From 260b2d43644dc915892081a922210d6c3b72e142 Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Sun, 3 May 2026 00:10:08 +1000
Subject: [PATCH] chore: mount vault CA cert for Node.js TLS trust in paperclip (#108)

Mount the vault-ca-cert secret and set NODE_EXTRA_CA_CERTS so Node.js trusts the internal CA chain when making outbound TLS connections.

Reviewed-on: https://git.unkin.net/unkin/argocd-apps/pulls/108
---
 apps/base/paperclip/deployment.yaml | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/apps/base/paperclip/deployment.yaml b/apps/base/paperclip/deployment.yaml
index 39d0616..e6e88c4 100644
--- a/apps/base/paperclip/deployment.yaml
+++ b/apps/base/paperclip/deployment.yaml
@@ -58,9 +58,15 @@ spec:
 value: https://radosgw.service.consul
 - name: PAPERCLIP_STORAGE_S3_FORCE_PATH_STYLE
 value: "true"
+ - name: NODE_EXTRA_CA_CERTS
+ value: /etc/ssl/paperclip/ca.crt
 envFrom:
 - secretRef:
 name: paperclip-credentials
+ volumeMounts:
+ - name: vault-ca-cert
+ mountPath: /etc/ssl/paperclip
+ readOnly: true
 livenessProbe:
 httpGet:
 path: /api/health
@@ -92,4 +98,11 @@ spec:
 requests:
 cpu: 250m
 memory: 512Mi
+ volumes:
+ - name: vault-ca-cert
+ secret:
+ secretName: vault-ca-cert
+ items:
+ - key: ca.crt
+ path: ca.crt
 restartPolicy: Always
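Review bot: The `NODE_EXTRA_CA_CERTS` entry added to the container env has no comment covering two operational facts: Node.js loads that file once per process, so a rotated `vault-ca-cert` is not trusted until the pod restarts, and the CA becomes trusted for every outbound TLS connection the process makes, not only the internal endpoints. I would add above it `# Extra CA is read once at process start; restart pods after rotating vault-ca-cert`. The value also has to stay equal to the `mountPath` plus the `items[].path` from the second hunk, because Node only emits a warning when the file is missing or malformed and TLS errors then surface later at connection time. The container spec starts and ends outside the hunk.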
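Review bot: The `vault-ca-cert` volume in the second hunk is a required secret in a base manifest, so any overlay or namespace that lacks the secret or its `ca.crt` key will leave the pod unable to start; whether every target has it is not visible from this patch. That fail-closed behaviour is the safer choice and is worth stating so nobody later adds `optional: true`, which would let Node start without the internal CA. Suggested comment above the volume: `# Required on purpose: the pod must not start without ca.crt`. The pod spec continues outside the hunk.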