feat: Vault autounseal

[DanielArndt]

Adds the vault-autounseal interface to the vault-k8s charm which allows any vault-k8s app to integrate with any other app that supports the vault-autounseal interface (just vault-k8s, for now). This enables autounseal for the requirer side of the relation.

Caveats / Consequences

The biggest thing to note here, and we can discuss further if necessary, is that there is no way to migrate from autounseal back to manual unseal in this implementation.

• Manual unseal -> Auto unseal works as expected
• Auto unseal -> Manual unseal works only if you didn't run the command to migrate to auto-unseal. i.e. you integrated the two apps, but maybe you made a mistake so you remove the relation without running vault unseal -migrate ...

The reason this wasn't straightforward to implement is because to remove auto-unseal, you need to

1. Add a disabled = true key-value to the transit stanza
2. Reboot vault
3. Run the vault unseal -migrate commands
4. (optional): remove the transit stanza

In order to implement this we would need to create a new action that stores some state in the charm so that it knows to keep the disabled = true key-value in the config. We can't do this after the relation is removed, and we can't do this while the relation is being removed (because we would need to stop and wait for the user to do something).

For now, we keep the auto-unseal key so that it could theoretically be restored, although there is no process to do this yet.

Usage / Testing

Deploy two vaults:

juju deploy ./vault-k8s_ubuntu-22.04-amd64.charm vault-a --trust -n 1 --resource=vault-image=ghcr.io/canonical/vault:1.15.6
juju deploy ./vault-k8s_ubuntu-22.04-amd64.charm vault-b --trust -n 1 --resource=vault-image=ghcr.io/canonical/vault:1.15.6

Initialize and unseal one of the vaults

vault_app_ip=...
VAULT_ADDR="https://${vault_app_ip}:8200"
export VAULT_ADDR
vault operator init | tee vault-a-init.txt
export VAULT_TOKEN=$(awk '/Root Token/ { print $4}' vault-a-init.txt)
head vault-a-init.txt -n3 | cut -d' ' -f 4 | xargs -L1 vault operator unseal

Authorize the Vault charm

juju run vault-a/leader authorize-charm token="$(awk '/Root Token/ { print $4}' vault-a-init.txt)"

Integrate the two vaults

juju integrate vault-a:vault-autounseal-provides vault-b:vault-autounseal-requires

Initialize vault-b

vault_app_ip=...
VAULT_ADDR="https://${vault_app_ip}:8200"
export VAULT_ADDR
vault operator init | tee vault-b-init.txt

Scale vault-b and watch it autounseal

juju scale-application vault-b 2

Checklist:

• My code follows the style guidelines of this project
• I have performed a self-review of my own code
• I have made corresponding changes to the documentation
• I have added tests that validate the behaviour of the software
• I validated that new and existing unit tests pass locally with my changes
• Any dependent changes have been merged and published in downstream modules

[gruyaume]

This is a preliminary review. Overall I think this looks good, I got some questions/concerns around the token renewal and expiry process, the fact that we ask users to unseal their Vault B plus a couple of nits around typing and docstrings.

[gruyaume]

Do those helpers belong in this lib?

[DanielArndt]

I guess the alternative would be to make the charm pass in the name of each of them (key name, policy name, approle name)? I felt like this kept the interface a little cleaner, and since it is an internal lib, we're not beholden to it.

Do you think it makes more sense to pass each one of these in as a parameter?

[gruyaume]

I don't have a strong opinion on this, like you said, this is only be used by the charms so it's not so bad if it's charm specific.

[kayra1]

I think this belongs in the autounseal library. KV also has its own format for approles, and it doesn't make sense to have both of them here when it's just KV and autounseal that will be using these functions.

We should put functions that are expected to be used by more than 1 dependent in this lib IMO.

[gruyaume]

I don't have a strong opinion on this, like you said, this is only be used by the charms so it's not so bad if it's charm specific.

[gruyaume]

Why aren't we using a file/template like we do for the other hcl content?

[DanielArndt]

Hmm, somehow I got in my head this is how we dealt with the dynamic policies and I was just trying to be consistent. I can see now that isn't the case. Weird. Brain glitch. I'll fix.

[gruyaume]

Why have this outside of the render_vault_config_file? If we do this for the transit stanza, why not for the other stanzas? Wouldn't it be cleaner to have 1 approach to managing this file?

[DanielArndt]

You're right, it probably does belong there.

[gruyaume]

Are there cases where we won't have a ca cert for this?

[gruyaume]

Return typing is missing

[gruyaume]

VaultAutounsealDestroy is probably not a great event name, what happened is not that vault autounseal was destroyed, what happened is that the relation to the vault autounseal requirer was broken.

Now what the Vault autounseal provider does when this event occurs is someting else.

[kayra1]

I like this as a guide to naming these things: https://juju.is/docs/juju/removing-things#heading--removal-terms

[gruyaume]

Following the conversation about docstrings, there are likely a couple of them that could be improved and others that could be removed.

[kayra1]

I'm not fully onboard with the way these changes are structured, and I've made the comments below, but I also think this is a very comprehensive change that is hard to get perfect so I'm ok with not requesting changes and iteratively improving it in the future.

[kayra1]

functions like this don't really make sense to have in a client library imo. It could make sense in the context of autounseal, but for someone reading this library, it just looks like extra words for str()

[kayra1]

We now have both _configure_autounseal_policy and _configure_policy.
We should either have a generic function called _configure_policy that every consumer customizes for itself in its own file, or 3 functions called:

• _configure_autounseal_policy,
• _configure_charm_policy
• _configure_kv_policy,
  but not both.

[kayra1]

functions that do something to the client make sense to have in this file, but the naming doesn't make sense to me.

The function name is create_autounseal_key, but the function itself is creating a transit key. As far as vault is concerned, the autounseal function isn't even mentioned in the transit secrets engine page.

To me, this is not good separation of concerns.

What I would prefer is to name this function create_transit_key, and in the autounseal library a function called create_unseal_key that gets the autounseal key name and calls create_transit_key.

[kayra1]

with the changes I suggested above, this function could be moved to the autounseal library, and each of the direct _client calls here should be a public function from vault_client.

This applies to most functions with autounseal in their names.

[saltiyazan]

I feel like this function is doing a bit more than just adding new config options to the config content it receives, it basically is doing all the configuration that is needed for the autounseal requirer, for example pushing the CA cert and authenticating agains the provider vault.

[saltiyazan]

Why is the restart needed?

[saltiyazan]

I mean why this does, but a change in the config file not related to the transit stanza doesn't?