feat(secrets-vault): add mTLS support for HashiCorp Vault #143

Merged: ITBear merged 4 commits into master from feat/mtls-support on May 18, 2026

Conversation

@ITBear ITBear (Contributor) commented May 15, 2026

The secrets-vault library currently creates a plain reqwest::Client::new() when connecting to HashiCorp Vault. This fails when Vault is behind an ingress that requires mutual TLS (mTLS) client certificate authentication.

This PR adds support for the standard HashiCorp Vault TLS environment variables:

  • VAULT_CACERT — path to a custom CA certificate (PEM)
  • VAULT_CLIENT_CERT — path to a client certificate (PEM)
  • VAULT_CLIENT_KEY — path to a client private key (PEM)

When these variables are set, the HTTP client is built with the corresponding TLS configuration. When they are not set, the client behaves exactly as before (no breaking change).

original PR: #142
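As an added example, not code from this PR or from secrets-vault: a std-only Rust sketch of the rule the description states (custom CA optional, client cert and key only ever together, all three unset meaning the client is built as before), with a sanity check that each file holds the kind of PEM block its variable promises. `VaultTlsConfig`, `resolve`, `from_env` and `must_contain` are hypothetical names; the PEM paths used in testing are constructed.

```rust
use std::{env, fs, path::PathBuf};

/// TLS material resolved from the Vault env vars (hypothetical type, not the crate's own).
#[derive(Debug, Default, PartialEq)]
pub struct VaultTlsConfig {
    /// PEM for reqwest::Certificate::from_pem, present when VAULT_CACERT is set.
    pub ca_pem: Option<Vec<u8>>,
    /// Cert followed by key: the single buffer reqwest::Identity::from_pem expects
    /// under rustls-tls, present when both VAULT_CLIENT_CERT and VAULT_CLIENT_KEY are set.
    pub identity_pem: Option<Vec<u8>>,
}

/// Sanity check that a file holds the kind of PEM block its variable promises.
fn must_contain(pem: &[u8], marker: &str, var: &str) -> Result<(), String> {
    let ok = std::str::from_utf8(pem).map_or(false, |s| s.contains(marker));
    if ok { Ok(()) } else { Err(format!("{var}: no '{marker}' block found")) }
}

/// Pure resolution step; paths are passed in so the rule can be tested without env vars.
pub fn resolve(ca: Option<PathBuf>, cert: Option<PathBuf>, key: Option<PathBuf>) -> Result<VaultTlsConfig, String> {
    let read = |p: &PathBuf| fs::read(p).map_err(|e| format!("{}: {e}", p.display()));
    let ca_pem = match ca {
        Some(p) => {
            let pem = read(&p)?;
            must_contain(&pem, "-----BEGIN CERTIFICATE-----", "VAULT_CACERT")?;
            Some(pem)
        }
        None => None,
    };
    let identity_pem = match (cert, key) {
        (None, None) => None, // no identity: plain TLS, behaviour unchanged
        (Some(c), Some(k)) => {
            let mut buf = read(&c)?;
            must_contain(&buf, "-----BEGIN CERTIFICATE-----", "VAULT_CLIENT_CERT")?;
            let key_pem = read(&k)?;
            must_contain(&key_pem, "PRIVATE KEY-----", "VAULT_CLIENT_KEY")?;
            buf.push(b'\n'); buf.extend_from_slice(&key_pem); // cert first, then key
            Some(buf)
        }
        // Half an identity is a misconfiguration: fail loudly, never silently drop the client cert.
        _ => return Err("VAULT_CLIENT_CERT and VAULT_CLIENT_KEY must be set together".into()),
    };
    Ok(VaultTlsConfig { ca_pem, identity_pem })
}

/// Read the standard Vault variables; all three unset means "behave exactly as before".
pub fn from_env() -> Result<VaultTlsConfig, String> {
    let path = |k: &str| env::var_os(k).map(PathBuf::from);
    resolve(path("VAULT_CACERT"), path("VAULT_CLIENT_CERT"), path("VAULT_CLIENT_KEY"))
}
```

Wiring it into reqwest: `ca_pem` goes to `reqwest::Certificate::from_pem` and `ClientBuilder::add_root_certificate`, `identity_pem` to `reqwest::Identity::from_pem` and `ClientBuilder::identity`; with both `None` the builder is equivalent to the previous `Client::new()`.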

@ITBear ITBear requested review from Keshoid and bvscd May 15, 2026 12:39
@ITBear ITBear marked this pull request as ready for review May 15, 2026 15:11
Copilot AI review requested due to automatic review settings May 15, 2026 15:11
Copilot AI (Contributor) left a comment

Pull request overview

This PR adds optional mutual TLS (mTLS) support to the secrets-vault HashiCorp Vault client by building a configured reqwest::Client based on standard Vault TLS environment variables, while keeping the default behavior unchanged when the variables are unset.

Changes:

  • Replace reqwest::Client::new() with a custom client builder that optionally loads VAULT_CACERT, VAULT_CLIENT_CERT, and VAULT_CLIENT_KEY.
  • Add a helper to construct a reqwest client with optional root CA and client identity.
  • Enable reqwest’s rustls-tls feature in secrets-vault to support PEM-based client identities.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

Reviewed files:
  • src/secrets-vault/src/storage/hashicorp_api.rs: Builds the Vault HTTP client via a new helper that conditionally enables a custom CA and client cert/key (mTLS).
  • src/secrets-vault/Cargo.toml: Enables reqwest rustls support, needed for PEM-based client identity loading.


Review comment threads: src/secrets-vault/Cargo.toml (outdated); src/secrets-vault/src/storage/hashicorp_api.rs (two threads)
@ITBear ITBear merged commit af75cf2 into master May 18, 2026
5 checks passed
@ITBear ITBear deleted the feat/mtls-support branch May 18, 2026 09:17