fix: update mount related information
Vault documentation refers to kv_mountpoint as `mounts`, let's reflect
that in the relation data.

A `mount` shall respect the following pattern:
charm-<requirer app>-<user provided suffix>
gboutry committed Aug 23, 2023
1 parent 7f28925 commit bb21a09
Showing 4 changed files with 20 additions and 17 deletions.
8 changes: 4 additions & 4 deletions docs/json_schemas/vault_kv/v0/provider.json
Expand Up @@ -56,9 +56,9 @@
"description": "The URL of the Vault server to connect to.",
"type": "string"
},
"kv_mountpoint": {
"title": "Kv Mountpoint",
"description": "The mountpoint of the KV store to use.",
"mount": {
"title": "Mount",
"description": "The KV mount available for the requirer application, respecting the pattern 'charm-<requirer app>-<user provided suffix>'.",
"type": "string"
},
"credentials": {
Expand All @@ -73,7 +73,7 @@
},
"required": [
"vault_url",
"kv_mountpoint",
"mount",
"credentials"
]
}
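Review bot: renaming a key inside the `required` list of a v0 schema is a breaking change for any requirer already consuming this interface, because a provider databag that still carries `kv_mountpoint` now fails validation on the missing `mount` key. Since the version directory stays `v0`, either say in the README that v0 consumers must be updated in lockstep, or consider whether this rename belongs in a new interface version rather than an in-place edit of v0.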
6 changes: 3 additions & 3 deletions docs/json_schemas/vault_kv/v0/requirer.json
Expand Up @@ -30,9 +30,9 @@
"title": "AppVaultKvProviderSchema",
"type": "object",
"properties": {
"secret_backend": {
"title": "Secret Backend",
"default": "The name of the secret backend to use.",
"mount_suffix": {
"title": "Mount Suffix",
"default": "Suffix to append to the mount name to get the KV mount.",
"type": "string"
}
}
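Review bot: `"default"` is carrying descriptive text here, so `mount_suffix` now has the sentence `Suffix to append to the mount name to get the KV mount.` as its default value; a requirer that omits the field validates and, following the pattern in provider.json, would end up with a mount named `charm-<app>-Suffix to append to the mount name to get the KV mount.`. This should be `"description"`. The same defect is present in the `secret_backend` entry being replaced, so it is inherited, but this commit is the place to fix it (the generated file mirrors the positional `Field("...")` call in schema.py). Separately, the object in the requirer schema is titled `AppVaultKvProviderSchema`, which is misleading for a requirer-side databag.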
14 changes: 6 additions & 8 deletions interfaces/vault_kv/v0/README.md
Expand Up @@ -8,8 +8,8 @@ Some charms require a secure key value store. This relation interface describes

```mermaid
flowchart TD
Requirer -- secret_backend, egress_subnet --> Provider
Provider -- vault_url, kv_mountpoint, credentials --> Requirer
Requirer -- mount_suffix, egress_subnet --> Provider
Provider -- vault_url, mount, credentials --> Requirer
```

## Behavior
Expand All @@ -21,20 +21,18 @@ Both the Requirer and the Provider need to adhere to criteria to be considered c
Provider expectations

- Must provide the vault url
- Must provide a key value mountpoint
- Must provide a key value mount, the mount name shall respect the following pattern: charm-<requirer app>-<user provided suffix>
- Must provide a role_id and role_secret_id for each unit, with access protected by unit's egress_subnet

### Requirer

Requirer expectations

- Must provide a secret backend name, which must start with "charm-"
- Must provide a mount suffix
- Must provide an egress subnet for each unit used to protect access to the secret backend

## Relation Data

Describe the contents of the databags, and provide schemas for them.

[\[Pydantic Schema\]](./schema.py)

#### Example
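Review bot: the Requirer section drops the old constraint that the backend name must start with `charm-`, but adds no constraint on `mount_suffix`, even though the provider now embeds that suffix in a Vault mount path. State the allowed character set for the suffix (and exclude path separators) so a requirer cannot supply a value that takes the resulting mount outside the `charm-<requirer app>-` namespace the provider promises. Two smaller points in the same hunk: `Must provide a key value mount, the mount name shall respect the following pattern: ...` is a comma splice and reads better as two sentences or with a semicolon, and the second Requirer bullet still says `protect access to the secret backend`, the term this commit retires in favour of `mount`.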
Expand All @@ -43,7 +41,7 @@ Describe the contents of the databags, and provide schemas for them.
provider:
app:
vault_url: http://10.152.183.104:8200
kv_mountpoint: charm-barbican
mount: charm-barbican-secrets
credentials: |
{
"barbican-0": {
Expand All @@ -58,7 +56,7 @@ provider:
unit: {}
requirer:
app:
secret_backend: charm-barbican
mount_suffix: secrets
unit:
barbican-0:
egress_subnet: 10.1.166.206/32
9 changes: 7 additions & 2 deletions interfaces/vault_kv/v0/schema.py
Expand Up @@ -25,14 +25,19 @@ class CredentialsSchema(BaseModel):

class VaultKvProviderSchema(BaseModel):
vault_url: str = Field(description="The URL of the Vault server to connect to.")
kv_mountpoint: str = Field(description="The mountpoint of the KV store to use.")
mount: str = Field(
description=(
"The KV mount available for the requirer application, "
"respecting the pattern 'charm-<requirer app>-<user provided suffix>'."
)
)
credentials: Json[CredentialsSchema] = Field(
description="The credentials to use to authenticate to Vault."
)


class AppVaultKvProviderSchema(BaseModel):
secret_backend: str = Field("The name of the secret backend to use.")
mount_suffix: str = Field("Suffix to append to the mount name to get the KV mount.")


class UnitVaultKvRequirerSchema(BaseModel):
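Review bot: `Field("Suffix to append to the mount name to get the KV mount.")` passes the string as pydantic's positional `default` argument, not `description`, so the generated requirer.json emits a `"default"` and a requirer that omits `mount_suffix` validates with that sentence as its suffix. Write it as `mount_suffix: str = Field(description="Suffix to append to the mount name to get the KV mount.")`, matching the keyword style already used for `vault_url` and `mount` in the provider schema above. While here, consider a `regex`/`pattern` constraint (depending on the pydantic version in use) on both `mount_suffix` and `mount` so the `charm-<requirer app>-<user provided suffix>` pattern that the description promises is enforced by the schema rather than only documented. The class is also still named `AppVaultKvProviderSchema` although the unit-level class in the trailing context is `UnitVaultKvRequirerSchema`; it looks like it should be `AppVaultKvRequirerSchema`.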