fix: update the common cacert and include it in the unseal container

The previous cacert expired. A new one was created and also included in the unseal container. The path to access the cacert was fixed in the unseal app and made configurable via an environment variable.
2025-07-23 16:04:46 +02:00 · 2024-07-03 11:23:54 +02:00 · 2024-07-03 11:23:54 +02:00 · f1b8a48a6a
commit f1b8a48a6a
parent e3feac1cc3
5 changed files with 38 additions and 17 deletions
--- a/bin/tee-vault-unseal/src/unseal.rs
+++ b/bin/tee-vault-unseal/src/unseal.rs
@ -130,7 +130,7 @@ pub async fn post_unseal(
                info!("Vault is unsealed and hopefully configured!");
                info!("Initiating raft join");
                // load TLS cert chain
-                let mut cert_file = File::open("/opt/vault/tls/cacert.pem")
+                let mut cert_file = File::open(&app.ca_cert_file)
                    .context("Failed to open TLS cert chain")
                    .status(StatusCode::INTERNAL_SERVER_ERROR)?;