Open
Labels: enhancement (New feature or request)
Description
Background
Server-side TLS for the Vault gRPC server was implemented in rune-admin #17 (PR #25).
The server now enforces TLS by default and rejects plaintext connections unless VAULT_TLS_DISABLE=true is explicitly set.
Currently, the client (mcp/adapter/vault_client.py) only uses grpc.aio.insecure_channel(), which means it cannot connect to a TLS-enabled Vault server.
Tasks
1. TLS channel support in vault_client.py
- File: mcp/adapter/vault_client.py (L135-145, _ensure_channel)
- When a CA cert is specified → grpc.aio.secure_channel() + ssl_channel_credentials(root_certificates=ca_pem)
- When no CA cert is specified → secure_channel() with the system default CA (for publicly-signed certificates)
- When VAULT_TLS_DISABLE=true → keep the existing insecure_channel() (dev only)
- Environment variable: VAULT_CA_CERT (path to the CA certificate file)
2. CA certificate setup in install.sh
- File: scripts/install.sh
- Add a step to copy ca.pem to ~/.rune/certs/ca.pem when using a self-signed CA
- Support setting the vault.ca_cert path in config.json
- Enable easy CA cert registration for team onboarding (admin shares the CA cert)
3. Extend config.json schema
- vault.ca_cert: CA certificate file path (optional)
- vault.tls_disable: TLS disable flag (optional, default: false)
4. TLS support for health check
- File: vault_client.py (L257-292)
- Ensure the health check uses the same TLS channel as regular connections
Channel Selection Logic
if VAULT_TLS_DISABLE == "true":
→ insecure_channel (dev only)
elif VAULT_CA_CERT or vault.ca_cert configured:
→ secure_channel with custom CA (for self-signed certs)
else:
→ secure_channel with system CA (for publicly-signed certs)
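The selection logic above as a working Python function. This is an added example written for this issue, not code from the rune project; `vault_cfg` (the `vault` object from config.json, with the proposed `ca_cert` / `tls_disable` keys) and the injectable `read_pem` reader are assumptions so the decision can be tested without a real file or a Vault server.

```python
"""Channel selection for the Vault gRPC client (added example, not project code)."""
from dataclasses import dataclass
from typing import Callable, Mapping, Optional


@dataclass(frozen=True)
class ChannelPlan:
    mode: str  # "insecure", "custom_ca" or "system_ca"
    root_certificates: Optional[bytes] = None  # PEM bundle, only for custom_ca


def _read_pem(path: str) -> bytes:
    with open(path, "rb") as fh:
        return fh.read()


def select_channel(env: Mapping[str, str], vault_cfg: Mapping[str, object],
                   read_pem: Callable[[str], bytes] = _read_pem) -> ChannelPlan:
    """Decide how to connect. vault_cfg is the hypothetical "vault" object from
    config.json; read_pem is injectable so the logic is testable without disk I/O."""
    # 1. Plaintext only on an explicit opt-out: the exact string "true" in the
    #    environment, or tls_disable: true in config.json. Any other value
    #    ("1", "yes", "True") still gets TLS, so a typo fails closed.
    if env.get("VAULT_TLS_DISABLE") == "true" or vault_cfg.get("tls_disable") is True:
        return ChannelPlan("insecure")
    # 2. Custom CA for self-signed setups: the env var overrides config.json.
    ca_path = env.get("VAULT_CA_CERT") or vault_cfg.get("ca_cert")
    if ca_path:
        pem = read_pem(str(ca_path))
        if b"-----BEGIN CERTIFICATE-----" not in pem:
            raise ValueError(f"{ca_path}: not a PEM certificate bundle")
        return ChannelPlan("custom_ca", pem)
    # 3. Default: TLS, verified against the system trust store.
    return ChannelPlan("system_ca")


def open_channel(target: str, plan: ChannelPlan):
    """Turn a ChannelPlan into a grpc.aio channel."""
    import grpc  # local import keeps select_channel importable without grpcio

    if plan.mode == "insecure":
        return grpc.aio.insecure_channel(target)
    # root_certificates=None makes gRPC fall back to its default root bundle.
    creds = grpc.ssl_channel_credentials(root_certificates=plan.root_certificates)
    return grpc.aio.secure_channel(target, creds)
```

The health check path (task 4) should call `open_channel` with the same plan rather than building its own channel, so both code paths share one TLS decision.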
Related
- rune-admin#17: Enforce TLS for Vault gRPC with developer-friendly certificate setup (server-side) ✅
- rune-admin#25: feat: enforce TLS for Vault gRPC (PR for server-side TLS)