Fix Vault CLI mTLS issue - unset client cert env vars before CLI commands

This commit is contained in:
Rodrigo Rodriguez (Pragmatismo) 2025-12-08 09:14:31 -03:00
parent f7ccc95e60
commit 89ff716bef
2 changed files with 17 additions and 16 deletions


@ -1,7 +1,7 @@
{ {
"base_url": "http://localhost:8080", "base_url": "http://localhost:8080",
"default_org": { "default_org": {
"id": "350084341642035214", "id": "350139980594544654",
"name": "default", "name": "default",
"domain": "default.localhost" "domain": "default.localhost"
}, },
@ -13,8 +13,8 @@
"first_name": "Admin", "first_name": "Admin",
"last_name": "User" "last_name": "User"
}, },
"admin_token": "6ToEETpAOVIPWXcuF9IclFdb4uGR0pDZvsA02rTVTUkhthzbH3MYjkJQB7OnNMHAQIFlreU", "admin_token": "WFe8gHNf6oPO6B9S1sPlRyIgrAz1hsrao4k1NwuGOXb0GyGb4U2ZKysQb4jab0YLDMQKZ4o",
"project_id": "", "project_id": "",
"client_id": "350084343638589454", "client_id": "350139982339440654",
"client_secret": "7rAHHUIiv04O3itDpnHbetUpH3JzG4TLP6zuL07x6TaPiUzTq1Ut3II1le8plTeG" "client_secret": "iQ3yc8eQpjJtttpOvzZs2pcUp2tkRwnhqvzC13dbj2tKGrfaeksjRg5wMFO0pAKP"
} }
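Review bot: The `admin_token` and `client_secret` values on the new side of this section are real-looking credentials committed to the repository alongside the `client_id`/org ids; even for a `http://localhost:8080` development setup, once these are in git history they should be treated as burned and the file should be regenerated locally rather than versioned. If this file is a setup artefact written by the bootstrap code (the ids and secrets change on every run, which suggests it is), consider adding it to `.gitignore` and committing a template with empty fields instead, e.g. `"admin_token": "", "client_secret": ""`. If the values are only ever used against the local directory service, a one-line comment in the generator noting that would make the trade-off explicit.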


@ -1101,10 +1101,11 @@ meet IN A 127.0.0.1
} else { } else {
// Initialize Vault if not already done // Initialize Vault if not already done
info!("Initializing Vault..."); info!("Initializing Vault...");
// Clear any mTLS env vars that might interfere with CLI
let init_output = std::process::Command::new("sh") let init_output = std::process::Command::new("sh")
.arg("-c") .arg("-c")
.arg(format!( .arg(format!(
"VAULT_ADDR={} ./botserver-stack/bin/vault/vault operator init -key-shares=1 -key-threshold=1 -format=json", "unset VAULT_CLIENT_CERT VAULT_CLIENT_KEY VAULT_CACERT; VAULT_ADDR={} ./botserver-stack/bin/vault/vault operator init -key-shares=1 -key-threshold=1 -format=json",
vault_addr vault_addr
)) ))
.output()?; .output()?;
@ -1140,10 +1141,11 @@ meet IN A 127.0.0.1
// Unseal Vault // Unseal Vault
info!("Unsealing Vault..."); info!("Unsealing Vault...");
// Clear any mTLS env vars that might interfere with CLI
let unseal_output = std::process::Command::new("sh") let unseal_output = std::process::Command::new("sh")
.arg("-c") .arg("-c")
.arg(format!( .arg(format!(
"VAULT_ADDR={} ./botserver-stack/bin/vault/vault operator unseal {}", "unset VAULT_CLIENT_CERT VAULT_CLIENT_KEY VAULT_CACERT; VAULT_ADDR={} ./botserver-stack/bin/vault/vault operator unseal {}",
vault_addr, unseal_key vault_addr, unseal_key
)) ))
.output()?; .output()?;
@ -1163,7 +1165,7 @@ meet IN A 127.0.0.1
let _ = std::process::Command::new("sh") let _ = std::process::Command::new("sh")
.arg("-c") .arg("-c")
.arg(format!( .arg(format!(
"VAULT_ADDR={} VAULT_TOKEN={} ./botserver-stack/bin/vault/vault secrets enable -path=secret kv-v2 2>&1 || true", "unset VAULT_CLIENT_CERT VAULT_CLIENT_KEY VAULT_CACERT; VAULT_ADDR={} VAULT_TOKEN={} ./botserver-stack/bin/vault/vault secrets enable -path=secret kv-v2 2>&1 || true",
vault_addr, root_token vault_addr, root_token
)) ))
.output(); .output();
@ -1175,7 +1177,7 @@ meet IN A 127.0.0.1
let _ = std::process::Command::new("sh") let _ = std::process::Command::new("sh")
.arg("-c") .arg("-c")
.arg(format!( .arg(format!(
"VAULT_ADDR={} VAULT_TOKEN={} ./botserver-stack/bin/vault/vault kv put secret/gbo/tables host=localhost port=5432 database=botserver username=gbuser password='{}'", "unset VAULT_CLIENT_CERT VAULT_CLIENT_KEY VAULT_CACERT; VAULT_ADDR={} VAULT_TOKEN={} ./botserver-stack/bin/vault/vault kv put secret/gbo/tables host=localhost port=5432 database=botserver username=gbuser password='{}'",
vault_addr, root_token, db_password vault_addr, root_token, db_password
)) ))
.output()?; .output()?;
@ -1185,7 +1187,7 @@ meet IN A 127.0.0.1
let _ = std::process::Command::new("sh") let _ = std::process::Command::new("sh")
.arg("-c") .arg("-c")
.arg(format!( .arg(format!(
"VAULT_ADDR={} VAULT_TOKEN={} ./botserver-stack/bin/vault/vault kv put secret/gbo/drive accesskey='{}' secret='{}'", "unset VAULT_CLIENT_CERT VAULT_CLIENT_KEY VAULT_CACERT; VAULT_ADDR={} VAULT_TOKEN={} ./botserver-stack/bin/vault/vault kv put secret/gbo/drive accesskey='{}' secret='{}'",
vault_addr, root_token, drive_accesskey, drive_secret vault_addr, root_token, drive_accesskey, drive_secret
)) ))
.output()?; .output()?;
@ -1195,7 +1197,7 @@ meet IN A 127.0.0.1
let _ = std::process::Command::new("sh") let _ = std::process::Command::new("sh")
.arg("-c") .arg("-c")
.arg(format!( .arg(format!(
"VAULT_ADDR={} VAULT_TOKEN={} ./botserver-stack/bin/vault/vault kv put secret/gbo/cache password='{}'", "unset VAULT_CLIENT_CERT VAULT_CLIENT_KEY VAULT_CACERT; VAULT_ADDR={} VAULT_TOKEN={} ./botserver-stack/bin/vault/vault kv put secret/gbo/cache password='{}'",
vault_addr, root_token, cache_password vault_addr, root_token, cache_password
)) ))
.output()?; .output()?;
@ -1205,7 +1207,7 @@ meet IN A 127.0.0.1
let _ = std::process::Command::new("sh") let _ = std::process::Command::new("sh")
.arg("-c") .arg("-c")
.arg(format!( .arg(format!(
"VAULT_ADDR={} VAULT_TOKEN={} ./botserver-stack/bin/vault/vault kv put secret/gbo/directory url=https://localhost:8080 project_id= client_id= client_secret=", "unset VAULT_CLIENT_CERT VAULT_CLIENT_KEY VAULT_CACERT; VAULT_ADDR={} VAULT_TOKEN={} ./botserver-stack/bin/vault/vault kv put secret/gbo/directory url=https://localhost:8080 project_id= client_id= client_secret=",
vault_addr, root_token vault_addr, root_token
)) ))
.output()?; .output()?;
@ -1215,7 +1217,7 @@ meet IN A 127.0.0.1
let _ = std::process::Command::new("sh") let _ = std::process::Command::new("sh")
.arg("-c") .arg("-c")
.arg(format!( .arg(format!(
"VAULT_ADDR={} VAULT_TOKEN={} ./botserver-stack/bin/vault/vault kv put secret/gbo/llm openai_key= anthropic_key= groq_key=", "unset VAULT_CLIENT_CERT VAULT_CLIENT_KEY VAULT_CACERT; VAULT_ADDR={} VAULT_TOKEN={} ./botserver-stack/bin/vault/vault kv put secret/gbo/llm openai_key= anthropic_key= groq_key=",
vault_addr, root_token vault_addr, root_token
)) ))
.output()?; .output()?;
@ -1225,7 +1227,7 @@ meet IN A 127.0.0.1
let _ = std::process::Command::new("sh") let _ = std::process::Command::new("sh")
.arg("-c") .arg("-c")
.arg(format!( .arg(format!(
"VAULT_ADDR={} VAULT_TOKEN={} ./botserver-stack/bin/vault/vault kv put secret/gbo/email username= password=", "unset VAULT_CLIENT_CERT VAULT_CLIENT_KEY VAULT_CACERT; VAULT_ADDR={} VAULT_TOKEN={} ./botserver-stack/bin/vault/vault kv put secret/gbo/email username= password=",
vault_addr, root_token vault_addr, root_token
)) ))
.output()?; .output()?;
@ -1236,7 +1238,7 @@ meet IN A 127.0.0.1
let _ = std::process::Command::new("sh") let _ = std::process::Command::new("sh")
.arg("-c") .arg("-c")
.arg(format!( .arg(format!(
"VAULT_ADDR={} VAULT_TOKEN={} ./botserver-stack/bin/vault/vault kv put secret/gbo/encryption master_key='{}'", "unset VAULT_CLIENT_CERT VAULT_CLIENT_KEY VAULT_CACERT; VAULT_ADDR={} VAULT_TOKEN={} ./botserver-stack/bin/vault/vault kv put secret/gbo/encryption master_key='{}'",
vault_addr, root_token, encryption_key vault_addr, root_token, encryption_key
)) ))
.output()?; .output()?;
@ -1261,8 +1263,7 @@ VAULT_ADDR={}
VAULT_TOKEN={} VAULT_TOKEN={}
# Vault uses HTTP for local development (TLS disabled in config.hcl) # Vault uses HTTP for local development (TLS disabled in config.hcl)
# In production, enable TLS and set proper certificates # In production, enable TLS and set VAULT_CACERT, VAULT_CLIENT_CERT, VAULT_CLIENT_KEY
VAULT_CLIENT_KEY=./botserver-stack/conf/system/certificates/botserver/client.key
# Cache TTL for secrets (seconds) # Cache TTL for secrets (seconds)
VAULT_CACHE_TTL=300 VAULT_CACHE_TTL=300
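Review bot: The `unset …;` prefix added to each command still routes `unseal_key`, `root_token`, `db_password`, `drive_secret`, `drive_accesskey` and `encryption_key` through `sh -c` via `format!`, so a generated value containing a single quote (or, for the unquoted `unseal_key`/`root_token`, any shell metacharacter) is interpreted by the shell instead of being handed to Vault, and every secret is visible in the process's command line to anyone who can read `/proc`. `std::process::Command` can do the same environment cleanup without a shell — `.env_remove("VAULT_CLIENT_CERT")`, `.env_remove("VAULT_CLIENT_KEY")`, `.env_remove("VAULT_CACERT")` with `.env("VAULT_ADDR", ..)`/`.env("VAULT_TOKEN", ..)` and the arguments passed through `.args([...])` — which removes the quoting problem entirely. The values still land in argv that way; if the installed CLI supports it, `password=-` with the secret written to the child's stdin keeps it out of `ps`. The example below is the `secret/gbo/tables` write; the remaining `kv put` calls follow the same shape, and the enclosing function starts before and ends after the hunks shown here.
```rust
// … unchanged: init, unseal and `secrets enable` steps …
let _ = std::process::Command::new("./botserver-stack/bin/vault/vault")
    .env_remove("VAULT_CLIENT_CERT")
    .env_remove("VAULT_CLIENT_KEY")
    .env_remove("VAULT_CACERT")
    .env("VAULT_ADDR", &vault_addr)
    .env("VAULT_TOKEN", &root_token)
    .args(["kv", "put", "secret/gbo/tables", "host=localhost", "port=5432", "database=botserver", "username=gbuser"])
    .arg(format!("password={}", db_password))
    .output()?;
// … unchanged: remaining `kv put` writes, rewritten the same way …
```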