Managing Vault
This feature serves all cloud service endpoints (both public and private) over TLS, using certificates issued by Vault acting as an intermediate CA under a certificate authority of your choosing. It does this by configuring the existing Traefik instances in the cloud; each Traefik instance handles either public or private cloud traffic.
Prerequisites
To use TLS Vault, you must enable the Vault feature in your cloud and unseal and authorize the Vault charm. Follow the Enable Vault guide.
Enable TLS Vault
To enable TLS Vault, you need to identify your chosen Certificate Authority by providing its CA certificate and the CA certificate chain. Both values are passed on the command line as base64-encoded PEM.
Run the following command to enable TLS Vault for public endpoints only:
sunbeam enable tls vault --ca <base64 encoded ca certificate> --ca-chain <base64 encoded ca chain>
To enable TLS Vault for the public, internal and rgw endpoints, be explicit by passing the --endpoint option once per endpoint:
sunbeam enable tls vault --ca <base64 encoded ca certificate> --ca-chain <base64 encoded ca chain> --endpoint public --endpoint internal --endpoint rgw
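The script below is an added example and is not part of the Sunbeam documentation or of the sunbeam CLI itself. It produces the two base64 arguments from PEM files and assembles the enable command, so that the encoding step (unwrapped single-line base64, which GNU base64 does not produce by default) and the endpoint names are checked before anything is run. It assumes, as its own conventions and not something this page states, that --ca holds exactly one PEM certificate and --ca-chain one or more, and that the only valid endpoint names are the three shown above.

```shell
#!/bin/sh
# Added example, not part of the Sunbeam docs or the sunbeam CLI: turn PEM
# files into the base64 arguments `sunbeam enable tls vault` expects and
# assemble the command after validating the inputs.
# Assumptions (this script's, not stated on the page): --ca holds exactly one
# PEM certificate, --ca-chain one or more, both passed as single-line base64.
set -e

# count_certs FILE: number of PEM CERTIFICATE blocks in FILE (0 if none).
count_certs() {
    [ -r "$1" ] || { echo "error: cannot read $1" >&2; return 1; }
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# pem_b64 FILE: emit FILE as single-line base64. Fails if FILE holds no PEM
# certificate. GNU base64 wraps at 76 columns and macOS base64 has no -w, so
# newlines are stripped with tr, which behaves the same on both.
pem_b64() {
    n=$(count_certs "$1") || return 1
    if [ "$n" -eq 0 ]; then
        echo "error: $1 contains no PEM certificate" >&2
        return 1
    fi
    base64 < "$1" | tr -d '\n'
}

# build_enable_cmd CA_PEM CHAIN_PEM [ENDPOINT...]: print the sunbeam command.
# With no endpoints the plain form from this page (public endpoints only) is
# built; each further argument becomes a repeated --endpoint option.
build_enable_cmd() {
    ca="$1"
    chain="$2"
    shift 2
    if [ "$(count_certs "$ca")" -ne 1 ]; then
        echo "error: --ca must hold exactly one certificate" >&2
        return 1
    fi
    ca_b64=$(pem_b64 "$ca") || return 1
    chain_b64=$(pem_b64 "$chain") || return 1
    cmd="sunbeam enable tls vault --ca $ca_b64 --ca-chain $chain_b64"
    for ep in "$@"; do
        case "$ep" in
            public|internal|rgw) cmd="$cmd --endpoint $ep" ;;
            *)
                echo "error: unknown endpoint '$ep' (expected public, internal or rgw)" >&2
                return 1 ;;
        esac
    done
    printf '%s\n' "$cmd"
}

# Usage: sh tls-vault-enable.sh ca.pem chain.pem [public internal rgw]
# Prints the command; pipe it through `sh` once the output looks right.
if [ "$#" -ge 2 ]; then
    build_enable_cmd "$@"
fi
```

The script only prints the command rather than executing it, so the encoded values can be inspected (for instance decoded again with `base64 -d` and checked with `openssl x509 -noout -text`) before the feature is enabled.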
Use TLS Vault
Before Vault can issue endpoint certificates, its own CA certificate, signed by your chosen Certificate Authority, must be provided to the Vault unit. This is covered on the Implement TLS using a third-party CA page.
Disable TLS Vault
To disable TLS Vault in the cloud, run the following command:
sunbeam disable tls vault
This command removes the manual-tls-certificates charm, stops Vault from acting as the intermediate certificate authority, and clears the external hostnames on the corresponding Traefik endpoints. All services then behave as if TLS had never been enabled.