the local charm to make a request for access to a secrets backend using the request_secret_backend method.

  • {relation_name}.available When vault has created the backend and an associated AppRole to allow the local charm to store and retrieve secrets in vault - the vault_url and unit_role_id properties will be set.

For example:

from charms.reactive.flags import endpoint_from_flag

 @when('secrets-storage.connected')
 def ss_connected():
 	secrets = endpoint_from_flag('secrets-storage.connected')
 	secrets.request_secret_backend('charm-vaultlocker', isolated=True)


 @when('secrets-storage.available')
 def ss_ready_for_use():
 	secrets = endpoint_from_flag('secrets-storage.connected')
 	configure_my_local_service(
 		vault_url=secrets.vault_url,
 		role_id=secrets.unit_role_id,
        secret_id=vault.get_response(secrets.unit_token),
 		backend='charm-vaultlocker',
 	)

Interface Schema Details

  • Initiates the kv-store requesting a secrets backend by sending:

    • str - secret_backend

      Note that the backend name must be prefixed with 'charm-' otherwise the vault charm will skip creation of the secrets backend and associated access.

    • str - unit_name

      formatted by the requirer as '$model-uuid:$unit-name' using a '-' to delimit between the model-uuid and the juju unit-name

    • str - access_address

      ip address used to gain access this kv-store, will be associated as a CIDR with netmask /32 with the authorized vault token when isolated

    • str - hostname

      Creates an approle with a policy associated with this unit's hostname.

    • bool - isolated (defaults: True )

      • True - sets the policy on the secret to SECRET_BACKEND_HCL
      • False - sets the policy on the secret to SECRET_BACKEND_SHARED_HCL

charm-interface-vault-kv's People

Contributors

javacruft avatar fnordahl avatar addyess avatar dosaboy avatar johnsca avatar ajkavanagh avatar thedac avatar freyes avatar

Watchers

avatar avatar avatar James Cloos avatar Corey Bryant avatar Liam Young avatar

Forkers

charmed-kubernetes dosaboy johnsca tpsilva gnuoy thedac

charm-interface-vault-kv's Issues

Hook error if two apps with same name are related via CMR

I think there's a conflict in the key the interface layer is choosing to identify the secrets backend for the requester. If you have one app related and working, then via CMR relate another app with the same name, the second one goes to working but with has the secrets from the first app and the first app subsequently breaks with:

Traceback (most recent call last):
  File "/var/lib/juju/agents/unit-vk-test-0/.venv/lib/python3.8/site-packages/charms/reactive/__init__.py", line 73, in main
    hookenv._run_atstart()
  File "/var/lib/juju/agents/unit-vk-test-0/.venv/lib/python3.8/site-packages/charmhelpers/core/hookenv.py", line 1334, in _run_atstart
    callback(*args, **kwargs)
  File "/var/lib/juju/agents/unit-vk-test-0/charm/reactive/vault_kv.py", line 48, in manage_app_kv_flags
    app_kv = vault_kv.VaultAppKV()
  File "lib/charms/layer/vault_kv.py", line 30, in __call__
    cls._singleton_instance = super().__call__(*args, **kwargs)
  File "lib/charms/layer/vault_kv.py", line 117, in __init__
    super().__init__()
  File "lib/charms/layer/vault_kv.py", line 38, in __init__
    response = self._client.read(self._path)
  File "lib/charms/layer/vault_kv.py", line 54, in _client
    client.auth_approle(self._config['role_id'], self._config['secret_id'])
  File "/var/lib/juju/agents/unit-vk-test-0/.venv/lib/python3.8/site-packages/hvac/v1/__init__.py", line 1523, in auth_approle
    return self.login('/v1/auth/{0}/login'.format(mount_point), json=params, use_token=use_token)
  File "/var/lib/juju/agents/unit-vk-test-0/.venv/lib/python3.8/site-packages/hvac/v1/__init__.py", line 1276, in login
    return self._adapter.login(
  File "/var/lib/juju/agents/unit-vk-test-0/.venv/lib/python3.8/site-packages/hvac/adapters.py", line 178, in login
    response = self.post(url, **kwargs)
  File "/var/lib/juju/agents/unit-vk-test-0/.venv/lib/python3.8/site-packages/hvac/adapters.py", line 107, in post
    return self.request('post', url, **kwargs)
  File "/var/lib/juju/agents/unit-vk-test-0/.venv/lib/python3.8/site-packages/hvac/adapters.py", line 342, in request
    response = super(JSONAdapter, self).request(*args, **kwargs)
  File "/var/lib/juju/agents/unit-vk-test-0/.venv/lib/python3.8/site-packages/hvac/adapters.py", line 304, in request
    utils.raise_for_error(
  File "/var/lib/juju/agents/unit-vk-test-0/.venv/lib/python3.8/site-packages/hvac/utils.py", line 47, in raise_for_error
    raise exceptions.InternalServerError(message, errors=errors, method=method, url=url)
hvac.exceptions.InternalServerError: failed to verify subset relationship between CIDR blocks on the role ["10.146.199.80/32"] and CIDR blocks on the secret ID ["10.146.199.221/32"]: <nil>, on post http://10.146.199.125:8200/v1/auth/approle/login

TypeError: must be str, not set on call to VaultKVRequires.endpoint_address()

There appears to be a typo in the requires part of this interface:

2018-10-16 13:30:14 ERROR juju-log secrets-storage:11: Hook error:
Traceback (most recent call last):
  File "/var/lib/juju/agents/unit-barbican-vault-0/.venv/lib/python3.6/site-packages/charms/reactive/__init__.py", line 73, in main
    bus.dispatch(restricted=restricted_mode)
  File "/var/lib/juju/agents/unit-barbican-vault-0/.venv/lib/python3.6/site-packages/charms/reactive/bus.py", line 390, in dispatch
    _invoke(other_handlers)
  File "/var/lib/juju/agents/unit-barbican-vault-0/.venv/lib/python3.6/site-packages/charms/reactive/bus.py", line 359, in _invoke
    handler.invoke()
  File "/var/lib/juju/agents/unit-barbican-vault-0/.venv/lib/python3.6/site-packages/charms/reactive/bus.py", line 181, in invoke
    self._action(*args)
  File "/var/lib/juju/agents/unit-barbican-vault-0/charm/reactive/barbican_vault_handlers.py", line 38, in ssc
    secrets_storage.request_secret_backend('charm-barbican-vault')
  File "/var/lib/juju/agents/unit-barbican-vault-0/charm/hooks/relations/vault-kv/requires.py", line 59, in request_secret_backend
    relation.to_publish['access_address'] = self.endpoint_address
  File "/var/lib/juju/agents/unit-barbican-vault-0/charm/hooks/relations/vault-kv/requires.py", line 45, in endpoint_address
    self.expand_name({'endpoint_name'})
  File "/var/lib/juju/agents/unit-barbican-vault-0/.venv/lib/python3.6/site-packages/charms/reactive/endpoints.py", line 190, in expand_name
    flag = 'endpoint.{endpoint_name}.' + flag
TypeError: must be str, not set

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.