Merge pull request #148 from matter-labs/cacert
fix: update the common `cacert` and include it in the unseal container
This commit is contained in:
commit
8402eb6bd8
5 changed files with 38 additions and 17 deletions
|
@ -61,6 +61,8 @@ pub struct UnsealServerConfig {
|
|||
pub vault_auth_tee_sha: String,
|
||||
/// version string of the vault_auth_tee plugin
|
||||
pub vault_auth_tee_version: String,
|
||||
/// the common cacert file for the vault cluster
|
||||
pub ca_cert_file: PathBuf,
|
||||
}
|
||||
|
||||
/// Server state
|
||||
|
@ -101,6 +103,9 @@ struct Args {
|
|||
vault_auth_tee_sha_file: Option<PathBuf>,
|
||||
#[arg(long, env = "VAULT_AUTH_TEE_VERSION")]
|
||||
vault_auth_tee_version: String,
|
||||
/// ca cert file
|
||||
#[arg(long, env = "CA_CERT_FILE", default_value = "/opt/vault/cacert.pem")]
|
||||
ca_cert_file: PathBuf,
|
||||
#[clap(flatten)]
|
||||
pub attestation: VaultAttestationArgs,
|
||||
}
|
||||
|
@ -156,6 +161,7 @@ async fn main() -> Result<()> {
|
|||
allowed_tcb_levels: Some(args.allowed_tcb_levels),
|
||||
vault_auth_tee_sha: args.vault_auth_tee_sha,
|
||||
vault_auth_tee_version: args.vault_auth_tee_version,
|
||||
ca_cert_file: args.ca_cert_file,
|
||||
});
|
||||
|
||||
let server_state = Arc::new(RwLock::new(server_state));
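Review bot: The new `ca_cert_file` value is copied into the config at line 81 without any check that the path exists or is readable, so a wrong `CA_CERT_FILE` only surfaces later, when the raft join tries to open it and answers with a 500. A fail-fast check in main before the server state is built, e.g. `std::fs::metadata(&args.ca_cert_file).context("CA cert file not accessible")?;` (if the `.context` used elsewhere in this crate is anyhow's, as the `Result<()>` return suggests), makes the misconfiguration visible at startup. The doc comment `/// ca cert file` on the argument at line 50 could also say what the file is for, mirroring the struct's own `/// the common cacert file for the vault cluster`, e.g. `/// PEM file with the common CA cert of the vault cluster, loaded as the TLS cert chain for the raft join`. main's body continues outside the hunk.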
|
||||
|
|
|
@ -130,7 +130,7 @@ pub async fn post_unseal(
|
|||
info!("Vault is unsealed and hopefully configured!");
|
||||
info!("Initiating raft join");
|
||||
// load TLS cert chain
|
||||
let mut cert_file = File::open("/opt/vault/tls/cacert.pem")
|
||||
let mut cert_file = File::open(&app.ca_cert_file)
|
||||
.context("Failed to open TLS cert chain")
|
||||
.status(StatusCode::INTERNAL_SERVER_ERROR)?;
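Review bot: Now that the opened path is configurable, the message at line 113 `Failed to open TLS cert chain` no longer tells an operator which file was missing or unreadable. Including the path, e.g. `.with_context(|| format!("Failed to open TLS cert chain {}", app.ca_cert_file.display()))` (if the context helper in use accepts a closure; otherwise build the string up front), keeps the resulting 500 diagnosable from the logs alone. post_unseal starts and ends outside the hunk.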
|
||||
|
||||
|
|
14
packages/container-vault-start-config/cacert.conf
Normal file
14
packages/container-vault-start-config/cacert.conf
Normal file
|
@ -0,0 +1,14 @@
|
|||
[ req ]
|
||||
distinguished_name = req_distinguished_name
|
||||
x509_extensions = v3_ca
|
||||
prompt = no
|
||||
|
||||
[ req_distinguished_name ]
|
||||
O = Test CA, Limited
|
||||
CN = Test CA
|
||||
|
||||
[ v3_ca ]
|
||||
subjectKeyIdentifier = hash
|
||||
authorityKeyIdentifier = keyid:always,issuer
|
||||
basicConstraints = critical,CA:true
|
||||
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
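Review bot: The new OpenSSL request config has no comment saying what it is for, and a reader finds only a `Test CA` subject; a header such as `# openssl req config used to generate cacert.pem, the common CA cert of the vault cluster` (if that is indeed how the sibling cacert.pem is produced) would tie the two files together. The `v3_ca` section also leaves `basicConstraints` without a path-length limit, so certificates issued under this CA may themselves be CAs; if only leaf certificates are ever issued from it, `basicConstraints = critical,CA:true,pathlen:0` narrows what the key can be used to sign. Whether subordinate CAs are needed is not visible from this change.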
|
|
@ -1,7 +1,7 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIFSDCCAzCgAwIBAgIUDjUfoOY4o+E38mka8ViQOPpHBhgwDQYJKoZIhvcNAQEL
|
||||
MIIFSzCCAzOgAwIBAgIUI3GSJC4gh0ywYnHvGadGnt6N/6EwDQYJKoZIhvcNAQEL
|
||||
BQAwLTEZMBcGA1UECgwQVGVzdCBDQSwgTGltaXRlZDEQMA4GA1UEAwwHVGVzdCBD
|
||||
QTAeFw0yMzA2MDYwNzU4MTNaFw0yNDA2MDUwNzU4MTNaMC0xGTAXBgNVBAoMEFRl
|
||||
QTAeFw0yNDA3MDMwOTExNDVaFw0zNDA3MDEwOTExNDVaMC0xGTAXBgNVBAoMEFRl
|
||||
c3QgQ0EsIExpbWl0ZWQxEDAOBgNVBAMMB1Rlc3QgQ0EwggIiMA0GCSqGSIb3DQEB
|
||||
AQUAA4ICDwAwggIKAoICAQD4hjplzpqaXoWL/8bex/zBStuYmBuOGvIELS5aiHfw
|
||||
XfGnOwIViIMf+ikuxASYj3AmEmPOCXXbUsARe/0cHn438rVbeFK6cJl/kXlwGMOy
|
||||
|
@ -14,18 +14,18 @@ dTfsMir/q50io/l3nbPlzA28GwlZ3owdi22/Tdc+yg7NxOHPpJ6ZULK6d9n1glV5
|
|||
PDkO9J8Ad1MZwkKKMh+tPdccNarUkdBj0K8tpZqBmjhMWQddwAd5MZGWS0VBKBZb
|
||||
b5Z9ivqZ70oQSx8HKE3EGWSfT6ZJVhQ4XDAdMpw+wQcZQ+6twIpAQU3k6imJ4yGz
|
||||
ZYIOF2izn8Z4vBE4I/vKrpFci3mBDIJl59x49uAi5KpTBeeY/lLMnFLRa5sDUtLn
|
||||
kwIDAQABo2AwXjAdBgNVHQ4EFgQU4ZHyVkjYaunC0Rk9PtDsk8nALhcwHwYDVR0j
|
||||
BBgwFoAU4ZHyVkjYaunC0Rk9PtDsk8nALhcwDwYDVR0TAQH/BAUwAwEB/zALBgNV
|
||||
HQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADggIBAIGigs3CZO1DdnaxZwUghMm95NAX
|
||||
D7vKYFAmoNtbVBv1NAfpv23XOhAzccEFGg20XEa1t2z0Nfct9NDXxZ2VCgU+9vws
|
||||
d96EBkufgnKrc/hLxRnVsExQxy5FKYz/d5LePeYd1OFS0bw+DRpzEnFZm34vpToj
|
||||
mku845LtHbeZEzaVdzaSu9m7YcoENGgGuOlsgvp/qB6MlxI0fHG5M2M5aLnIEyIv
|
||||
QAMmX42eJ09jhaLr8dl2zLImyIYO0dMO0NNl5gU01cpJ5REHJ3e3oUDUJ5ZZCL51
|
||||
/VYSd/btHYRCdH/w6FSUOGGwU38LhhbeD94103gkKS5bfIui77sY0F3jRIluVQci
|
||||
PnKzRNsfl5uL8KICDJtT6uNwkhSG4ucYNAb21eo6idzyMe4qdJz1poPjmph19rnU
|
||||
oAE/0+jqOyVErBZuRAL9wbQg1Prqx1WBsOIUyi5Y7qAUt+AuDt0uf4mdRnE1yDvw
|
||||
o0CIz3XLD1YoHXqJ/Nu1By1fI2zA0Y7osSX4SzfbD0EUXqjUyy80KrvKmJaV8lMd
|
||||
1/jGHuApNQjZFwbY+RN0OTtDk7zPAETaGz/15BEmVDpq0OAVqe0XrXpQfaYwHzzq
|
||||
TsOvVYZSj2gsDbKzM8tmCkLoS+Yh5ubxaoIE2qCjvFNXZwFzqQtDgBKQhjuE54+K
|
||||
lweZ5hgUkLPf5EW0
|
||||
kwIDAQABo2MwYTAdBgNVHQ4EFgQU4ZHyVkjYaunC0Rk9PtDsk8nALhcwHwYDVR0j
|
||||
BBgwFoAU4ZHyVkjYaunC0Rk9PtDsk8nALhcwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
|
||||
HQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQELBQADggIBAGkEXb0JkTTRY66Ro1JqHC1Q
|
||||
C1jPK9tdqAvIdCj0smgp7htKs4ib7WW6RAxwNuEU+1Ls3pizorU7y1pR/bLsqGae
|
||||
UykXjbJuR7Rk8DXAJScr5JOmUqzwKJVq6CQp2co9ccuJxhsPwvWhFPj7jWUXwaKT
|
||||
4UzGPZnfgQ3JfBRNND8CCLfDhKgHFkEsIodCw1BmGgOW8NGuIwDeJuhslT8Cjvmg
|
||||
VQ6Xxkv3TJvMOti5hdql2VnYZZDSZfBuJ2rOp1Z6L+yxiTVg0suAUsypTh9oIup3
|
||||
uSA2InYdHF40XB2nNYlsZZkdNowHiadGn5oG8JWe1ovSjnSaCyWt3LgWrteYciUH
|
||||
TL5FFmwLa8CTQvvJD6O/GnV4o4BIpUxeouRiDHHoEDvKtrOdmvSxNeChJNrFBWUs
|
||||
RFlZndkxI8rai3ntZrOgveb4HkGTsMkLu2fuOaD86Zt/1jigwkYSUTPZR54b0UGw
|
||||
2v4OySN/lLMh0/jgU8pA7LxmuKbiTVS4mooJn5fr10neHLK/M1wpvCBfaYS0Z+C5
|
||||
iD1XTNksNSoE3QByFWl03uYZG6hwTTRrd7cLs1Q8cww1DXjk43GsXteUuooniF4T
|
||||
kqrQm/RPexGk9fHWfkMmM0PQeO0PpBU3Dnz0eZWVRMsFIU8vQzx4AS3nx1pafCHw
|
||||
VWUxQhezhtddld0pMJe+
|
||||
-----END CERTIFICATE-----
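Review bot: The replacement certificate keeps the same subjectKeyIdentifier as the one it replaces (the run `4ZHyVkjYaunC0Rk9PtDsk8nALhc` appears in both the old lines 216–219 and the new lines 258–261), which indicates the CA certificate was re-issued over the existing key pair rather than a fresh key. Decoding the validity fields in the base64 (line 188 versus 191) suggests the old certificate expired in June 2024 and the new one appears valid from 2024-07-03 until 2034-07-01; neither the commit message nor the file says so. A short note in the commit or beside the file stating why the certificate was regenerated, that the key was reused, and where the private key for this `Test CA` is kept would help whoever has to rotate it next.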
|
||||
|
|
|
@ -12,6 +12,7 @@ nixsgxLib.mkSGXContainer {
|
|||
inherit tag isAzure;
|
||||
|
||||
packages = [
|
||||
teepot.container-vault-start-config
|
||||
vat.vault-auth-tee.sha
|
||||
teepot.teepot.tee_vault_unseal
|
||||
];
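Review bot: Adding `teepot.container-vault-start-config` to the unseal container's packages is presumably what makes `/opt/vault/cacert.pem` (the `CA_CERT_FILE` default in main.rs) exist at runtime, but nothing in this file records that link, and the package name suggests it ships more than the cert. A comment on the new line, e.g. `# provides /opt/vault/cacert.pem, the CA_CERT_FILE default of tee_vault_unseal`, keeps the two in step when either path changes. The mkSGXContainer call continues outside the hunk.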
|
||||
|
|