Managing Vault
==============

This feature is used to encrypt all cloud service endpoints (both public
and private) using TLS certificates generated by Vault, which acts as an intermediary CA.
It does this by interfacing with the existing Traefik instances in the
cloud. A Traefik instance is associated with either public or private
cloud traffic.

Prerequisites
-------------

To use TLS Vault, you must enable the Vault feature in your cloud and unseal and authorize the Vault charm.
Follow this guide :doc:`Enable Vault </how-to/features/vault>`.

Enable TLS Vault
----------------

To enable TLS Vault, you’ll need to provide information that identifies your
chosen Certificate Authority. Do this by specifying a CA certificate and
its CA certificate chain.

Run the following command to enable TLS Vault for public endpoints:

::

   sunbeam enable tls vault --ca <base64 encoded ca certificate> --ca-chain <base64 encoded ca chain>

To enable TLS Vault for public, internal and rgw endpoints, be explicit by
using the ``--endpoint`` option:

::

   sunbeam enable tls vault --ca <base64 encoded ca certificate> --ca-chain <base64 encoded ca chain> --endpoint public --endpoint internal --endpoint rgw

Use TLS Vault
-------------

TLS certificates must now be provided to the Vault unit. This is
covered on the :doc:`Implement TLS using a third-party CA
</how-to/features/managing-tls/implement-tls-using-a-third-party-ca>` page.

Disable TLS Vault
-----------------

To disable TLS Vault in the cloud, run the following command:

::

   sunbeam disable tls vault

This command removes the `manual-tls-certificates` charm and removes Vault from being the intermediary certificate authority, as well as, clear the `external hostnames` on the corresponding Traefik endpoints. All services will work as if TLS was never enabled.