Hashicorp feature tmkms
TL;DR
This is a rebased version of https://github.com/iqlusioninc/tmkms/pull/613 with some changes:
- integration tests work now
- VAULT_CACERT and VAULT_SKIP_VERIFY are now configurable
- config changed slightly
Test plan
I've tested this live and also via unit tests and integration test:
$ ./tests/support/start_vault.sh
$ cargo test --features hashicorp,softsign
...
test result: ok. 12 passed; 0 failed; 0 ignored; 0 measured; 0 filtered out; finished in 0.20s
Huh, there is no fix for: https://rustsec.org/advisories/RUSTSEC-2023-0071 yet
(but it is an optional dependency anyway)
EDIT: I need to fix the CI tests (integration test requires running vault)
@tony-iqlusion it's ready for review :pray:
@mkaczanowski may I ask if you considered vault disconnection issues? Will it reconnect? I noticed that even if I have multiple vault instances, when I restart one of them, tmkms won't try to connect to another. But this is an old version in my fork, maybe it's addressed already.
I was unable to reproduce the connection issues
@tony-iqlusion any ETA on merging this?
I should have some time to review it soon. Please be patient.
Note: I would still like to get this into the v0.14 release but my time on TMKMS has been taken up by vote extension signing support. I hope to be able to review it soon when other TMKMS-related work is done.
@mkaczanowski I am currently testing this PR, and it seems that the CA certificate does not work:
Message: Unable to connect to Vault at https://vault.vault.svc.cluster.local:8200
Location: src/commands/hashicorp/upload.rs:145
Backtrace omitted. Run with RUST_BACKTRACE=1 environment variable to display it.
Works fine if I set vault_skip_verify = true. Can you double check this?