Request classic confinement for un-seal

pgdg99 · December 1, 2025, 5:31pm

name: un-seal
description: un-seal is a Juju helper Snap designed to automate the initialization, unsealing, and authorization of Vault applications deployed via Juju. Deploying a charmed Vault with Juju requires a specific sequence of operations to bootstrap the cluster: initializing the Vault operator, securely managing the generated unseal keys and root token, unsealing individual units, and authorizing the charm to interact with the Vault API. un-seal streamlines this workflow into a single interactive command. It is designed for security-conscious environments, supporting split-file credential storage and GPG encryption (compatible with hardware tokens such as YubiKey) to facilitate the whole process.
snapcraft: snapcraft.yaml
upstream: GitHub Repo for un-seal
upstream-relation: upstream maintainer - author
supported-category: juju helpers
reasoning: Access to Juju requires classic confinement

I understand that strict confinement is generally preferred over classic.

I’ve tried the existing interfaces to make the snap to work under strict confinement.

store-requests-bot · December 1, 2025, 6:00pm

This request has been added to the queue for review by the @reviewers team.

yomonokio · January 5, 2026, 11:07am

Even if it doesn’t fall under a known category, the snap seems like a good candidate for classic confinement, to me. What do other @reviewers think?

jslarraz · January 14, 2026, 9:15am

Hey @pgdg99

Given that juju itself uses classic confinement, the technical reasons are clear and it perfectly fits in a supported category.

However, classic confinement is a sensitive matter. I think it is very fresh and should not be considered for classic confinement as a personal project. If at some point this project becomes part of your team strategy and your team is willing to actively maintain it we can reconsider this request

Thanks for your understanding

pgdg99 · January 14, 2026, 5:09pm

Hi @jslarraz thanks for the answer,

I managed to make it work as a strict confinement snap, although it still requires some privileged interfaces:

snap connect un-seal:juju-bin juju:juju-bin
snap connect un-seal:dot-local-share-juju
snap connect un-seal:gpg-keys
snap connect un-seal:pcscd

I was wondering if there’s any possibility of allowing auto-connections for these, or at least doing the manual review so it can be published (I have already submitted the latest version) and leaving them manual.

I did the forum request: Automatic connection request for un-seal