add ssl client configs; adjust startup to make certs first

G-Research · Oct 15, 2024 · 99e14c3 · 99e14c3
1 parent 911d27e
commit 99e14c3
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 3 deletions.
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
@@ -20,7 +20,7 @@
 	"forwardPorts": [3000, 5432, 8200],
 
 	// Use 'postCreateCommand' to run commands after the container is created.
-	"postCreateCommand": "bundle install && rake db:setup && rake configure:ssl",
+	"postCreateCommand": "bundle install && rake configure:ssl && rake db:setup",
 
 	// Configure tool-specific properties.
 	// "customizations": {},

diff --git a/app/lib/clients/vault.rb b/app/lib/clients/vault.rb
@@ -15,7 +15,9 @@ def client
         ::Vault::Client.new(
           address: address,
           token: token,
-          ssl_ca_cert: ssl_cert
+          ssl_ca_cert: ssl_cert,
+          ssl_pem_file: ssl_client_cert,
+          ssl_key_file: ssl_client_key
         )
       end
 
@@ -27,6 +29,14 @@ def ssl_cert
         Config[:vault_ssl_cert]
       end
 
+      def ssl_client_cert
+        Config[:vault_ssl_client_cert]
+      end
+
+      def ssl_client_key
+        Config[:vault_ssl_client_key]
+      end
+
       def enable_engine(mount, type)
         client.sys.mount(mount, type, "#{type} secrets engine")
       end

diff --git a/config/astral.yml b/config/astral.yml
@@ -4,8 +4,11 @@ shared:
   vault_token:
   vault_addr:
   # if VAULT_ADDR is https with self-signed cert, need to provide
-  # path on disk to CA cert here
+  # CA cert (path to file)
   vault_ssl_cert:
+  # Vault client cert if required (path to file)
+  vault_ssl_client_cert:
+  vault_ssl_client_key:
 
   # Vault PKI configuration -- create root CA when true, or reference an existing
   vault_create_root: true