From 77dc106c4021954363c465d136b0acd9bf852df8 Mon Sep 17 00:00:00 2001
From: Ashok Siyani
Date: Fri, 24 Jan 2025 11:32:57 +0000
Subject: [PATCH] support loading vault CA from remote endpoint (#310)
---
 README.md | 12 ++++++++++++
 vault/vault.go | 23 ++++++++++++++++++++---
 2 files changed, 32 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index 1a311d3..2919ea0 100644
--- a/README.md
+++ b/README.md
@@ -321,6 +321,18 @@ spec:
 ```
+### Vault CA Reload
+terraform-applier support hot reload of vault CA cert for secure communication.
+CA is updated before making vault API Calls. Following envs are supported.
+
+* `VAULT_CACERT`: value should be path to a PEM-encoded certificate file or bundle.
+ Takes precedence over CACertificate and CAPath.
+
+* `VAULT_CAPATH`: value should be path to a directory populated with PEM-encoded certificates.
+
+* `VAULT_CAURL`: value should be URL which returns a PEM-encoded certificate or bundle as body.
+ Takes precedence over CAPath.
+
 ## Monitoring
 ### Metrics
diff --git a/vault/vault.go b/vault/vault.go
index 7003735..7d00f4d 100644
--- a/vault/vault.go
+++ b/vault/vault.go
@@ -4,6 +4,8 @@ import (
 "context"
 "errors"
 "fmt"
+ "io"
+ "net/http"
 "os"
 "time"
@@ -31,6 +33,7 @@ func newClient() (*vaultapi.Client, error) {
 var envCACert string
 var envCAPath string
+ var envCACertBytes []byte
 if v := os.Getenv(vaultapi.EnvVaultCACert); v != "" {
 envCACert = v
@@ -40,11 +43,25 @@ func newClient() (*vaultapi.Client, error) {
 envCAPath = v
 }
+ if v := os.Getenv("VAULT_CAURL"); v != "" {
+ resp, err := http.Get(v)
+ if err != nil {
+ return nil, err
+ }
+ defer resp.Body.Close()
+
+ envCACertBytes, err = io.ReadAll(resp.Body)
+ if err != nil {
+ return nil, err
+ }
+ }
+
 // use custom cert if set
- if envCACert != "" || envCAPath != "" {
+ if envCACert != "" || envCAPath != "" || len(envCACertBytes) != 0 {
 err := vaultConfig.ConfigureTLS(&vaultapi.TLSConfig{
- CACert: envCACert,
- CAPath: envCAPath,
+ CACert: envCACert,
+ CACertBytes: envCACertBytes,
+ CAPath: envCAPath,
 })
 if err != nil {
 return nil, err
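Review bot: The new VAULT_CAURL block accepts whatever the endpoint returns as the CA bundle: `resp.StatusCode` is never checked, so a 404 or 500 body is handed to ConfigureTLS as CACertBytes, and the body is read with an unbounded `io.ReadAll` through `http.Get`, i.e. http.DefaultClient, which has no timeout. Because the fetched bytes become the trust anchor for every later Vault call, the URL scheme should also be restricted to https — a plain-http fetch lets anyone on the network path substitute the CA and then impersonate Vault — which needs `net/url` added to the import block in the @@ -4 hunk. An empty 200 body currently falls through silently to the other CA sources, since the later guard is `len(envCACertBytes) != 0`; failing loudly is safer for a trust-anchor fetch. newClient continues outside the hunk.

```go
	if v := os.Getenv("VAULT_CAURL"); v != "" {
		// The fetched bundle becomes the trust anchor for every Vault call, so only
		// accept it over a channel whose peer is itself authenticated (https).
		u, err := url.Parse(v) // needs "net/url" in the import block
		if err != nil || u.Scheme != "https" {
			return nil, fmt.Errorf("VAULT_CAURL must be an https URL, got %q", v)
		}
		client := &http.Client{Timeout: 10 * time.Second}
		resp, err := client.Get(v)
		if err != nil {
			return nil, fmt.Errorf("fetching vault CA from %q: %w", v, err)
		}
		defer resp.Body.Close()
		if resp.StatusCode != http.StatusOK {
			return nil, fmt.Errorf("fetching vault CA from %q: unexpected status %s", v, resp.Status)
		}
		// A CA bundle is small; cap the read so a misbehaving endpoint cannot exhaust memory.
		envCACertBytes, err = io.ReadAll(io.LimitReader(resp.Body, 1<<20))
		if err != nil {
			return nil, fmt.Errorf("reading vault CA from %q: %w", v, err)
		}
		if len(envCACertBytes) == 0 {
			return nil, fmt.Errorf("vault CA fetched from %q is empty", v)
		}
	}
	// … unchanged: ConfigureTLS call …
```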