From b4d69c8d7293554b18cd9e72e4e1eca8315796b7 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sun, 3 May 2026 00:08:11 +1000 Subject: [PATCH] chore: mount vault CA cert for Node.js TLS trust in paperclip Mount the vault-ca-cert secret and set NODE_EXTRA_CA_CERTS so Node.js trusts the internal CA chain when making outbound TLS connections. --- apps/base/paperclip/deployment.yaml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/apps/base/paperclip/deployment.yaml b/apps/base/paperclip/deployment.yaml index 39d0616..e6e88c4 100644 --- a/apps/base/paperclip/deployment.yaml +++ b/apps/base/paperclip/deployment.yaml @@ -58,9 +58,15 @@ spec: value: https://radosgw.service.consul - name: PAPERCLIP_STORAGE_S3_FORCE_PATH_STYLE value: "true" + - name: NODE_EXTRA_CA_CERTS + value: /etc/ssl/paperclip/ca.crt envFrom: - secretRef: name: paperclip-credentials + volumeMounts: + - name: vault-ca-cert + mountPath: /etc/ssl/paperclip + readOnly: true livenessProbe: httpGet: path: /api/health @@ -92,4 +98,11 @@ spec: requests: cpu: 250m memory: 512Mi + volumes: + - name: vault-ca-cert + secret: + secretName: vault-ca-cert + items: + - key: ca.crt + path: ca.crt restartPolicy: Always