Introduction
When configuring the Vault GitHub Action, it is often necessary to configure a CA certificate within GitHub to ensure successful TLS communication with the Vault server. This process can be challenging, so this article provides a step-by-step guide to the setup.
Procedure
If you are new to the Vault GitHub Action, this tutorial is a good place to start and to understand the basics of the implementation. The GitHub Action is configured using YAML. An example of this configuration can be found below:
jobs:
  build:
    # ...
    steps:
      # ...
      - name: Import Secrets
        uses: hashicorp/vault-action@v2.4.0
        with:
          url: https://vault.mycompany.com:8200
          token: ${{ secrets.VAULT_TOKEN }}
          caCertificate: ${{ secrets.VAULT_CA_CERT }}
          secrets: |
            secret/data/ci/aws accessKey | AWS_ACCESS_KEY_ID ;
            secret/data/ci/aws secretKey | AWS_SECRET_ACCESS_KEY ;
            secret/data/ci npm_token
In the above example, the caCertificate input is set to ${{ secrets.VAULT_CA_CERT }}. This corresponds to a secret called VAULT_CA_CERT that can be configured in the GitHub repository. Refer to the GitHub input reference here to determine what to set the VAULT_CA_CERT secret to. As per the input reference, the value of caCertificate should be: "Base64 encoded CA certificate the server certificate was signed with".
The CA certificate should be your entire CA chain, that is, the complete chain of trust for the server certificate. The value must not be only the root CA; it must contain the entire chain, with the certificates appended one after another. A certificate chain with 2 certificates looks like the following:
-----BEGIN CERTIFICATE-----
MIIDsDCCApigAwIBAgIUf/c3nJZIu6W4BliUlq2TjMWI4t4wDQYJKoZIhvcNAQEL
BQAwFjEUMBIGA1UEAxMLZXhhbXBsZS5jb20wHhcNMjIwNDA4MTgzMjU2WhcNMjcw
...
Pmoj/bfbJJOYmcjeMssK1XmbS86iDOIRoVB5TJSv3FBcNoYNdLSU4YoTaz2ogj5E
TyH+FVBIsocNqIyQOWOVTLEqeOkg5NKHXpN2dtE4/Z9qDFng
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDNTCCAh2gAwIBAgIUaw1Ga+pFCTsF59oU+gI8p6l4pl4wDQYJKoZIhvcNAQEL
BQAwFjEUMBIGA1UEAxMLZXhhbXBsZS5jb20wHhcNMjIwNDA4MTgzMjUxWhcNMzIw
...
UGLIbJkkC4MJgUBKK5nRw0VOryNpknWVV18lpRIlo0Tf3TECrR8OkXGOFziJVuUK
c2nRMAlYi8TdqRsYWTac+smui70vqrZGGcgohFjPjWGmh5S5zDFZO5R1mEbgrp
aPQ3/XYN9vZd
-----END CERTIFICATE-----
Once the certificate chain is in the correct order in a file, it can be converted to the necessary base64 encoding. To achieve this, cat out the file and pipe it into the base64 utility to get the base64 encoded certificate chain. The process looks like the following:
$ cat vault-ca.crt | base64
This base64 string can be used as your VAULT_CA_CERT GitHub secret. The YAML template references this secret and assigns its value to the caCertificate input.
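Before pasting the value into the secret, it is worth checking that the bundle is complete and in the right order, and that the encoded value decodes back to the file. The script below is an added example, not HashiCorp's or the action's own code; the function names, the file name vault-ca.crt and the constructed test bundle are assumptions, the chain-order check assumes openssl is installed, and it goes one step beyond the command above by removing the line wrapping that GNU base64 adds.

```shell
#!/bin/sh
# Added example, not HashiCorp's code: sanity-check a PEM CA bundle before it
# becomes the VAULT_CA_CERT secret, then print the base64 value on one line.
# Assumes POSIX sh with awk, grep, base64 (-d), tr and cmp; openssl is optional.

# Number of certificates in the bundle (one BEGIN marker per certificate).
count_pem_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# Every BEGIN needs a matching END; a truncated paste fails this check.
pem_markers_balanced() {
  set -- $(awk '/-----BEGIN CERTIFICATE-----/{b++} /-----END CERTIFICATE-----/{e++} END{print b+0, e+0}' "$1")
  [ "$1" -gt 0 ] && [ "$1" -eq "$2" ]
}

# Single-line base64: GNU base64 wraps at 76 columns, so strip the newlines
# (BSD base64 does not wrap, so the result is identical there).
encode_ca_bundle() { base64 < "$1" | tr -d '\n'; }

# Decode the secret value and confirm it is byte-for-byte the original file.
verify_roundtrip() { printf '%s' "$2" | base64 -d | cmp -s - "$1"; }

# With openssl: each certificate's issuer must be the subject of the next one,
# i.e. the bundle runs from the issuing intermediate up to the root.
check_chain_order() {
  tmp=$(mktemp -d) || return 1
  awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (d "/" n ".pem")}' "$1"
  i=1; prev_issuer=""
  while [ -f "$tmp/$i.pem" ]; do
    subject=$(openssl x509 -noout -subject -in "$tmp/$i.pem" | sed 's/^subject= *//')
    issuer=$(openssl x509 -noout -issuer -in "$tmp/$i.pem" | sed 's/^issuer= *//')
    if [ -n "$prev_issuer" ] && [ "$prev_issuer" != "$subject" ]; then
      echo "certificate $i is not the issuer of certificate $((i - 1)); chain out of order" >&2
      rm -rf "$tmp"; return 1
    fi
    prev_issuer=$issuer; i=$((i + 1))
  done
  rm -rf "$tmp"
}

main() {
  bundle=${1:?usage: main vault-ca.crt}
  pem_markers_balanced "$bundle" || { echo "unbalanced BEGIN/END markers in $bundle" >&2; return 1; }
  [ "$(count_pem_certs "$bundle")" -ge 2 ] || echo "warning: a single certificate is not a chain" >&2
  if command -v openssl >/dev/null 2>&1; then check_chain_order "$bundle" || return 1; fi
  enc=$(encode_ca_bundle "$bundle")
  verify_roundtrip "$bundle" "$enc" || return 1
  printf '%s\n' "$enc"   # paste this value into the VAULT_CA_CERT repository secret
}
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it as ./check-ca-bundle.sh vault-ca.crt; it prints the single-line value only when all checks pass.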