feat: enable access to vault certificate

- puppet now automatically trusts vault certs for some clients
- ensure build job can access vault certs

.gitea/workflows/build.yaml

@@ -29,4 +29,5 @@ jobs:
         env:
           VAULT_ROLEID: ${{ secrets.TERRAFORM_INCUS_VAULT_ROLEID }}
         run: |
+          ls -lh /etc/pki/tls/vault
           make plan

.gitea/workflows/deploy.yaml

@@ -11,7 +11,7 @@ jobs:
     runs-on: almalinux-8
     container:
       image: git.unkin.net/unkin/almalinux9-actionsdind:latest
-      options: "--privileged --volume /etc/pki/tls/vault:/etc/pki/tls/vault:ro"
+      options: --privileged
 
     steps:
       - name: Checkout code

Makefile

@@ -21,16 +21,8 @@ define vault_env
 	mkdir -p $$INCUS_CONFIG_DIR/servercerts && \
 	printf '%s\n' "$$INCUS_CONF_INCUSIMAGES_CERT" > $$INCUS_CONFIG_DIR/servercerts/incus-images.crt && \
 	printf '%s\n' "$$INCUS_CONF_CONFIG_YAML" > $$INCUS_CONFIG_DIR/config.yaml && \
-	if [ -f /etc/pki/tls/vault/certificate.crt ] && [ -f /etc/pki/tls/vault/private.key ]; then \
+	printf '%s\n' "$$INCUS_CLIENT_CRT" > $$INCUS_CONFIG_DIR/client.crt && \
-		cp /etc/pki/tls/vault/certificate.crt $$INCUS_CONFIG_DIR/client.crt && \
+	printf '%s\n' "$$INCUS_CLIENT_KEY" > $$INCUS_CONFIG_DIR/client.key
-		cp /etc/pki/tls/vault/private.key $$INCUS_CONFIG_DIR/client.key; \
-	elif [ -f $$HOME/.config/incus/client.crt ] && [ -f $$HOME/.config/incus/client.key ]; then \
-		cp $$HOME/.config/incus/client.crt $$INCUS_CONFIG_DIR/client.crt && \
-		cp $$HOME/.config/incus/client.key $$INCUS_CONFIG_DIR/client.key; \
-	else \
-		printf '%s\n' "$$INCUS_CLIENT_CRT" > $$INCUS_CONFIG_DIR/client.crt && \
-		printf '%s\n' "$$INCUS_CLIENT_KEY" > $$INCUS_CONFIG_DIR/client.key; \
-	fi
 endef
 
 clean: