vault-charm:stable/18.05

Last commit made on 2019-04-19
Get this branch:
git clone -b stable/18.05 https://git.launchpad.net/vault-charm

Branch information

Name:
stable/18.05
Repository:
lp:vault-charm

Recent commits

5df2842... by OpenDev Sysadmins <email address hidden>

OpenDev Migration Patch

This commit was bulk generated and pushed by the OpenDev sysadmins
as a part of the Git hosting and code review systems migration
detailed in these mailing list posts:

http://lists.openstack.org/pipermail/openstack-discuss/2019-March/003603.html
http://lists.openstack.org/pipermail/openstack-discuss/2019-April/004920.html

Attempts have been made to correct repository namespaces and
hostnames based on simple pattern matching, but it's possible some
were updated incorrectly or missed entirely. Please reach out to us
via the contact information listed at https://opendev.org/ with any
questions you may have.

6383942... by Liam Young

Use v2 api when talking to etcd

Use the etcd v2 api when talking to vault because there is a bug
in the client which causes vault to be inaccessible if the first
etcd unit goes down.

Change-Id: Iadbfcb9998d029cc6cf599008c124960993acb4e
Closes-Bug: 1782620

4955be7... by Liam Young

Vault version in snap store may not start with 'v'

The nagios check that checks the snap store version matches the
deployed version assumes that the version info in the snap store starts
with a 'v'. If it doesn't, it returns None. This fixes that.

Change-Id: I89f56866c78b286e7d07b43432d56aa41a0c2eb9
(cherry picked from commit e0030882773aaa18078d8dc1d1eab122ebafcd2f)

b0fb406... by David Ames

Updates for stable branch creation

Set default branch for git review/gerrit.

Switch amulet tests to stable.

Switch to using stable charm-helpers branch.

Change-Id: I1268a78585744305639b0638661ba784c00fe689

ebb0334... by Liam Young

Add support for tls-certificates interface

To use the tls-certificates interface clients relate to the vault
charm. If the charm's CA is not ready yet the charm will not update
the relation data. To prepare the CA an operator needs to run the
get_csr action to retrieve the csr for the intermediate ca the charm
has prepared. The operator should sign the csr with the root CA and
then upload the root CA cert and signed csr to the vault charm via
the upload-signed-csr action. Running this action will trigger the
vault charm to process any outstanding certificate requests and to
update the relation data accordingly.

The update includes:

* New action get_csr to retrieve a csr for the intermediate ca for
  the charm pki
* New action upload-signed-csr to upload a signed intermediate csr
* Charm now provides tls-certificates interface
* Update vault access acl to allow charm full access to charm-pki-*.
  Currently the only pki mount point the charm uses is
  charm-pki-local
* Various generic helpers to lib.charm.vault
* New module lib.charm.vault_pki which handles interactions between
  the charm and the vault pki api
* Add handler to reactive.vault_handlers for reacting to certificate
  requests

Depends-On: I6222e5eb9c8a0a5f079ecc2e5e5c97abc1c39515
Change-Id: I1681b9f2defcfbf7c06ede83c88c507dcf92a7ce
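The operator's step in the procedure above (sign the intermediate CSR that get_csr returns, then hand the root CA cert and the signed CSR back through upload-signed-csr) as an added example. This is not code from the vault charm; it shells out to the openssl CLI, which is assumed to be installed. The CSR it signs is a constructed stand-in generated locally, since in a real deployment the CSR comes from get_csr and its private key never leaves Vault. The parameter names of upload-signed-csr are not stated on this page and are not assumed here.

```python
"""Sign the charm's intermediate CSR with an offline root CA, constraining
the issued certificate so it can only sign end-entity certificates."""
import os
import subprocess
import tempfile

# Extensions for the intermediate. pathlen:0 stops the charm's CA from
# minting further CAs; keyUsage limits the key to cert/CRL signing.
INTERMEDIATE_EXTENSIONS = """\
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
"""


def _openssl(*args):
    """Run one openssl subcommand and return its stdout (raises on failure)."""
    return subprocess.run(["openssl", *args], check=True,
                          capture_output=True, text=True).stdout


def make_root_ca(workdir, cn="Example Root CA"):
    """Throwaway root CA; in production this key stays offline."""
    key = os.path.join(workdir, "root.key")
    cert = os.path.join(workdir, "root.crt")
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-sha256",
             "-days", "3650", "-subj", "/CN=" + cn, "-keyout", key, "-out", cert)
    return key, cert


def make_stand_in_csr(workdir, cn="Vault Intermediate CA"):
    """Constructed stand-in for the CSR the get_csr action would return."""
    key = os.path.join(workdir, "intermediate.key")
    csr = os.path.join(workdir, "intermediate.csr")
    _openssl("req", "-new", "-newkey", "rsa:2048", "-nodes", "-sha256",
             "-subj", "/CN=" + cn, "-keyout", key, "-out", csr)
    return csr


def sign_intermediate_csr(csr_path, root_key, root_cert, out_path, days=1825):
    """Issue the intermediate cert and refuse to return it unless it
    verifies against the root it was just signed with."""
    with tempfile.NamedTemporaryFile("w", suffix=".ext", delete=False) as ext:
        ext.write(INTERMEDIATE_EXTENSIONS)
    try:
        _openssl("x509", "-req", "-in", csr_path, "-CA", root_cert,
                 "-CAkey", root_key, "-CAcreateserial", "-days", str(days),
                 "-sha256", "-extfile", ext.name, "-out", out_path)
    finally:
        os.unlink(ext.name)
    _openssl("verify", "-CAfile", root_cert, out_path)
    return out_path


def is_constrained_intermediate(cert_path):
    """True only if the cert carries the CA:TRUE, pathlen:0 constraint and
    a cert-signing key usage, i.e. what the charm's CA should look like."""
    text = _openssl("x509", "-in", cert_path, "-noout", "-text")
    return "CA:TRUE, pathlen:0" in text and "Certificate Sign" in text


def demo(workdir=None):
    """End to end: root CA, stand-in CSR, signed and checked intermediate.
    The two paths returned are what upload-signed-csr needs."""
    workdir = workdir or tempfile.mkdtemp(prefix="charm-pki-")
    root_key, root_cert = make_root_ca(workdir)
    csr = make_stand_in_csr(workdir)
    cert = sign_intermediate_csr(csr, root_key, root_cert,
                                 os.path.join(workdir, "intermediate.crt"))
    return {"root_ca": root_cert, "signed_csr": cert,
            "constrained": is_constrained_intermediate(cert)}


if __name__ == "__main__":
    print(demo())
```

The pathlen:0 constraint is the check worth keeping: a charm-held intermediate that could itself issue CAs would turn a compromise of the Vault unit into a compromise of the whole trust chain, and `openssl x509 -req` without an extension file issues an end-entity certificate that Vault cannot use as a CA at all.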

9c78a51... by Zuul <email address hidden>

Merge "Use secret_id's with vault-kv relation"

ea1910f... by James Page

Disable mlock when running in containers

It's not possible to use mlock when running vault inside a
container; automatically disable vault mlock when this is
detected.

mlock status is now always reflected in juju status output
for full transparency.

Change-Id: I57cf1d19e2783ec41e2d37cb4300a55828212cc3
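The decision described above (keep mlock unless Vault is running inside a container, and make the result visible to the operator) as an added example. This is not the charm's own code: the container detection heuristics (/.dockerenv, a `container=` variable in PID 1's environment as LXD and systemd-nspawn set it, docker or lxc paths in /proc/1/cgroup) are this example's assumptions, the status wording is made up, and the host facts used in the usage at the bottom are read live but can be constructed. `disable_mlock` is Vault's real top-level configuration key.

```python
"""Decide whether Vault may mlock, render the matching config line, and
surface the one caveat that matters when it cannot: active swap."""
import os

# cgroup v1 style paths seen from inside common container runtimes.
CGROUP_MARKERS = ("/docker/", "/lxc/", "/lxc.payload", "/kubepods")


def looks_like_container(cgroup_text, pid1_environ, dockerenv_present):
    """Pure decision function so callers (and tests) supply the facts."""
    if dockerenv_present or pid1_environ.get("container"):
        return True
    # Inside a cgroup v2 namespace /proc/1/cgroup is just '0::/', so this
    # last check only helps on cgroup v1 hosts.
    return any(marker in cgroup_text for marker in CGROUP_MARKERS)


def swap_is_active(proc_swaps_text):
    """/proc/swaps has one header line; any further line is an active swap."""
    return len([l for l in proc_swaps_text.splitlines() if l.strip()]) > 1


def read_host_facts():
    """Collect the inputs from the running host (PID 1's environ needs root;
    unreadable files simply yield empty facts)."""
    def read(path, mode="r"):
        try:
            with open(path, mode) as f:
                return f.read()
        except OSError:
            return "" if mode == "r" else b""
    environ = {}
    for item in read("/proc/1/environ", "rb").split(b"\0"):
        if b"=" in item:
            k, v = item.split(b"=", 1)
            environ[k.decode(errors="replace")] = v.decode(errors="replace")
    return {"cgroup": read("/proc/1/cgroup"), "environ": environ,
            "dockerenv": os.path.exists("/.dockerenv"),
            "swaps": read("/proc/swaps")}


def render_vault_config(disable_mlock):
    """The Vault config fragment; everything else in vault.hcl is unaffected."""
    return "disable_mlock = {}\n".format("true" if disable_mlock else "false")


def mlock_status(disable_mlock, swap_active):
    """Operator-facing status. With mlock off, Vault's key material can be
    paged out, so active swap on the host is the thing to flag."""
    if not disable_mlock:
        return "mlock: enabled"
    if swap_active:
        return "mlock: disabled (container), swap is active: keys may be written to disk"
    return "mlock: disabled (container), no swap configured"


def decide(facts):
    disable = looks_like_container(facts["cgroup"], facts["environ"], facts["dockerenv"])
    return {"config": render_vault_config(disable),
            "status": mlock_status(disable, swap_is_active(facts["swaps"]))}


if __name__ == "__main__":
    print(decide(read_host_facts()))
```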

30a3a2f... by James Page

auto-unlock: Use correct key for root token

Align retrieval name for auto-unlocked root token with consuming
code, fixing issues with auto-unlock mode.

Store local charm access approle id for subsequent charm use.

Change-Id: Ie50a46db2f6a5f7a5a181372743e1c03d7868778

dbbf4d9... by James Page

auto-unlock: make things clear about security

Rename auto-unlock configuration option to make things clear to
CLI users that this really is a totally insecure deployment
option!

Change-Id: I47726c65698bea1c35766d5c3ef16befad8ec72d

3b0e793... by James Page

Use secret_id's with vault-kv relation

In order to tighten the security around access to secrets stored
in a Vault KV secrets backend, generate a secret_id for each
accessing unit, using a response wrapping token which is passed
over the relation to the consuming application.

The consuming application will then use this token out-of-band of
Juju to retrieve the secret_id associated with the AppRole ID
directly from Vault.

Add a new action 'refresh-secrets' to force a renewal of secret_id's
and associated one-shot retrieval tokens across a deployment.

A token is only issued when a new approle is created or when
a refresh is initiated via the 'refresh-secrets' action.

Change-Id: I2cd173514377d65542ea4fa67ccf700ea4b6ab89
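The consumer side of the secret_id hand-off described above, as an added example that is neither the vault charm's nor Vault's own code. It runs against a minimal in-memory stand-in for the two Vault endpoints involved, so it works offline. Assumed rather than stated on the page: the relation carries the AppRole's role_id together with the response-wrapping token, the consumer calls Vault's real endpoints `POST /v1/sys/wrapping/unwrap` (wrapping token in the X-Vault-Token header) and `POST /v1/auth/approle/login`, and refresh-secrets revokes the previous secret_ids when it issues new ones. Token formats are made up.

```python
"""Unwrap a one-shot wrapping token to obtain a secret_id, log in with the
AppRole, and show why a used or refreshed token stops working."""
import secrets


class FakeVault:
    """In-memory stand-in: enough state to show why a response wrapping
    token is safer to pass over a relation than the secret_id itself."""

    def __init__(self):
        self._wrapped = {}   # wrapping token -> payload; deleted on first unwrap
        self._roles = {}     # role_id -> set of currently valid secret_ids

    # --- provider side: what the vault charm does per consuming unit ---
    def create_approle(self):
        role_id = secrets.token_hex(8)
        self._roles[role_id] = set()
        return role_id

    def issue_wrapped_secret_id(self, role_id):
        """Generate a secret_id and return only a single-use token for it."""
        secret_id = secrets.token_hex(16)
        self._roles[role_id].add(secret_id)
        wrapping_token = "wrap-" + secrets.token_hex(12)
        self._wrapped[wrapping_token] = {"secret_id": secret_id}
        return wrapping_token

    def refresh_secrets(self, role_id):
        """Model of the refresh-secrets action (assumption: earlier
        secret_ids for the role are revoked when a new one is issued)."""
        self._roles[role_id].clear()
        return self.issue_wrapped_secret_id(role_id)

    # --- the HTTP API as the consumer sees it (status, JSON body) ---
    def request(self, method, path, headers=None, json=None):
        headers, json = headers or {}, json or {}
        if (method, path) == ("POST", "/v1/sys/wrapping/unwrap"):
            payload = self._wrapped.pop(headers.get("X-Vault-Token"), None)
            if payload is None:
                return 400, {"errors": ["wrapping token is not valid or does not exist"]}
            return 200, {"data": payload}
        if (method, path) == ("POST", "/v1/auth/approle/login"):
            if json.get("secret_id") not in self._roles.get(json.get("role_id"), ()):
                return 400, {"errors": ["invalid role or secret ID"]}
            return 200, {"auth": {"client_token": "s." + secrets.token_hex(12)}}
        return 404, {"errors": []}


# --- consumer side: what the related charm does out-of-band of Juju ---
class VaultAuthError(RuntimeError):
    pass


def unwrap_secret_id(vault, wrapping_token):
    status, body = vault.request("POST", "/v1/sys/wrapping/unwrap",
                                 headers={"X-Vault-Token": wrapping_token})
    if status != 200:
        # A failed unwrap of a token you have never used means someone else
        # used it first: treat it as a compromise signal, not a retry case.
        raise VaultAuthError("unwrap failed: " + "; ".join(body["errors"]))
    return body["data"]["secret_id"]


def approle_login(vault, role_id, secret_id):
    status, body = vault.request("POST", "/v1/auth/approle/login",
                                 json={"role_id": role_id, "secret_id": secret_id})
    if status != 200:
        raise VaultAuthError("login failed: " + "; ".join(body["errors"]))
    return body["auth"]["client_token"]


def consume_relation(vault, role_id, wrapping_token):
    """Full consumer flow: unwrap exactly once, then authenticate."""
    return approle_login(vault, role_id, unwrap_secret_id(vault, wrapping_token))


def demo():
    """Walk the exchange and record what a consumer should expect to see."""
    vault = FakeVault()
    role_id = vault.create_approle()
    token = vault.issue_wrapped_secret_id(role_id)
    results = {}
    secret_id = unwrap_secret_id(vault, token)
    results["login_ok"] = approle_login(vault, role_id, secret_id).startswith("s.")
    try:                                   # the wrapping token is single-use
        unwrap_secret_id(vault, token)
        results["replay_rejected"] = False
    except VaultAuthError:
        results["replay_rejected"] = True
    new_token = vault.refresh_secrets(role_id)
    try:                                   # old secret_id dies with the refresh
        approle_login(vault, role_id, secret_id)
        results["old_secret_id_revoked"] = False
    except VaultAuthError:
        results["old_secret_id_revoked"] = True
    results["relogin_after_refresh_ok"] = consume_relation(
        vault, role_id, new_token).startswith("s.")
    return results


if __name__ == "__main__":
    print(demo())
```

The property to keep in mind when reading relation data in Juju: anything written there is visible to every unit on the relation and to anyone who can read the controller's database, which is why only the one-shot wrapping token crosses it and the consumer must unwrap it itself rather than trust a secret_id that arrived in the clear.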