Module: Legion::Transport::Connection::Vault
- Includes:
- Logging::Helper
- Included in:
- Legion::Transport::Connection
- Defined in:
- lib/legion/transport/connection/vault.rb
Instance Method Summary
- #vault_pki_enabled? ⇒ Boolean
- #vault_pki_tls_options ⇒ Object
  Provides Vault PKI-based cert issuance for Bunny mTLS connections.
Instance Method Details
#vault_pki_enabled? ⇒ Boolean

```ruby
# File 'lib/legion/transport/connection/vault.rb', line 34
def vault_pki_enabled?
  tls = transport_tls_settings
  return false unless tls.is_a?(Hash)

  tls[:vault_pki] || tls['vault_pki'] || false
rescue StandardError => e
  handle_exception(e, level: :warn, handled: true, operation: 'transport.connection.vault_pki_enabled')
  false
end
```
#vault_pki_tls_options ⇒ Object
Provides Vault PKI-based cert issuance for Bunny mTLS connections. Activated when `transport.tls.vault_pki: true` AND `Legion::Crypt::Mtls.enabled?`. Bunny requires file paths for TLS material, so we write to tempfiles (auto-deleted by the OS when the process exits — or call cleanup_pki_tempfiles explicitly).

```ruby
# File 'lib/legion/transport/connection/vault.rb', line 17
def vault_pki_tls_options
  return {} unless vault_pki_enabled?
  return {} unless defined?(Legion::Crypt::Mtls)
  return {} unless Legion::Crypt::Mtls.enabled?

  node_name = pki_node_name
  cert_data = Legion::Crypt::Mtls.issue_cert(common_name: node_name)
  Legion::Transport.logger.info(
    "[mTLS] Issued PKI cert for #{node_name}: serial=#{cert_data[:serial]} expiry=#{cert_data[:expiry]}"
  )
  build_bunny_tls_opts(cert_data)
rescue StandardError => e
  handle_exception(e, level: :warn, handled: true, operation: 'transport.connection.vault_pki_tls_options')
  {}
end
```
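The following is an added example and not Legion's own code: it shows the pattern the two methods above describe end to end, with a stand-in for the Vault issuer so it runs offline. `VaultPkiExample`, `constructed_cert_data`, and the `issuer:` keyword are hypothetical names introduced here; the cert is a locally generated self-signed certificate standing in for what `Legion::Crypt::Mtls.issue_cert` would return. The Bunny option keys (`tls`, `tls_cert`, `tls_key`, `tls_ca_certificates`, `verify_peer`) are Bunny's documented connection options. Two things differ from the page's code on purpose: the enabled check accepts only the literal `true` (so a string such as `"false"` in a YAML-sourced setting cannot switch PKI on), and the tempfile handles are returned so the caller can unlink them with `close!` instead of relying on finalization.

```ruby
require 'tempfile'
require 'openssl'

# Added example, not Legion's own code. Demonstrates the pattern the module
# documents: issue cert material, write it to 0600 tempfiles because Bunny
# takes file paths, and clean the files up explicitly.
module VaultPkiExample
  module_function

  # Counterpart of vault_pki_enabled?: accepts symbol or string keys, but only
  # the literal boolean true enables PKI (the string "false" is truthy in Ruby).
  def vault_pki_enabled?(tls_settings)
    return false unless tls_settings.is_a?(Hash)

    value = tls_settings.key?(:vault_pki) ? tls_settings[:vault_pki] : tls_settings['vault_pki']
    value == true
  end

  # Constructed stand-in for Legion::Crypt::Mtls.issue_cert (hypothetical):
  # a short-lived self-signed cert, returned with the serial and expiry the
  # page's log line implies plus the PEMs Bunny needs.
  def constructed_cert_data(common_name)
    key = OpenSSL::PKey::RSA.new(2048)
    cert = OpenSSL::X509::Certificate.new
    cert.version = 2
    cert.serial = OpenSSL::BN.rand(64)
    cert.subject = OpenSSL::X509::Name.parse("/CN=#{common_name}")
    cert.issuer = cert.subject
    cert.public_key = key.public_key
    cert.not_before = Time.now - 60
    cert.not_after = Time.now + 3600
    cert.sign(key, OpenSSL::Digest.new('SHA256'))
    {
      cert_pem: cert.to_pem,
      key_pem: key.to_pem,
      ca_pem: cert.to_pem, # self-signed, so the cert is its own CA here
      serial: cert.serial.to_s(16),
      expiry: cert.not_after
    }
  end

  # Writes each PEM to a 0600 tempfile and returns Bunny TLS options keyed by
  # path, together with the Tempfile handles so the caller can remove them.
  def build_bunny_tls_opts(cert_data)
    handles = { tls_cert: :cert_pem, tls_key: :key_pem, tls_ca: :ca_pem }.to_h do |opt, pem|
      tf = Tempfile.new(["legion-mtls-#{opt}-", '.pem'])
      tf.chmod(0o600) # private key must never be group/world readable
      tf.write(cert_data.fetch(pem))
      tf.flush
      [opt, tf]
    end
    opts = {
      tls: true,
      tls_cert: handles[:tls_cert].path,
      tls_key: handles[:tls_key].path,
      tls_ca_certificates: [handles[:tls_ca].path],
      verify_peer: true # broker cert is checked against the CA file
    }
    [opts, handles.values]
  end

  # Counterpart of vault_pki_tls_options: [{}, []] when PKI is off, otherwise
  # Bunny options plus the handles. `issuer` is an injectable stand-in for the
  # real issuer (hypothetical parameter).
  def vault_pki_tls_options(tls_settings, node_name, issuer: method(:constructed_cert_data))
    return [{}, []] unless vault_pki_enabled?(tls_settings)

    cert_data = issuer.call(node_name)
    build_bunny_tls_opts(cert_data)
  end

  # close! closes and unlinks immediately instead of waiting for finalization.
  def cleanup_pki_tempfiles(handles)
    handles.each(&:close!)
    handles.clear
  end
end

if __FILE__ == $PROGRAM_NAME
  opts, handles = VaultPkiExample.vault_pki_tls_options({ vault_pki: true }, 'node-a')
  puts "Bunny opts: #{opts.inspect}"
  VaultPkiExample.cleanup_pki_tempfiles(handles)
end
```

Run the file directly to see the option hash Bunny would receive; once the connection is established the key file has served its purpose, which is why the handles are kept and passed to `cleanup_pki_tempfiles` rather than left for the finalizer.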