feat: enable access to vault certificate

- puppet now automatically trusts vault certs for some clients - ensure build job can access vault certs, or use client.* in .config/incus
2025-10-17 17:17:42 +11:00 · 2025-10-17 17:17:42 +11:00 · 5e090e9de5
commit 5e090e9de5
parent cd9b965016
3 changed files with 12 additions and 4 deletions
--- a/.gitea/workflows/build.yaml
+++ b/.gitea/workflows/build.yaml
@ -9,7 +9,7 @@ jobs:
    runs-on: almalinux-8
    container:
      image: git.unkin.net/unkin/almalinux9-actionsdind:latest
-      options: --privileged
+      options: "--privileged --volume /etc/pki/tls/vault:/etc/pki/tls/vault:ro"
    steps:
      - name: Checkout code
--- a/.gitea/workflows/deploy.yaml
+++ b/.gitea/workflows/deploy.yaml
@ -11,7 +11,7 @@ jobs:
    runs-on: almalinux-8
    container:
      image: git.unkin.net/unkin/almalinux9-actionsdind:latest
-      options: --privileged
+      options: "--privileged --volume /etc/pki/tls/vault:/etc/pki/tls/vault:ro"
    steps:
      - name: Checkout code
--- a/10
+++ b/10
@ -21,8 +21,16 @@ define vault_env
 	mkdir -p $$INCUS_CONFIG_DIR/servercerts && \
 	printf '%s\n' "$$INCUS_CONF_INCUSIMAGES_CERT" > $$INCUS_CONFIG_DIR/servercerts/incus-images.crt && \
 	printf '%s\n' "$$INCUS_CONF_CONFIG_YAML" > $$INCUS_CONFIG_DIR/config.yaml && \
 	if [ -f /etc/pki/tls/vault/certificate.crt ] && [ -f /etc/pki/tls/vault/private.key ]; then \
 		cp /etc/pki/tls/vault/certificate.crt $$INCUS_CONFIG_DIR/client.crt && \
 		cp /etc/pki/tls/vault/private.key $$INCUS_CONFIG_DIR/client.key; \
 	elif [ -f $$HOME/.config/incus/client.crt ] && [ -f $$HOME/.config/incus/client.key ]; then \
 		cp $$HOME/.config/incus/client.crt $$INCUS_CONFIG_DIR/client.crt && \
 		cp $$HOME/.config/incus/client.key $$INCUS_CONFIG_DIR/client.key; \
 	else \
 		printf '%s\n' "$$INCUS_CLIENT_CRT" > $$INCUS_CONFIG_DIR/client.crt && \
-	printf '%s\n' "$$INCUS_CLIENT_KEY" > $$INCUS_CONFIG_DIR/client.key
+		printf '%s\n' "$$INCUS_CLIENT_KEY" > $$INCUS_CONFIG_DIR/client.key; \
 	fi
 endef
 clean: