mirror of
https://github.com/matter-labs/teepot.git
synced 2025-07-21 15:13:56 +02:00
fix: update the common cacert and include it in the unseal container
The previous cacert expired. A new one was created and also included in the unseal container. The path to access the cacert was fixed in the unseal app and made configurable via an environment variable.
This commit is contained in:
Harald Hoyer
parent
e3feac1cc3
commit
f1b8a48a6a
GPG key ID:
F519A1143B3FBE32
5 changed files with 38 additions and 17 deletions
|
|
@ -61,6 +61,8 @@ pub struct UnsealServerConfig {
|
|||
pub vault_auth_tee_sha: String,
|
||||
/// version string of the vault_auth_tee plugin
|
||||
pub vault_auth_tee_version: String,
|
||||
/// the common cacert file for the vault cluster
|
||||
pub ca_cert_file: PathBuf,
|
||||
}
|
||||
|
||||
/// Server state
|
||||
|
|
@ -101,6 +103,9 @@ struct Args {
|
|||
vault_auth_tee_sha_file: Option<PathBuf>,
|
||||
#[arg(long, env = "VAULT_AUTH_TEE_VERSION")]
|
||||
vault_auth_tee_version: String,
|
||||
/// ca cert file
|
||||
#[arg(long, env = "CA_CERT_FILE", default_value = "/opt/vault/cacert.pem")]
|
||||
ca_cert_file: PathBuf,
|
||||
#[clap(flatten)]
|
||||
pub attestation: VaultAttestationArgs,
|
||||
}
|
||||
|
|
@ -156,6 +161,7 @@ async fn main() -> Result<()> {
|
|||
allowed_tcb_levels: Some(args.allowed_tcb_levels),
|
||||
vault_auth_tee_sha: args.vault_auth_tee_sha,
|
||||
vault_auth_tee_version: args.vault_auth_tee_version,
|
||||
ca_cert_file: args.ca_cert_file,
|
||||
});
|
||||
|
||||
let server_state = Arc::new(RwLock::new(server_state));
|
||||
|
|
|
|||
|
|
@ -130,7 +130,7 @@ pub async fn post_unseal(
|
|||
info!("Vault is unsealed and hopefully configured!");
|
||||
info!("Initiating raft join");
|
||||
// load TLS cert chain
|
||||
let mut cert_file = File::open("/opt/vault/tls/cacert.pem")
|
||||
let mut cert_file = File::open(&app.ca_cert_file)
|
||||
.context("Failed to open TLS cert chain")
|
||||
.status(StatusCode::INTERNAL_SERVER_ERROR)?;
|
||||
|
||||
|
|
|
|||
14
packages/container-vault-start-config/cacert.conf
Normal file
14
packages/container-vault-start-config/cacert.conf
Normal file
|
|
@ -0,0 +1,14 @@
|
|||
[ req ]
|
||||
distinguished_name = req_distinguished_name
|
||||
x509_extensions = v3_ca
|
||||
prompt = no
|
||||
|
||||
[ req_distinguished_name ]
|
||||
O = Test CA, Limited
|
||||
CN = Test CA
|
||||
|
||||
[ v3_ca ]
|
||||
subjectKeyIdentifier = hash
|
||||
authorityKeyIdentifier = keyid:always,issuer
|
||||
basicConstraints = critical,CA:true
|
||||
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
|
||||
|
|
@ -1,7 +1,7 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIFSDCCAzCgAwIBAgIUDjUfoOY4o+E38mka8ViQOPpHBhgwDQYJKoZIhvcNAQEL
|
||||
MIIFSzCCAzOgAwIBAgIUI3GSJC4gh0ywYnHvGadGnt6N/6EwDQYJKoZIhvcNAQEL
|
||||
BQAwLTEZMBcGA1UECgwQVGVzdCBDQSwgTGltaXRlZDEQMA4GA1UEAwwHVGVzdCBD
|
||||
QTAeFw0yMzA2MDYwNzU4MTNaFw0yNDA2MDUwNzU4MTNaMC0xGTAXBgNVBAoMEFRl
|
||||
QTAeFw0yNDA3MDMwOTExNDVaFw0zNDA3MDEwOTExNDVaMC0xGTAXBgNVBAoMEFRl
|
||||
c3QgQ0EsIExpbWl0ZWQxEDAOBgNVBAMMB1Rlc3QgQ0EwggIiMA0GCSqGSIb3DQEB
|
||||
AQUAA4ICDwAwggIKAoICAQD4hjplzpqaXoWL/8bex/zBStuYmBuOGvIELS5aiHfw
|
||||
XfGnOwIViIMf+ikuxASYj3AmEmPOCXXbUsARe/0cHn438rVbeFK6cJl/kXlwGMOy
|
||||
|
|
@ -14,18 +14,18 @@ dTfsMir/q50io/l3nbPlzA28GwlZ3owdi22/Tdc+yg7NxOHPpJ6ZULK6d9n1glV5
|
|||
PDkO9J8Ad1MZwkKKMh+tPdccNarUkdBj0K8tpZqBmjhMWQddwAd5MZGWS0VBKBZb
|
||||
b5Z9ivqZ70oQSx8HKE3EGWSfT6ZJVhQ4XDAdMpw+wQcZQ+6twIpAQU3k6imJ4yGz
|
||||
ZYIOF2izn8Z4vBE4I/vKrpFci3mBDIJl59x49uAi5KpTBeeY/lLMnFLRa5sDUtLn
|
||||
kwIDAQABo2AwXjAdBgNVHQ4EFgQU4ZHyVkjYaunC0Rk9PtDsk8nALhcwHwYDVR0j
|
||||
BBgwFoAU4ZHyVkjYaunC0Rk9PtDsk8nALhcwDwYDVR0TAQH/BAUwAwEB/zALBgNV
|
||||
HQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADggIBAIGigs3CZO1DdnaxZwUghMm95NAX
|
||||
D7vKYFAmoNtbVBv1NAfpv23XOhAzccEFGg20XEa1t2z0Nfct9NDXxZ2VCgU+9vws
|
||||
d96EBkufgnKrc/hLxRnVsExQxy5FKYz/d5LePeYd1OFS0bw+DRpzEnFZm34vpToj
|
||||
mku845LtHbeZEzaVdzaSu9m7YcoENGgGuOlsgvp/qB6MlxI0fHG5M2M5aLnIEyIv
|
||||
QAMmX42eJ09jhaLr8dl2zLImyIYO0dMO0NNl5gU01cpJ5REHJ3e3oUDUJ5ZZCL51
|
||||
/VYSd/btHYRCdH/w6FSUOGGwU38LhhbeD94103gkKS5bfIui77sY0F3jRIluVQci
|
||||
PnKzRNsfl5uL8KICDJtT6uNwkhSG4ucYNAb21eo6idzyMe4qdJz1poPjmph19rnU
|
||||
oAE/0+jqOyVErBZuRAL9wbQg1Prqx1WBsOIUyi5Y7qAUt+AuDt0uf4mdRnE1yDvw
|
||||
o0CIz3XLD1YoHXqJ/Nu1By1fI2zA0Y7osSX4SzfbD0EUXqjUyy80KrvKmJaV8lMd
|
||||
1/jGHuApNQjZFwbY+RN0OTtDk7zPAETaGz/15BEmVDpq0OAVqe0XrXpQfaYwHzzq
|
||||
TsOvVYZSj2gsDbKzM8tmCkLoS+Yh5ubxaoIE2qCjvFNXZwFzqQtDgBKQhjuE54+K
|
||||
lweZ5hgUkLPf5EW0
|
||||
kwIDAQABo2MwYTAdBgNVHQ4EFgQU4ZHyVkjYaunC0Rk9PtDsk8nALhcwHwYDVR0j
|
||||
BBgwFoAU4ZHyVkjYaunC0Rk9PtDsk8nALhcwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
|
||||
HQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQELBQADggIBAGkEXb0JkTTRY66Ro1JqHC1Q
|
||||
C1jPK9tdqAvIdCj0smgp7htKs4ib7WW6RAxwNuEU+1Ls3pizorU7y1pR/bLsqGae
|
||||
UykXjbJuR7Rk8DXAJScr5JOmUqzwKJVq6CQp2co9ccuJxhsPwvWhFPj7jWUXwaKT
|
||||
4UzGPZnfgQ3JfBRNND8CCLfDhKgHFkEsIodCw1BmGgOW8NGuIwDeJuhslT8Cjvmg
|
||||
VQ6Xxkv3TJvMOti5hdql2VnYZZDSZfBuJ2rOp1Z6L+yxiTVg0suAUsypTh9oIup3
|
||||
uSA2InYdHF40XB2nNYlsZZkdNowHiadGn5oG8JWe1ovSjnSaCyWt3LgWrteYciUH
|
||||
TL5FFmwLa8CTQvvJD6O/GnV4o4BIpUxeouRiDHHoEDvKtrOdmvSxNeChJNrFBWUs
|
||||
RFlZndkxI8rai3ntZrOgveb4HkGTsMkLu2fuOaD86Zt/1jigwkYSUTPZR54b0UGw
|
||||
2v4OySN/lLMh0/jgU8pA7LxmuKbiTVS4mooJn5fr10neHLK/M1wpvCBfaYS0Z+C5
|
||||
iD1XTNksNSoE3QByFWl03uYZG6hwTTRrd7cLs1Q8cww1DXjk43GsXteUuooniF4T
|
||||
kqrQm/RPexGk9fHWfkMmM0PQeO0PpBU3Dnz0eZWVRMsFIU8vQzx4AS3nx1pafCHw
|
||||
VWUxQhezhtddld0pMJe+
|
||||
-----END CERTIFICATE-----
|
||||
|
|
|
|||
|
|
@ -12,6 +12,7 @@ nixsgxLib.mkSGXContainer {
|
|||
inherit tag isAzure;
|
||||
|
||||
packages = [
|
||||
teepot.container-vault-start-config
|
||||
vat.vault-auth-tee.sha
|
||||
teepot.teepot.tee_vault_unseal
|
||||
];
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue