From 99e14c3bf1e115532cd8fd291db5d0a5fc2580c2 Mon Sep 17 00:00:00 2001
From: Geoff Wilson
Date: Tue, 15 Oct 2024 15:38:13 -0400
Subject: [PATCH] add ssl client configs; adjust startup to make certs first
---
 .devcontainer/devcontainer.json | 2 +-
 app/lib/clients/vault.rb | 12 +++++++++++-
 config/astral.yml | 5 ++++-
 3 files changed, 16 insertions(+), 3 deletions(-)
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
index f76ca12..32783cd 100644
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -20,7 +20,7 @@
 "forwardPorts": [3000, 5432, 8200],
 // Use 'postCreateCommand' to run commands after the container is created.
- "postCreateCommand": "bundle install && rake db:setup && rake configure:ssl",
+ "postCreateCommand": "bundle install && rake configure:ssl && rake db:setup",
 // Configure tool-specific properties.
 // "customizations": {},
diff --git a/app/lib/clients/vault.rb b/app/lib/clients/vault.rb
index 8e34749..10ec7d9 100644
--- a/app/lib/clients/vault.rb
+++ b/app/lib/clients/vault.rb
@@ -15,7 +15,9 @@ def client
 ::Vault::Client.new(
 address: address,
 token: token,
- ssl_ca_cert: ssl_cert
+ ssl_ca_cert: ssl_cert,
+ ssl_pem_file: ssl_client_cert,
+ ssl_key_file: ssl_client_key
 )
 end
@@ -27,6 +29,14 @@ def ssl_cert
 Config[:vault_ssl_cert]
 end
+ def ssl_client_cert
+ Config[:vault_ssl_client_cert]
+ end
+
+ def ssl_client_key
+ Config[:vault_ssl_client_key]
+ end
+
 def enable_engine(mount, type)
 client.sys.mount(mount, type, "#{type} secrets engine")
 end
diff --git a/config/astral.yml b/config/astral.yml
index 96b89dc..b64806a 100644
--- a/config/astral.yml
+++ b/config/astral.yml
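Review bot: The `ssl_key_file: ssl_client_key` option added to `::Vault::Client.new` in the `client` hunk is, as far as I recall, not an option the vault gem recognises — `Vault::Configurable.keys` has `ssl_pem_file`/`ssl_pem_contents`/`ssl_pem_passphrase` (the PEM is expected to hold both the certificate and its key) and `Client#initialize` silently ignores keys outside that list, so the separate key path would be dropped and only the cert file handed to the TLS layer, which either raises when it parses the key or never presents a client identity. Please confirm against the gem version pinned in Gemfile.lock; if it holds, have `configure:ssl` write a combined cert+key PEM and pass just `ssl_pem_file: ssl_client_cert`, or build the cert/key objects explicitly from the two files. A one-line comment above the call such as `# mTLS client identity for Vault; ssl_pem_file expects one PEM containing both cert and key` would keep the next reader from reintroducing a key option. The `def client` line sits in the hunk header, so the method's signature is just outside the hunk while its body is complete within it.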
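Review bot: The new accessors `ssl_client_cert` and `ssl_client_key` carry no documentation, and unlike the existing `ssl_cert`, nothing says they return file paths or that one of them points at private-key material that the rest of the app should never log or expose. I would add `# Path to the PEM client certificate presented to Vault (nil when mTLS is not configured)` above `ssl_client_cert` and `# Path to the private key for ssl_client_cert — secret material, read only by the Vault client; keep it out of the repo` above `ssl_client_key`. Both methods are complete within the hunk.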
@@ -4,8 +4,11 @@ shared:
 vault_token:
 vault_addr:
 # if VAULT_ADDR is https with self-signed cert, need to provide
- # path on disk to CA cert here
+ # CA cert (path to file)
 vault_ssl_cert:
+ # Vault client cert if required (path to file)
+ vault_ssl_client_cert:
+ vault_ssl_client_key:
 # Vault PKI configuration -- create root CA when true, or reference an existing
 vault_create_root: true
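Review bot: The comment `# Vault client cert if required (path to file)` above the two new keys does not say when the cert is required or that `vault_ssl_client_key` names a private key, so an operator filling in this file has little to go on. I would replace it with `# Client cert and private key (paths to files) presented to Vault when its listener enforces mTLS; leave both blank otherwise and never commit a real key here`. Since the Ruby side appears to pass these values straight into the Vault client, it is also worth stating that the keys should be left blank rather than set to an empty string, which may be treated as a path — confirm that against the gem's handling of `ssl_pem_file`.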