~barryprice/vault-charm/+git/vault-charm:master

Last commit made on 2018-06-01
Get this branch:
git clone -b master https://git.launchpad.net/~barryprice/vault-charm/+git/vault-charm

Recent commits

d04f2e2... by Barry Price

Return the snap version regardless of its prefix

9c78a51... by Zuul

Merge "Use secret_id's with vault-kv relation"

ea1910f... by James Page

Disable mlock when running in containers

It's not possible to use mlock when running vault inside a
container; automatically disable vault mlock when this is
detected.

mlock status is now always reflected in juju status output
for full transparency.

Change-Id: I57cf1d19e2783ec41e2d37cb4300a55828212cc3

30a3a2f... by James Page

auto-unlock: Use correct key for root token

Align retrieval name for auto-unlocked root token with consuming
code, fixing issues with auto-unlock mode.

Store local charm access approle id for subsequent charm use.

Change-Id: Ie50a46db2f6a5f7a5a181372743e1c03d7868778

dbbf4d9... by James Page

auto-unlock: make things clear about security

Rename auto-unlock configuration option to make things clear to
CLI users that this really is a totally insecure deployment
option!

Change-Id: I47726c65698bea1c35766d5c3ef16befad8ec72d

3b0e793... by James Page

Use secret_id's with vault-kv relation

In order to tighten the security around access to secrets stored
in a Vault KV secrets backend, generate a secret_id for each
accessing unit, using a response wrapping token which is passed
over the relation to the consuming application.

The consuming application will then use this token out-of-band of
Juju to retrieve the secret_id associated with the AppRole ID
directly from Vault.

Add a new action 'refresh-secrets' to force a renewal of secret_id's
and associated one-shot retrieval tokens across a deployment.

A token is only issued when a new approle is created or when
a refresh is initiated via the 'refresh-secrets' action.

Change-Id: I2cd173514377d65542ea4fa67ccf700ea4b6ab89

28fb89a... by James Page

Add support for new secrets:vault-kv interface

Provide implementation for the provides endpoint of the vault-kv
typed interface.

This interface type will setup a KV secret backend and create an
approle and policy to allow remote services to access the backend
using the Vault API.

Backends may be shared between remote units, allowing any unit to
access any value in the backend, or may be isolated between units
based on path suffixing using the unit's hostname so that stored
secrets are not visible between units of a deployment.

Change-Id: Id8fa1cbe33feccc9c2f06a61db22453d7830730d

34714a9... by James Page

Misc tidy post major changes

Restore setting of flag 'configured' once vault has had an initial
configuration set.

Drop @when_not('configured') as we always want to rewrite the
vault configuration file - but we only restart it when it's changed
now!

Drop handlers for etcd states - really not needed as configuration
is no longer guarded with @when_not('configured').

Add missing patch for service enable call in configure function.

Change-Id: Ia335c3a711cf371c42483ae86980b256a07ad21d

cb5c243... by Liam Young

Add auto-unlock option

The auto-unlock option initialises vault and stores the keys and
root token in the leadership database. This option should
only be used in testing as it is probably undesirable to
store the vault keys in the leader db from a security pov.

Change-Id: I10ec2f009920acf47f5353f6f947520514350bc0

5d16f80... by Liam Young

Add action to allow charm to make calls to vault

Add an action which can be run after vault has been manually
initialised and unsealed. The action creates a role that allows
localhost calls.

Change-Id: I042b49248db32e6e9a7814c74d8c25939918d0ce