From a1ad354bde1502d9d59893c4685d0413665cd09a Mon Sep 17 00:00:00 2001
From: Srikrishna Iyer
Date: Wed, 6 May 2026 20:52:19 +0530
Subject: [PATCH] give vault user permission to read certs
---
 docker-compose.yml | 7 ++++++-
 scripts/gen-tls-certs.sh | 3 +++
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/docker-compose.yml b/docker-compose.yml
index cc65c4a..3494d87 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -45,7 +45,12 @@ services:
 - 8200:8200
 privileged: true
 healthcheck:
- test: ["CMD-SHELL", "VAULT_ADDR=https://127.0.0.1:8200 VAULT_CACERT=/etc/vault/ca.crt VAULT_CLIENT_CERT=/etc/vault/client.crt VAULT_CLIENT_KEY=/etc/vault/client.key vault status; s=$$?; [ $$s -eq 0 ]"]
+ # Exit 2 means sealed-but-running, which is acceptable during startup
+ test:
+ - CMD-SHELL
+ - |
+ export VAULT_ADDR=https://127.0.0.1:8200 VAULT_CACERT=/etc/vault/ca.crt VAULT_CLIENT_CERT=/etc/vault/client.crt VAULT_CLIENT_KEY=/etc/vault/client.key
+ vault status; s=$$?; [ $$s -eq 0 ] || [ $$s -eq 2 ]
 interval: 1s
 timeout: 5s
 retries: 30
diff --git a/scripts/gen-tls-certs.sh b/scripts/gen-tls-certs.sh
index 20e753b..6172f13 100755
--- a/scripts/gen-tls-certs.sh
+++ b/scripts/gen-tls-certs.sh
@@ -89,6 +89,9 @@ mv client-key.pem client.key
 # ── Remove intermediates not needed at runtime ────────────────────────────────
 rm -f ca.csr server.csr client.csr ca-key.pem cfssl-config.json
+# Ensure files are readable by the vault container user
+chmod 644 ./*.crt ./*.key
+
 # ── Copy vault server config ──────────────────────────────────────────────────
 cp "$REPO_ROOT/integrationTests/e2e-tls/configs/config.hcl" config.hcl
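Review bot: The comment above the new `test:` block says exit 2 is acceptable "during startup", but a Compose healthcheck has no startup-only mode for its exit status — this check runs for the container's whole lifetime, so a Vault that is sealed (or re-sealed) later is still reported healthy and anything gated on `condition: service_healthy` will keep starting against it. If the intent is only to let dependents come up and then unseal, say exactly that where the comment is: `# Exit 2 = listening but sealed; counted as healthy so dependents can start and unseal. A later reseal will NOT make this check fail.` If "healthy" is meant to imply "unsealed", keep `[ $$s -eq 0 ]` alone and give startup its slack with `start_period:` instead (the visible `interval`/`timeout`/`retries` lines show none is set). The enclosing vault service definition starts before this hunk.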
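Review bot: `chmod 644 ./*.crt ./*.key` makes the private keys (server.key and client.key, per the `mv` in the hunk header) world-readable on the host, which is broader than the commit title asks for — only the container's vault user needs to read them. Keep the certificates at 644 but limit the keys to owner/group read and align the group with the uid/gid the vault container runs as: `chmod 644 ./*.crt`, `chmod 640 ./*.key`, `chown ":<VAULT_GID_PLACEHOLDER>" ./*.key` (fill in the gid of the vault image's user, or set a matching `user:` in compose). If these are throwaway e2e fixtures and 644 is deliberate, state that in the comment: `# Test-only keys: world-readable on purpose so the unprivileged vault container user can read them`. Also, if a glob matches nothing the literal pattern is passed to chmod and it fails; whether that aborts the script depends on a `set -e` outside the hunk.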