From e858898a539851ba627720ea1a63ff34802b849d Mon Sep 17 00:00:00 2001 From: Geoff Wilson Date: Tue, 8 Oct 2024 22:26:23 -0400 Subject: [PATCH 01/13] added support for configuring self-signed server cert for vault --- README.md | 8 ++++++++ app/lib/clients/vault.rb | 7 ++++++- config/astral.yml | 13 ++++++++++--- 3 files changed, 24 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 26177f6..644f320 100644 --- a/README.md +++ b/README.md @@ -61,3 +61,11 @@ docker build -t astral:latest . ``` docker run -p 3000:3000 astral:latest ``` + +# Configuration +Astral is configured in `config/astral.yml` -- all availble +configuration options are all listed there. Note that configuration +values can be supplied in this file or as environment variables with +the same names (but UPPER_CASE). Environment vars will override any +values here. Per-environment settings (development, test, production) +will override the shared values. diff --git a/app/lib/clients/vault.rb b/app/lib/clients/vault.rb index 5f0c5e0..8e34749 100644 --- a/app/lib/clients/vault.rb +++ b/app/lib/clients/vault.rb @@ -14,7 +14,8 @@ class << self def client ::Vault::Client.new( address: address, - token: token + token: token, + ssl_ca_cert: ssl_cert ) end @@ -22,6 +23,10 @@ def address Config[:vault_addr] end + def ssl_cert + Config[:vault_ssl_cert] + end + def enable_engine(mount, type) client.sys.mount(mount, type, "#{type} secrets engine") end diff --git a/config/astral.yml b/config/astral.yml index a574607..57e9b97 100644 --- a/config/astral.yml +++ b/config/astral.yml 
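Review bot: `client` passes `ssl_ca_cert: ssl_cert` unconditionally, so the blank default for `vault_ssl_cert` in astral.yml reaches the gem as whatever `Config` returns for an empty value; if that is an empty string rather than nil the gem may try to open "" as a CA bundle, so it is worth confirming how `Config` treats blanks before this ships. The name `ssl_cert` also reads as the server's own certificate, while the gem option is a CA bundle used to verify it — the two are the same file only for a self-signed dev cert — so `ssl_ca_cert` would match both the option and the astral.yml comment. The enclosing `class << self` block opens above the hunk.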
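Review bot: `ssl_cert` returns `Config[:vault_ssl_cert]` raw, and this accessor is the natural place to normalize an empty value so callers get nil for "not configured": `Config[:vault_ssl_cert].presence` (ActiveSupport is in scope in a Rails app). A one-line doc comment above it would also help, e.g. `# Path to the CA bundle used to verify the certificate at VAULT_ADDR; nil means the system trust store.` The surrounding `class << self` block continues outside the hunk.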
@@ -1,21 +1,28 @@ +# Astral configuration +# Note that values can be supplied here or as environment vars (UPPER_CASE) shared: - vault_addr: vault_token: + vault_addr: + # if VAULT_ADDR is https with self-signed cert, need to provide + # path on disk to cert here + vault_ssl_cert: - # Pre-existing root CA, or create new if requested + # Vault PKI configuration -- create root CA or reference an existing vault_create_root: true vault_root_ca_ref: root_ca vault_root_ca_mount: pki_root + cert_ttl: jwt_signing_key: - cert_ttl: + # When using AppRegistry for Domain Ownership information app_registry_addr: app_registry_token: app_registry_ca_file: app_registry_client_cert: app_registry_client_key: + # User activity logging audit_log_file: <%= "#{Rails.root.join('log')}/astral-audit.log" %> test: From d0b8d51311e7e358d8cb9561163dfbdb1cc9d061 Mon Sep 17 00:00:00 2001 From: Geoff Wilson Date: Tue, 15 Oct 2024 14:54:51 -0400 Subject: [PATCH 02/13] generate ssl certs on devcontainer startup and make available to vault --- .devcontainer/devcontainer.json | 2 +- .devcontainer/docker-compose.yml | 23 ++++++++++++++++++++--- cert/.keep | 0 config/astral.yml | 7 ++++--- lib/tasks/configure.rake | 17 +++++++++++++++++ lib/tasks/redoc.rake | 4 ++-- 6 files changed, 44 insertions(+), 9 deletions(-) create mode 100644 cert/.keep create mode 100644 lib/tasks/configure.rake diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index 32d22d1..f76ca12 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json @@ -20,7 +20,7 @@ "forwardPorts": [3000, 5432, 8200], // Use 'postCreateCommand' to run commands after the container is created. - "postCreateCommand": "bundle install && rake db:setup", + "postCreateCommand": "bundle install && rake db:setup && rake configure:ssl", // Configure tool-specific properties. // "customizations": {}, 
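Review bot: The new header comment says values may be supplied in this file or as environment variables, but `vault_token`, `jwt_signing_key` and `app_registry_token` are secrets and nothing here warns against filling them in and committing the result. Add above `vault_token:` something like `# Secrets (vault_token, jwt_signing_key, app_registry_token, client keys) should come from the environment, never from this file.` The `vault_ssl_cert` comment could also say it is the CA bundle used to verify the server rather than the server cert itself, since the two only coincide for a self-signed certificate.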
diff --git a/.devcontainer/docker-compose.yml b/.devcontainer/docker-compose.yml index dcafb8a..df003fa 100644 --- a/.devcontainer/docker-compose.yml +++ b/.devcontainer/docker-compose.yml @@ -12,11 +12,12 @@ services: # Overrides default command so things don't shut down after the process ends. command: sleep infinity environment: - VAULT_ADDR: http://vault:8200 + VAULT_ADDR: https://vault:8200 VAULT_TOKEN: root_token VAULT_CREATE_ROOT: true VAULT_ROOT_CA_MOUNT: pki VAULT_ROOT_CA_REF: root-ca + VAULT_SSL_CERT: cert/vault.pem JWT_SIGNING_KEY: jwt_secret APP_REGISTRY_ADDR: http://app_registry:8800 APP_REGISTRY_TOKEN: app_reg_token @@ -25,10 +26,26 @@ services: image: hashicorp/vault:latest restart: unless-stopped ports: - - 8200:8200 + - 8200:8443 + volumes: + - ../cert:/vault/cert environment: VAULT_DEV_ROOT_TOKEN_ID: root_token - VAULT_DEV_LISTEN_ADDRESS: 0.0.0.0:8200 + VAULT_LOCAL_CONFIG: > + { + "listener": [ + { + "tcp": { + "address": "0.0.0.0:8443", + "tls_disable": "0", + "tls_cert_file": "/vault/cert/vault.pem", + "tls_key_file": "/vault/cert/vault.key" + } + } + ], + "default_lease_ttl": "168h", + "max_lease_ttl": "720h" + } app_registry: image: node:latest diff --git a/cert/.keep b/cert/.keep new file mode 100644 index 0000000..e69de29 diff --git a/config/astral.yml b/config/astral.yml index 57e9b97..96b89dc 100644 --- a/config/astral.yml +++ b/config/astral.yml 
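Review bot: `VAULT_ADDR: https://vault:8200` cannot reach the TLS listener this hunk configures, because the listener binds `0.0.0.0:8443` and the `8200:8443` entry under `ports` only maps a host port — traffic between services on the compose network goes to the container port directly. Either point the app at `https://vault:8443` or bind the listener on 8200; a later commit in this series does move to 8443. `VAULT_SSL_CERT: cert/vault.pem` is relative to the app process's working directory, which is fine only while Rails is always launched from the repo root; an absolute workspace path would be more robust. The certificate served on this listener has `CN=vault` and, as far as the rake task in this patch shows, no subjectAltName, so TLS stacks that require a SAN for hostname verification will reject it even with the CA supplied.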
@@ -1,13 +1,13 @@ # Astral configuration -# Note that values can be supplied here or as environment vars (UPPER_CASE) +# Note that values can be supplied here or as environment vars (UPPER_CASE). shared: vault_token: vault_addr: # if VAULT_ADDR is https with self-signed cert, need to provide - # path on disk to cert here + # path on disk to CA cert here vault_ssl_cert: - # Vault PKI configuration -- create root CA or reference an existing + # Vault PKI configuration -- create root CA when true, or reference an existing vault_create_root: true vault_root_ca_ref: root_ca vault_root_ca_mount: pki_root @@ -25,6 +25,7 @@ shared: # User activity logging audit_log_file: <%= "#{Rails.root.join('log')}/astral-audit.log" %> +# Per-environment overrides of shared configs test: cert_ttl: <%= 24.hours.in_seconds %> diff --git a/lib/tasks/configure.rake b/lib/tasks/configure.rake new file mode 100644 index 0000000..80ad985 --- /dev/null +++ b/lib/tasks/configure.rake @@ -0,0 +1,17 @@ +require "rake" + +# Rake tasks for making a vault cert +namespace :configure do + desc "Make the server cert for vault" + task :ssl do + %x( + openssl req -new -newkey rsa:4096 -nodes \ + -keyout cert/vault.key -out cert/vault.csr \ + -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=vault" + openssl x509 -req -days 365 -in cert/vault.csr \ + -signkey cert/vault.key \ + -out cert/vault.pem + ) + puts "SSL key for vault created" + end +end diff --git a/lib/tasks/redoc.rake b/lib/tasks/redoc.rake index 8810fa6..0452fc6 100644 --- a/lib/tasks/redoc.rake +++ b/lib/tasks/redoc.rake @@ -6,8 +6,8 @@ namespace :redoc do task :bundle do %x( docker run -v /workspaces/astral/doc/openapi:/data -w /data \ - redocly/cli bundle openapi.yml \ - --output openapi-bundled.yml + redocly/cli bundle openapi.yml \ + --output openapi-bundled.yml ) puts "openapi.yml and references bundled to openapi-bundled.yml" end From a8f27022ab5f7b96647c7d9580571b15177ddbb6 Mon Sep 17 00:00:00 2001 
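Review bot: Both `openssl` invocations run inside `%x()` with their exit status ignored, so a failure (openssl missing, `cert/` unwritable) still prints "SSL key for vault created" and the vault container fails later with a missing key file. The certificate also carries only `CN=vault` and no subjectAltName, which modern TLS stacks need for hostname verification, and the intermediate CSR is left on disk for no purpose once the cert is self-signed. Because the task runs on every devcontainer create it also overwrites the key pair each time; skipping when both files exist keeps the cert stable across rebuilds. The key is written with the process umask (typically world-readable) into a directory bind-mounted into the vault container, which reads it as its own user, so tighten permissions only if that user can still read it, and add `cert/*.key`, `cert/*.pem` and `cert/*.csr` to `.gitignore` so the pair is never committed; `-addext` requires OpenSSL 1.1.1 or newer.
```ruby
  task :ssl do
    key, pem = "cert/vault.key", "cert/vault.pem"
    if File.exist?(key) && File.exist?(pem)
      puts "SSL key for vault already present, not regenerating"
      next
    end
    # One-step self-signed cert; a SAN is required for hostname verification by modern clients.
    system("openssl", "req", "-x509", "-newkey", "rsa:4096", "-nodes", "-days", "365",
           "-keyout", key, "-out", pem,
           "-subj", "/C=US/ST=Denial/L=Springfield/O=Dis/CN=vault",
           "-addext", "subjectAltName=DNS:vault,DNS:localhost",
           exception: true)
    puts "SSL key for vault created"
  end
```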
From: Geoff Wilson Date: Tue, 15 Oct 2024 14:58:32 -0400 Subject: [PATCH 03/13] clarify config readme --- README.md | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 644f320..75c0743 100644 --- a/README.md +++ b/README.md @@ -64,8 +64,9 @@ docker run -p 3000:3000 astral:latest # Configuration Astral is configured in `config/astral.yml` -- all availble -configuration options are all listed there. Note that configuration -values can be supplied in this file or as environment variables with -the same names (but UPPER_CASE). Environment vars will override any -values here. Per-environment settings (development, test, production) -will override the shared values. +configuration options are listed there in the `shared` section. Note +that configuration values can be supplied in this file or as +environment variables with the same names (but +UPPER_CASE). Environment vars will override any values +here. Per-environment settings (development, test, production) will +override the shared values but not the environment. From e03f93c872a961a5c9217dedb3255ad0f217e0f7 Mon Sep 17 00:00:00 2001 From: Geoff Wilson Date: Tue, 15 Oct 2024 15:20:08 -0400 Subject: [PATCH 04/13] Add some initial certs --- cert/vault.csr | 27 +++++++++++++++++++++++++++ cert/vault.pem | 30 ++++++++++++++++++++++++++++++ 2 files changed, 57 insertions(+) create mode 100644 cert/vault.csr create mode 100644 cert/vault.pem diff --git a/cert/vault.csr b/cert/vault.csr new file mode 100644 index 0000000..3b882f7 --- /dev/null +++ b/cert/vault.csr 
@@ -0,0 +1,27 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIElzCCAn8CAQAwUjELMAkGA1UEBhMCVVMxDzANBgNVBAgMBkRlbmlhbDEUMBIG +A1UEBwwLU3ByaW5nZmllbGQxDDAKBgNVBAoMA0RpczEOMAwGA1UEAwwFdmF1bHQw +ggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC4GT1p/wZyxvMsZ/N7g6Hb +SNqTCA6W+JbPryhy2YjVwdH+JwYQGy4GbXYxbKZp5ZXAf5/9/y6j8BnsHrxv5pvC +Ob08aArhQE6ht0NTqaIYsSf/7TeW1e+da5ikLbrcFUcXVzKWtZPcbz4Y42G1AS9T +Lyyw01y6LUGK5WWy3ztD/8fyYVImG7q+8JGYKJpxI0fsLaEpDvHq5ZpOPMJqT0tb +aWwK8CtDcLEjv1bxmXUpD6c8FzffRwuy1SM6USMyAFFLdIVizjgekhRJPOQTeO8N +yR8O3ViT4Eq+ED051qk+oT99xvfHLOLk7BFMVYK3bYMmaOHlb9g060Og32lFbcuD +gGaGI2d+0cQrWemQiWjEMi55dIqXDmGiA3o18r7s0bEt7lPKFBqjrRfPh9/+Eqqp +YkWjp623vOW+vHPgxUNcyGMXl/nZTcvhpJLOgBkjQnq7dSpV3LzrGNN3mJFpKxQy +e7rccbZPa82ln5Y6+g97H/oy1FNkzNcI+Fv3BOCSQOoM9uPB6NP5b3seJC8GW1eh +LV/byfuwXSJJYo7csNiem90UTRR7ZDzjE8clbzATR0d+qJTf0idA5xDKU+JwxqzW ++ktBZwwS2t+A1QaHj7frJt0FuN1Us+bX6GcJ6X+JJsjxEp+WbKIncgQVk6mcbVJm +T6a4LyiFCN9oeDnkLM6L/wIDAQABoAAwDQYJKoZIhvcNAQELBQADggIBAGU4/K0+ +d85R/Y1ov3MJTmpOC0fGJ8/H7U/MIk0qlSfqzRMYIjHHFRqslMzGaRZG/XZN4grj +FvceoYBTH2NUip4HF+PRwxkUlwAFFea/h2noT5Ca0X00roHCf/uhJYY5OGxS5TD6 +CkP6nbCpD9oVDePlLehMuvNtJBt50QQsBUyK3FCXTsunNSVrMdVQ6zlyJVo0limQ ++eQy4u/bvG0BzsIj6+HnvMTxC1gQCOsfieiJyrF51EbGZJUms89k8Oli9mgJxdaC +6sh/s+FfF0m0tp449Qv/mAy57Z5EC6SUBuAICYd/bSHXWuzAi/9jTJeyTbNpN0F8 +615CWN+sIuiGG9JLdCCbJE/WxGAa4/3Ry1gtYrcrSz+i1NXT422RZfxTASLl9fT6 +NlUu2DN3UQQmbxG8ujzKdZ2o746vovFWGtECh6oj0dZ2vhKAKDgIlT2ZOaZzp4mk +b7tpfXBhUsVVG2rIhHXh7HAa9YDFGNufZ+p+b2GI+i5ll6+XUsXSM0SGnM+E1VLh +wnz3krI1tFTNBUu3+n9UbQhBgCWt4bj2Ax0LCgd6sHClcHa0q07FlRVIa/edXu/p +Xt2yr1xhdsK0ss9kRyXg2AMHVTs0ES8rKxcvAmdbic4ygg7MfRhnT/B4HFSKKyoU +JCy4FPyt1+iqfDzjtS74h261lVm6bHnW+7bI +-----END CERTIFICATE REQUEST----- diff --git a/cert/vault.pem b/cert/vault.pem new file mode 100644 index 0000000..b7c6371 --- /dev/null +++ b/cert/vault.pem 
@@ -0,0 +1,30 @@ +-----BEGIN CERTIFICATE----- +MIIFKzCCAxMCFDxrZQdK60TK6QxY01Y0QdRFrbdpMA0GCSqGSIb3DQEBCwUAMFIx +CzAJBgNVBAYTAlVTMQ8wDQYDVQQIDAZEZW5pYWwxFDASBgNVBAcMC1NwcmluZ2Zp +ZWxkMQwwCgYDVQQKDANEaXMxDjAMBgNVBAMMBXZhdWx0MB4XDTI0MTAxNTE4NTk1 +N1oXDTI1MTAxNTE4NTk1N1owUjELMAkGA1UEBhMCVVMxDzANBgNVBAgMBkRlbmlh +bDEUMBIGA1UEBwwLU3ByaW5nZmllbGQxDDAKBgNVBAoMA0RpczEOMAwGA1UEAwwF +dmF1bHQwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC4GT1p/wZyxvMs +Z/N7g6HbSNqTCA6W+JbPryhy2YjVwdH+JwYQGy4GbXYxbKZp5ZXAf5/9/y6j8Bns +Hrxv5pvCOb08aArhQE6ht0NTqaIYsSf/7TeW1e+da5ikLbrcFUcXVzKWtZPcbz4Y +42G1AS9TLyyw01y6LUGK5WWy3ztD/8fyYVImG7q+8JGYKJpxI0fsLaEpDvHq5ZpO +PMJqT0tbaWwK8CtDcLEjv1bxmXUpD6c8FzffRwuy1SM6USMyAFFLdIVizjgekhRJ +POQTeO8NyR8O3ViT4Eq+ED051qk+oT99xvfHLOLk7BFMVYK3bYMmaOHlb9g060Og +32lFbcuDgGaGI2d+0cQrWemQiWjEMi55dIqXDmGiA3o18r7s0bEt7lPKFBqjrRfP +h9/+EqqpYkWjp623vOW+vHPgxUNcyGMXl/nZTcvhpJLOgBkjQnq7dSpV3LzrGNN3 +mJFpKxQye7rccbZPa82ln5Y6+g97H/oy1FNkzNcI+Fv3BOCSQOoM9uPB6NP5b3se +JC8GW1ehLV/byfuwXSJJYo7csNiem90UTRR7ZDzjE8clbzATR0d+qJTf0idA5xDK +U+JwxqzW+ktBZwwS2t+A1QaHj7frJt0FuN1Us+bX6GcJ6X+JJsjxEp+WbKIncgQV +k6mcbVJmT6a4LyiFCN9oeDnkLM6L/wIDAQABMA0GCSqGSIb3DQEBCwUAA4ICAQBi +hcNthicAeN726BwOSt87q7T/MLJp543CtGcL8m0Z5N6ZlQhCdS3/aPKHXtksbtyY +3oXcMcXaROPkYDOn6F5bNmsLpkC6v/lZpN7yxFbNN2QZ9kqDquRoyIg9EQmOazIl +daahg7UoI3n2u/Rb5AJ0MmsfiKx2ybFTNwdI1Pg84Tp5k/VuvQ33bCxErIXjaaE0 +60w7xUkus2WbrMTLgJOS+GdVIa+RmJVivK5c+ejJcE81bGEVuCnCxvPy7aIcwKy4 +BGYxsVDW/9/rlm+z92KKcnvWFIxxlU+FTeXeOoIXAyRydOn9Eh7Is8Y6LoWf7U5S +n2uxMsjJ2kf08/2FcYjkPfgQm3PYKUS+xOBOE9ykT4t84v32c6sVvGMWMeHMJfMZ +CPF/Ok9CzvqWaMcVzLOeCQT4AAAT1yyNN0WaTMlx8UZthB/axR1uR5xcs/4VsVfq +K0ToIh9dmH4LLr5GB+RPLXLdoyS9JneMekkJHqq7PngcJztuhmq6EESVgdaEiQC4 +HgMaWV9SLku7OxFa050qiCZGDvJU5emNkizWIkm91f3sXliLF9sl5BSnr/4UtlnA +ExU8iaglghbA0wfyGfXIUYtENGLh6b7PVOvT0eirSLgAvHijdCL0tiwssfl8a4W/ +sYs2JyeEa3Dpf7qU6uHbg8TWEfZsulezprneVmgG4Q== +-----END CERTIFICATE----- From d5577b9fdd120944af8685f959db23f51d77421b Mon Sep 17 00:00:00 2001 
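Review bot: Committing `cert/vault.pem` pins the devcontainer to one fixed self-signed certificate whose embedded validity, if I decode the DER header correctly, runs 2024-10-15 to 2025-10-15, after which every fresh checkout fails TLS verification against Vault with no hint why. Since `rake configure:ssl` already exists, generate the pair on container create when it is absent and ignore `cert/*.pem` and `cert/*.csr` in git instead. The CSR added alongside it has no use after self-signing and can be dropped outright.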
From: Geoff Wilson Date: Tue, 15 Oct 2024 15:22:30 -0400 Subject: [PATCH 05/13] tweak readme --- README.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 75c0743..35d78b8 100644 --- a/README.md +++ b/README.md @@ -64,9 +64,9 @@ docker run -p 3000:3000 astral:latest # Configuration Astral is configured in `config/astral.yml` -- all availble -configuration options are listed there in the `shared` section. Note -that configuration values can be supplied in this file or as +configuration options are listed in the `shared` section. Note that +configuration values can be supplied in this file or as process environment variables with the same names (but -UPPER_CASE). Environment vars will override any values -here. Per-environment settings (development, test, production) will -override the shared values but not the environment. +UPPER_CASE). Environment vars will override any values in the config +file. Per-environment settings in the config file(development, test, +production) will override the shared values for that type. From 911d27ead59feff83383b2ecc0aaeb0c622a4801 Mon Sep 17 00:00:00 2001 From: Geoff Wilson Date: Tue, 15 Oct 2024 15:29:46 -0400 Subject: [PATCH 06/13] put private key in for dev container --- cert/vault.key | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) create mode 100644 cert/vault.key diff --git a/cert/vault.key b/cert/vault.key new file mode 100644 index 0000000..20ddc1b --- /dev/null +++ b/cert/vault.key 
@@ -0,0 +1,52 @@ +-----BEGIN PRIVATE KEY----- +MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQC4GT1p/wZyxvMs +Z/N7g6HbSNqTCA6W+JbPryhy2YjVwdH+JwYQGy4GbXYxbKZp5ZXAf5/9/y6j8Bns +Hrxv5pvCOb08aArhQE6ht0NTqaIYsSf/7TeW1e+da5ikLbrcFUcXVzKWtZPcbz4Y +42G1AS9TLyyw01y6LUGK5WWy3ztD/8fyYVImG7q+8JGYKJpxI0fsLaEpDvHq5ZpO +PMJqT0tbaWwK8CtDcLEjv1bxmXUpD6c8FzffRwuy1SM6USMyAFFLdIVizjgekhRJ +POQTeO8NyR8O3ViT4Eq+ED051qk+oT99xvfHLOLk7BFMVYK3bYMmaOHlb9g060Og +32lFbcuDgGaGI2d+0cQrWemQiWjEMi55dIqXDmGiA3o18r7s0bEt7lPKFBqjrRfP +h9/+EqqpYkWjp623vOW+vHPgxUNcyGMXl/nZTcvhpJLOgBkjQnq7dSpV3LzrGNN3 +mJFpKxQye7rccbZPa82ln5Y6+g97H/oy1FNkzNcI+Fv3BOCSQOoM9uPB6NP5b3se +JC8GW1ehLV/byfuwXSJJYo7csNiem90UTRR7ZDzjE8clbzATR0d+qJTf0idA5xDK +U+JwxqzW+ktBZwwS2t+A1QaHj7frJt0FuN1Us+bX6GcJ6X+JJsjxEp+WbKIncgQV +k6mcbVJmT6a4LyiFCN9oeDnkLM6L/wIDAQABAoICAHiLxmP+oplLXnWIR61r3vL4 +fG7kSrFea1nohqLVgDz/oeI6aUTolzWMPWVVkI4sz+bxarDlhAPCtyaeZaMcLId8 +SUYhlmYyNoq7tnE01Tg34Eo7aTfyM+kvSA7RBtcPc7J73VtD4GLp0I55bUQZV4Sv +kiLi84fRFGa/mN0MQQFgnes/AIyFgb1/RsaMZ7yHbpPeuPVqnMvDtktei6sS6vQb +TqzG4H1TcBpJMsQWSNovLsExLtub6LQbzepksJgQDytKTAELqUGTQ4dFQM7jVB0B +wb15AIQrzKUxevXBcqbY7PsN6rbX1GYzkYwbPfGf2s2uxaP3nWnhVzIiuArHPwdp +2hIXG7OUKNDHKSFCeVjbNpgElmiy9jAz78PouzNg/s2UMrLUixiZy/NctX6YWErt +VCaTLx3eBxdXfrW8vxije610Bo7YRvIKlTwpILb0PJx0wwfRUS9JrlYdsOB32LHW +TYvfwvE16UCFna9Ljcc9l5WVERnr7/RMnoM5mxizjoGZUp1HDBdbKqQwcUy9J7o4 +2xNAx96mi4E5u7/i5xr7BI/+HhDVVKeKBXa5GV78edWYAU8Xb38ZQvt98q/2D0eG +CFddoGefiHEEpoVq2Z5uyIXhYKolNNvdQm9vZFjfJr4cwbKN0md45Og0T16BtxhF +i39rDoXRmyrvUHIJH8VxAoIBAQDurKTo7e61LJXfET4ha2wzyKC/ClllRy0ywT/a +tZh2uKcMGN/BV9GKMIZc0MpYkGEUfvxYOyN9hRCkVDujzRFKOGDyUdhb5EJ1pcs9 +E4AON8nPFkUQMNbihXYIKvgv/1gsMzlT/3cSMu3r4VUhY8ijVRUsioCaM8DwAzBP +D/J3EpWFDIcoju5Srk+6/sRJdAW+6bbm7OT0lu9yOorjhqtaTCAKyylyDIGYCgI2 +nythwvOYSAm0w6yfd2i4sne2WL6RGIFZWyJGhKJg8JDXYnuG78l3+wD6Bd4GynL4 +qyEMQWjnlPpk+8W+cOvvY1o+c8onRFHvNydPy/9+Tvc5bMwnAoIBAQDFdmXS5Wd5 +onQaSwHbCzGbpbNSXmP8r/zuQ56kTdA/NL1kGUNw+h1f5eOQmZnn78zRqwWL2D/y 
+iRm4qZXTinxrPHqx69/nFyjRSGaRe1Zl2xRWE8y3zg91WFJfk/zHghufIce5kMdw +Q8dndCFbe6bep3igVGVjQHv+wuFsW+4YLJaUeDNWf4b/aeg6tTqzH5g05GABqQ4s +JGMcxd7IPM2SKeShjleHBtlvTPTv0ks30dUjk1AbJHXeY9wY8Lb0eU+dRbx350Ey +zL+Ijm6MSjBz+QT0DOf1hDebMUPcBGXjLur9l0scJdiRxAmzZ9iAsg8tBV9qeL5G +VZg+lDhXDLBpAoIBAQDgmjUiQe4WLpvm7EoElxue65lhzjJsHXwKPFOD1MpiRshk +mO/P+X1lxt5ab91LVKsW550+xoBSeas8iUwKjEtOBhotTxoE95wXLGtC0Zv7RUKz +j6h0YRGG38NAUnd2a5ulFJtJUanSxXyiMk2zezxvf/zKCpiVBEj3VHjcngw1Q5bT +OwPiBgd+ZS0Aswkyem2ByFxnmdyn03YHj9Ht5WhRNDwfDCq3ec9mrVyB3G2ttREZ +aAlCQ7Wp52v0C3aecYr77gyjcyChLeXExf33wmSuie6U6u9zWZwj1dY17ozOBKvc +6pRr/YaL/aX5hAyDouFE7IUSUVu8OyP20AbU0m6XAoIBAD7xAH/688LHz65Z3luN +8+AjL0fAIqr3Be6Ey1qgGxMqonv3uZGXiCl7Q9BhxbcyrtzeYMQ0yB1tKi+8jq+B +YytjedCg2Rv2O+KJ63fQErgg3xiY8xZbrn2/C3K/30FQ7bEJuXoi9g+I61TEpaVd +gtFSHJcuj6rVcTDBuc0qeHhoLg9hSSv3NnbPsWCVSAK0vXWOnjOpSYU0jAst31eA +Wh6PD/uXPbsiqchahXC0XZmLXx8Z49zjAFdFCXFBuW+wA3qkMfEeW5/vt9W1YPOC +6nLtG3EXdBDEdl0XlQPauwdxeyIeSajNP30nOdhf75kGKOQ25DUyC6Srv/2ijVri +BpECggEBAMo2jBvMu+Vu+IOIixU6BGGQiCMJGtEg6PnHaFBH2eCgHQ6WZhRb+4V0 +Xeuhz8zaOwxXFJX+OyQwqvTn1gq7W0qyKo37+qzQdYicuo10CAV9S7uS2rUSuV7b +yP7zWTABxP9Yqmr+EQ17XbYoOV2kDE8DU+sCNsOxOrewnP8Kj+0Fxm8r8qDvR1pz +tvuarGIc32Of4/2OAIXzPH3IF5mWYYuvGA8vgmk1ZM/lcZ3DYhWuT7UiWQIS5GB+ +NJYMf5xB9G5Wnmq5H9RmkeAozNjnSDZHGQiGLwKW4LVqbkSxGGbGpXS57Si+QvBJ +7sscXOjF3wtZdFCFacS9FPm9KRjD7AU= +-----END PRIVATE KEY----- From 99e14c3bf1e115532cd8fd291db5d0a5fc2580c2 Mon Sep 17 00:00:00 2001 From: Geoff Wilson Date: Tue, 15 Oct 2024 15:38:13 -0400 Subject: [PATCH 07/13] add ssl client configs; adjust startup to make certs first --- .devcontainer/devcontainer.json | 2 +- app/lib/clients/vault.rb | 12 +++++++++++- config/astral.yml | 5 ++++- 3 files changed, 16 insertions(+), 3 deletions(-) diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index f76ca12..32783cd 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json 
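Review bot: `cert/vault.key` is a private key and is now permanently in git history even if removed later, so anyone with read access to the repository can impersonate the dev Vault listener, and secret scanners (GitHub push protection, gitleaks, trufflehog) will flag the repository. Even for a dev-only key the safer pattern is to never commit it: delete the file, add `cert/*.key` to `.gitignore`, and have the devcontainer `postCreateCommand` run `rake configure:ssl` when the pair is missing. If this key pair has ever been used beyond local containers it should be treated as compromised and rotated.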
@@ -20,7 +20,7 @@ "forwardPorts": [3000, 5432, 8200], // Use 'postCreateCommand' to run commands after the container is created. - "postCreateCommand": "bundle install && rake db:setup && rake configure:ssl", + "postCreateCommand": "bundle install && rake configure:ssl && rake db:setup", // Configure tool-specific properties. // "customizations": {}, diff --git a/app/lib/clients/vault.rb b/app/lib/clients/vault.rb index 8e34749..10ec7d9 100644 --- a/app/lib/clients/vault.rb +++ b/app/lib/clients/vault.rb @@ -15,7 +15,9 @@ def client ::Vault::Client.new( address: address, token: token, - ssl_ca_cert: ssl_cert + ssl_ca_cert: ssl_cert, + ssl_pem_file: ssl_client_cert, + ssl_key_file: ssl_client_key ) end @@ -27,6 +29,14 @@ def ssl_cert Config[:vault_ssl_cert] end + def ssl_client_cert + Config[:vault_ssl_client_cert] + end + + def ssl_client_key + Config[:vault_ssl_client_key] + end + def enable_engine(mount, type) client.sys.mount(mount, type, "#{type} secrets engine") end diff --git a/config/astral.yml b/config/astral.yml index 96b89dc..b64806a 100644 --- a/config/astral.yml +++ b/config/astral.yml @@ -4,8 +4,11 @@ shared: vault_token: vault_addr: # if VAULT_ADDR is https with self-signed cert, need to provide - # path on disk to CA cert here + # CA cert (path to file) vault_ssl_cert: + # Vault client cert if required (path to file) + vault_ssl_client_cert: + vault_ssl_client_key: # Vault PKI configuration -- create root CA when true, or reference an existing vault_create_root: true From 786b869d13bccf6d31dcca451c7763cdc554dd45 Mon Sep 17 00:00:00 2001 From: Geoff Wilson Date: Tue, 15 Oct 2024 16:16:52 -0400 Subject: [PATCH 08/13] don't regen keys during startup --- .devcontainer/devcontainer.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index 32783cd..32d22d1 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json 
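Review bot: `ssl_pem_file:` and `ssl_key_file:` are now passed to `Vault::Client.new` unconditionally, so when the new `vault_ssl_client_*` settings are blank the gem receives nil or "" for both; confirm against the gem version in the Gemfile that nil is accepted rather than read as a path, and that `ssl_pem_file` takes a certificate-only PEM when `ssl_key_file` is supplied (some versions expect cert and key in one PEM). The astral.yml comment `# Vault client cert if required` does not say who requires it; `# Client certificate/key presented to Vault when its listener sets tls_require_and_verify_client_cert (mTLS); leave blank for server-only TLS` would make the distinction clear. The `class << self` block enclosing `client` opens outside the hunk.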
@@ -20,7 +20,7 @@ "forwardPorts": [3000, 5432, 8200], // Use 'postCreateCommand' to run commands after the container is created. - "postCreateCommand": "bundle install && rake configure:ssl && rake db:setup", + "postCreateCommand": "bundle install && rake db:setup", // Configure tool-specific properties. // "customizations": {}, From b8bc4d51b61e93ce4f80ea83a5489abfae75de18 Mon Sep 17 00:00:00 2001 From: Geoff Wilson Date: Tue, 15 Oct 2024 16:35:01 -0400 Subject: [PATCH 09/13] remove TLS from devcontainer --- .devcontainer/docker-compose.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.devcontainer/docker-compose.yml b/.devcontainer/docker-compose.yml index df003fa..2b410a8 100644 --- a/.devcontainer/docker-compose.yml +++ b/.devcontainer/docker-compose.yml @@ -12,7 +12,7 @@ services: # Overrides default command so things don't shut down after the process ends. command: sleep infinity environment: - VAULT_ADDR: https://vault:8200 + VAULT_ADDR: http://vault:8200 VAULT_TOKEN: root_token VAULT_CREATE_ROOT: true VAULT_ROOT_CA_MOUNT: pki @@ -37,7 +37,7 @@ services: { "tcp": { "address": "0.0.0.0:8443", - "tls_disable": "0", + "tls_disable": "1", "tls_cert_file": "/vault/cert/vault.pem", "tls_key_file": "/vault/cert/vault.key" } From c5a0fc45c442237a9b79b2cd36d70a184b4441b3 Mon Sep 17 00:00:00 2001 From: Geoff Wilson Date: Tue, 15 Oct 2024 16:43:51 -0400 Subject: [PATCH 10/13] comment out ssl cert --- .devcontainer/docker-compose.yml | 2 +- README.md | 19 +++++++++++++++++++ 2 files changed, 20 insertions(+), 1 deletion(-) diff --git a/.devcontainer/docker-compose.yml b/.devcontainer/docker-compose.yml index 2b410a8..883f0f2 100644 --- a/.devcontainer/docker-compose.yml +++ b/.devcontainer/docker-compose.yml 
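Review bot: Dropping `rake configure:ssl` from `postCreateCommand` avoids overwriting the key on each create, but it makes the devcontainer depend entirely on a cert and key already being present in `cert/`, which in this series means the committed files. Making the task idempotent (`next if File.exist?("cert/vault.key") && File.exist?("cert/vault.pem")`) and keeping it in `postCreateCommand` gives the same stability without checking key material in.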
@@ -17,7 +17,7 @@ services: VAULT_CREATE_ROOT: true VAULT_ROOT_CA_MOUNT: pki VAULT_ROOT_CA_REF: root-ca - VAULT_SSL_CERT: cert/vault.pem + # VAULT_SSL_CERT: cert/vault.pem JWT_SIGNING_KEY: jwt_secret APP_REGISTRY_ADDR: http://app_registry:8800 APP_REGISTRY_TOKEN: app_reg_token diff --git a/README.md b/README.md index 35d78b8..df5dcc9 100644 --- a/README.md +++ b/README.md @@ -70,3 +70,22 @@ environment variables with the same names (but UPPER_CASE). Environment vars will override any values in the config file. Per-environment settings in the config file(development, test, production) will override the shared values for that type. + +## mTLS connections +Astral can connect to Vault with client and server SSL certificates. Just +set the following values in `config/astral.yml`: +``` + vault_ssl_cert: + vault_ssl_client_cert: + vault_ssl_client_key: +``` +A self-signed server cert for Vault can be generated with the following +command: +``` +rake configure:ssl +``` + +To use in the devcontainer, edit `.devcontainer/docker-compose.yml` so +that the `app` service has `VAULT_ADDRESS` of `https://vault:8200` and +the `VAULT_SSL_CERT` value us uncommented. The `vault` service needs +`tls_disable` set to `0`. From a3e2edaba296c07d467d685cc65d033b49ce332d Mon Sep 17 00:00:00 2001 From: Geoff Wilson Date: Wed, 16 Oct 2024 10:52:47 -0400 Subject: [PATCH 11/13] Update readme typo --- README.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index df5dcc9..3da6aeb 100644 --- a/README.md +++ b/README.md @@ -72,7 +72,7 @@ file. Per-environment settings in the config file(development, test, production) will override the shared values for that type. ## mTLS connections -Astral can connect to Vault with client and server SSL certificates. Just +Astral can connect to Vault with mTLS. Just set the following values in `config/astral.yml`: ``` vault_ssl_cert: 
@@ -87,5 +87,6 @@ rake configure:ssl To use in the devcontainer, edit `.devcontainer/docker-compose.yml` so that the `app` service has `VAULT_ADDRESS` of `https://vault:8200` and -the `VAULT_SSL_CERT` value us uncommented. The `vault` service needs -`tls_disable` set to `0`. +the `VAULT_SSL_CERT` value is uncommented. Finally, the `vault` +service needs `tls_disable` in the `VAULT_LOCAL_CONFIG` set to +`0`. Restart. From 4824594e74623a6427b1767628f5a65856f28165 Mon Sep 17 00:00:00 2001 From: Geoff Wilson Date: Wed, 16 Oct 2024 20:42:21 -0400 Subject: [PATCH 12/13] simplify activating ssl in devcontainer --- .devcontainer/docker-compose.yml | 5 +++-- README.md | 7 ++----- test/lib/clients/vault_test.rb | 17 ++++++++++++++++- 3 files changed, 21 insertions(+), 8 deletions(-) diff --git a/.devcontainer/docker-compose.yml b/.devcontainer/docker-compose.yml index 883f0f2..2304b3e 100644 --- a/.devcontainer/docker-compose.yml +++ b/.devcontainer/docker-compose.yml @@ -26,7 +26,8 @@ services: image: hashicorp/vault:latest restart: unless-stopped ports: - - 8200:8443 + - 8200:8200 + - 8443:8443 volumes: - ../cert:/vault/cert environment: @@ -37,7 +38,7 @@ services: { "tcp": { "address": "0.0.0.0:8443", - "tls_disable": "1", + "tls_disable": "0", "tls_cert_file": "/vault/cert/vault.pem", "tls_key_file": "/vault/cert/vault.key" } diff --git a/README.md b/README.md index 3da6aeb..00ca829 100644 --- a/README.md +++ b/README.md @@ -85,8 +85,5 @@ command: rake configure:ssl ``` -To use in the devcontainer, edit `.devcontainer/docker-compose.yml` so -that the `app` service has `VAULT_ADDRESS` of `https://vault:8200` and -the `VAULT_SSL_CERT` value is uncommented. Finally, the `vault` -service needs `tls_disable` in the `VAULT_LOCAL_CONFIG` set to -`0`. Restart. +To use SSL in the devcontainer, edit `.devcontainer/docker-compose.yml` so +that the `app` service has `VAULT_ADDRESS` of `https://vault:8443`. 
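Review bot: Publishing both `8200:8200` and `8443:8443` keeps the plaintext dev listener exposed on the host beside the TLS one, so nothing stops a client from quietly using the unencrypted port; if the point is to exercise TLS, publish only 8443 or at least comment that 8200 is the dev-mode plaintext listener. The README text in this commit tells users to set `VAULT_ADDRESS`, but the variable the `app` service actually sets is `VAULT_ADDR`, so the instruction as written has no effect. Whether the 8200 listener stays active alongside the `VAULT_LOCAL_CONFIG` listener depends on the image's dev-mode entrypoint, which the hunk does not show.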
diff --git a/test/lib/clients/vault_test.rb b/test/lib/clients/vault_test.rb index e18337c..51ca0a8 100644 --- a/test/lib/clients/vault_test.rb +++ b/test/lib/clients/vault_test.rb @@ -115,7 +115,10 @@ class VaultTest < ActiveSupport::TestCase def vault_client ::Vault::Client.new( address: vault_addr, - token: vault_token + token: vault_token, + ssl_ca_cert: ssl_cert, + ssl_pem_file: ssl_client_cert, + ssl_key_file: ssl_client_key ) end @@ -126,4 +129,16 @@ def vault_addr def vault_token Config[:vault_token] end + + def ssl_cert + Config[:vault_ssl_cert] + end + + def ssl_client_cert + Config[:vault_ssl_client_cert] + end + + def ssl_client_key + Config[:vault_ssl_client_key] + end end From 62a75277101d1514699ece80b3a73ec45e2b6d4b Mon Sep 17 00:00:00 2001 From: Geoff Wilson Date: Thu, 17 Oct 2024 10:46:06 -0400 Subject: [PATCH 13/13] Update readme and uncomment cert config even when using http --- .devcontainer/docker-compose.yml | 2 +- config/astral.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.devcontainer/docker-compose.yml b/.devcontainer/docker-compose.yml index 2304b3e..2b58180 100644 --- a/.devcontainer/docker-compose.yml +++ b/.devcontainer/docker-compose.yml @@ -17,7 +17,7 @@ services: VAULT_CREATE_ROOT: true VAULT_ROOT_CA_MOUNT: pki VAULT_ROOT_CA_REF: root-ca - # VAULT_SSL_CERT: cert/vault.pem + VAULT_SSL_CERT: cert/vault.pem JWT_SIGNING_KEY: jwt_secret APP_REGISTRY_ADDR: http://app_registry:8800 APP_REGISTRY_TOKEN: app_reg_token diff --git a/config/astral.yml b/config/astral.yml index b64806a..15eda38 100644 --- a/config/astral.yml +++ b/config/astral.yml @@ -4,7 +4,7 @@ shared: vault_token: vault_addr: # if VAULT_ADDR is https with self-signed cert, need to provide - # CA cert (path to file) + # CA cert (path to file) in "vault_ssl_cert" below: vault_ssl_cert: # Vault client cert if required (path to file) vault_ssl_client_cert:
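Review bot: `vault_client` in the test now re-implements the client construction from `app/lib/clients/vault.rb` option by option, so the test exercises its own copy rather than the production code path and will drift silently the next time an SSL option is added or renamed. Unless the test deliberately needs an independent client, build it through the class under test (`def vault_client = Clients::Vault.client`, assuming that is the constant defined in `app/lib/clients/vault.rb`, whose header is outside this diff) or extract a shared options hash both can use. The `VaultTest` class continues beyond the hunk.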
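Review bot: Setting `VAULT_SSL_CERT: cert/vault.pem` while `VAULT_ADDR` is plain `http://vault:8200` is harmless for the app's own `vault_ssl_cert` option, but the vault-ruby gem, as far as I recall, reads `VAULT_SSL_CERT` itself as the default for its client PEM (`ssl_pem_file`) and `VAULT_CACERT` for the CA, mirroring the Vault CLI's `VAULT_CLIENT_CERT`/`VAULT_CACERT` split — worth confirming, because if so this variable means "client certificate" to every other Vault tool in the container. Renaming the app setting to `vault_ca_cert` / `VAULT_CACERT` would remove the ambiguity, and the astral.yml comment in this commit could read `# CA bundle used to verify the Vault server certificate; ignored for http:// addresses`.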