diff --git a/bin/tee-vault-unseal/src/main.rs b/bin/tee-vault-unseal/src/main.rs
index 2244c5a..4b62483 100644
--- a/bin/tee-vault-unseal/src/main.rs
+++ b/bin/tee-vault-unseal/src/main.rs
@@ -61,6 +61,8 @@ pub struct UnsealServerConfig {
 pub vault_auth_tee_sha: String,
 /// version string of the vault_auth_tee plugin
 pub vault_auth_tee_version: String,
+ /// the common cacert file for the vault cluster
+ pub ca_cert_file: PathBuf,
 }
 
 /// Server state
@@ -101,6 +103,9 @@ struct Args {
 vault_auth_tee_sha_file: Option,
 #[arg(long, env = "VAULT_AUTH_TEE_VERSION")]
 vault_auth_tee_version: String,
+ /// ca cert file
+ #[arg(long, env = "CA_CERT_FILE", default_value = "/opt/vault/cacert.pem")]
+ ca_cert_file: PathBuf,
 #[clap(flatten)]
 pub attestation: VaultAttestationArgs,
 }
@@ -156,6 +161,7 @@ async fn main() -> Result<()> {
 allowed_tcb_levels: Some(args.allowed_tcb_levels),
 vault_auth_tee_sha: args.vault_auth_tee_sha,
 vault_auth_tee_version: args.vault_auth_tee_version,
+ ca_cert_file: args.ca_cert_file,
 });
 
 let server_state = Arc::new(RwLock::new(server_state));
diff --git a/bin/tee-vault-unseal/src/unseal.rs b/bin/tee-vault-unseal/src/unseal.rs
index 0dee3d0..7d2c011 100644
--- a/bin/tee-vault-unseal/src/unseal.rs
+++ b/bin/tee-vault-unseal/src/unseal.rs
@@ -130,7 +130,7 @@ pub async fn post_unseal(
 info!("Vault is unsealed and hopefully configured!");
 info!("Initiating raft join");
 // load TLS cert chain
- let mut cert_file = File::open("/opt/vault/tls/cacert.pem")
+ let mut cert_file = File::open(&app.ca_cert_file)
 .context("Failed to open TLS cert chain")
 .status(StatusCode::INTERNAL_SERVER_ERROR)?;
 
diff --git a/packages/container-vault-start-config/cacert.conf b/packages/container-vault-start-config/cacert.conf
new file mode 100644
index 0000000..90b802f
--- /dev/null
+++ b/packages/container-vault-start-config/cacert.conf
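Review bot: Binding `ca_cert_file` to `env = "CA_CERT_FILE"` turns the trust anchor for the Vault TLS chain into a runtime input of the unseal service: whatever path the environment names is what `post_unseal` opens as the CA before the raft join. In an SGX deployment that is only safe if the enclave manifest fixes that variable (or the default path inside the image) instead of passing it through from the untrusted host, since a host-chosen CA would let a rogue Vault endpoint pass the TLS check; the manifest is not visible from this hunk, so please confirm, and record the requirement on the field, e.g. `/// CA cert file for the vault cluster; must point into the measured image, never a host-supplied path`. The added doc comment `/// ca cert file` is also thinner than its sibling fields, which say what the value is used for. The `Args` struct begins outside the hunk.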
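Review bot: The `.context("Failed to open TLS cert chain")` following the changed `File::open(&app.ca_cert_file)` line does not name the file, and now that the path is operator-supplied through `CA_CERT_FILE` a typo surfaces as an opaque 500 with nothing in the log saying which path was tried; if that `.context` is anyhow's, `.with_context(|| format!("Failed to open TLS cert chain {}", app.ca_cert_file.display()))` fixes it in one line. The effective default also moves from `/opt/vault/tls/cacert.pem` to `/opt/vault/cacert.pem`, so deployments relying on the old location will fail at raft join until they set `CA_CERT_FILE`; that deserves a sentence in the commit message or changelog. `post_unseal` starts and ends outside the hunk.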
@@ -0,0 +1,14 @@
+[ req ]
+distinguished_name = req_distinguished_name
+x509_extensions = v3_ca
+prompt = no
+
+[ req_distinguished_name ]
+O = Test CA, Limited
+CN = Test CA
+
+[ v3_ca ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical,CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
diff --git a/packages/container-vault-start-config/cacert.pem b/packages/container-vault-start-config/cacert.pem
index 405b43f..d4289dc 100644
--- a/packages/container-vault-start-config/cacert.pem
+++ b/packages/container-vault-start-config/cacert.pem
@@ -1,7 +1,7 @@
 -----BEGIN CERTIFICATE-----
-MIIFSDCCAzCgAwIBAgIUDjUfoOY4o+E38mka8ViQOPpHBhgwDQYJKoZIhvcNAQEL
+MIIFSzCCAzOgAwIBAgIUI3GSJC4gh0ywYnHvGadGnt6N/6EwDQYJKoZIhvcNAQEL
 BQAwLTEZMBcGA1UECgwQVGVzdCBDQSwgTGltaXRlZDEQMA4GA1UEAwwHVGVzdCBD
-QTAeFw0yMzA2MDYwNzU4MTNaFw0yNDA2MDUwNzU4MTNaMC0xGTAXBgNVBAoMEFRl
+QTAeFw0yNDA3MDMwOTExNDVaFw0zNDA3MDEwOTExNDVaMC0xGTAXBgNVBAoMEFRl
 c3QgQ0EsIExpbWl0ZWQxEDAOBgNVBAMMB1Rlc3QgQ0EwggIiMA0GCSqGSIb3DQEB
 AQUAA4ICDwAwggIKAoICAQD4hjplzpqaXoWL/8bex/zBStuYmBuOGvIELS5aiHfw
 XfGnOwIViIMf+ikuxASYj3AmEmPOCXXbUsARe/0cHn438rVbeFK6cJl/kXlwGMOy
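Review bot: `cacert.conf` carries no comment saying what it is for, and nothing in it marks the resulting CA as development-only even though the regenerated `cacert.pem` in this commit (validity 2024-07-03 to 2034-07-01, i.e. ten years) is what the unseal container will trust. Add a header so nobody promotes it by accident, e.g. `# OpenSSL request config for the development/test CA shipped as cacert.pem.` followed by `# Production deployments must supply their own CA via CA_CERT_FILE; never commit the matching private key.` The subject `O = Test CA, Limited` / `CN = Test CA` is the only hint today. The validity period is not set in this file, so presumably it comes from the openssl command line; noting that command in the same header would make the certificate reproducible.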
@@ -14,18 +14,18 @@ dTfsMir/q50io/l3nbPlzA28GwlZ3owdi22/Tdc+yg7NxOHPpJ6ZULK6d9n1glV5 PDkO9J8Ad1MZwkKKMh+tPdccNarUkdBj0K8tpZqBmjhMWQddwAd5MZGWS0VBKBZb b5Z9ivqZ70oQSx8HKE3EGWSfT6ZJVhQ4XDAdMpw+wQcZQ+6twIpAQU3k6imJ4yGz ZYIOF2izn8Z4vBE4I/vKrpFci3mBDIJl59x49uAi5KpTBeeY/lLMnFLRa5sDUtLn -kwIDAQABo2AwXjAdBgNVHQ4EFgQU4ZHyVkjYaunC0Rk9PtDsk8nALhcwHwYDVR0j -BBgwFoAU4ZHyVkjYaunC0Rk9PtDsk8nALhcwDwYDVR0TAQH/BAUwAwEB/zALBgNV -HQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADggIBAIGigs3CZO1DdnaxZwUghMm95NAX -D7vKYFAmoNtbVBv1NAfpv23XOhAzccEFGg20XEa1t2z0Nfct9NDXxZ2VCgU+9vws -d96EBkufgnKrc/hLxRnVsExQxy5FKYz/d5LePeYd1OFS0bw+DRpzEnFZm34vpToj -mku845LtHbeZEzaVdzaSu9m7YcoENGgGuOlsgvp/qB6MlxI0fHG5M2M5aLnIEyIv -QAMmX42eJ09jhaLr8dl2zLImyIYO0dMO0NNl5gU01cpJ5REHJ3e3oUDUJ5ZZCL51 -/VYSd/btHYRCdH/w6FSUOGGwU38LhhbeD94103gkKS5bfIui77sY0F3jRIluVQci -PnKzRNsfl5uL8KICDJtT6uNwkhSG4ucYNAb21eo6idzyMe4qdJz1poPjmph19rnU -oAE/0+jqOyVErBZuRAL9wbQg1Prqx1WBsOIUyi5Y7qAUt+AuDt0uf4mdRnE1yDvw -o0CIz3XLD1YoHXqJ/Nu1By1fI2zA0Y7osSX4SzfbD0EUXqjUyy80KrvKmJaV8lMd -1/jGHuApNQjZFwbY+RN0OTtDk7zPAETaGz/15BEmVDpq0OAVqe0XrXpQfaYwHzzq -TsOvVYZSj2gsDbKzM8tmCkLoS+Yh5ubxaoIE2qCjvFNXZwFzqQtDgBKQhjuE54+K -lweZ5hgUkLPf5EW0 +kwIDAQABo2MwYTAdBgNVHQ4EFgQU4ZHyVkjYaunC0Rk9PtDsk8nALhcwHwYDVR0j +BBgwFoAU4ZHyVkjYaunC0Rk9PtDsk8nALhcwDwYDVR0TAQH/BAUwAwEB/zAOBgNV +HQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQELBQADggIBAGkEXb0JkTTRY66Ro1JqHC1Q +C1jPK9tdqAvIdCj0smgp7htKs4ib7WW6RAxwNuEU+1Ls3pizorU7y1pR/bLsqGae +UykXjbJuR7Rk8DXAJScr5JOmUqzwKJVq6CQp2co9ccuJxhsPwvWhFPj7jWUXwaKT +4UzGPZnfgQ3JfBRNND8CCLfDhKgHFkEsIodCw1BmGgOW8NGuIwDeJuhslT8Cjvmg +VQ6Xxkv3TJvMOti5hdql2VnYZZDSZfBuJ2rOp1Z6L+yxiTVg0suAUsypTh9oIup3 +uSA2InYdHF40XB2nNYlsZZkdNowHiadGn5oG8JWe1ovSjnSaCyWt3LgWrteYciUH +TL5FFmwLa8CTQvvJD6O/GnV4o4BIpUxeouRiDHHoEDvKtrOdmvSxNeChJNrFBWUs +RFlZndkxI8rai3ntZrOgveb4HkGTsMkLu2fuOaD86Zt/1jigwkYSUTPZR54b0UGw +2v4OySN/lLMh0/jgU8pA7LxmuKbiTVS4mooJn5fr10neHLK/M1wpvCBfaYS0Z+C5 +iD1XTNksNSoE3QByFWl03uYZG6hwTTRrd7cLs1Q8cww1DXjk43GsXteUuooniF4T 
+kqrQm/RPexGk9fHWfkMmM0PQeO0PpBU3Dnz0eZWVRMsFIU8vQzx4AS3nx1pafCHw
+VWUxQhezhtddld0pMJe+
 -----END CERTIFICATE-----
diff --git a/packages/container-vault-unseal-sgx-azure/default.nix b/packages/container-vault-unseal-sgx-azure/default.nix
index 3ec1271..a981866 100644
--- a/packages/container-vault-unseal-sgx-azure/default.nix
+++ b/packages/container-vault-unseal-sgx-azure/default.nix
@@ -12,6 +12,7 @@ nixsgxLib.mkSGXContainer {
 inherit tag isAzure;
 packages = [
+ teepot.container-vault-start-config
 vat.vault-auth-tee.sha
 teepot.teepot.tee_vault_unseal
 ];
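Review bot: Adding `teepot.container-vault-start-config` to `packages` only helps the unseal service if that package installs `cacert.pem` at `/opt/vault/cacert.pem`, the `CA_CERT_FILE` default introduced in `main.rs`; nothing in this hunk ties the two together, so a mismatch would only show up at raft join as a failed `File::open`. If the package exposes the installed path, consider passing it explicitly in the container's environment (or checking at build time that the file exists) rather than relying on the literal default. The `mkSGXContainer` call begins outside the hunk.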