seperate master keys too

Author: Flo4604

deployment/docker-compose.yaml

@@ -280,6 +280,7 @@ services:
       UNKEY_VAULT_S3_ACCESS_KEY_SECRET: "minio_root_password"
       UNKEY_VAULT_MASTER_KEYS: "Ch9rZWtfMmdqMFBJdVhac1NSa0ZhNE5mOWlLSnBHenFPENTt7an5MRogENt9Si6wms4pQ2XIvqNSIgNpaBenJmXgcInhu6Nfv2U="
       # ACME Vault - Let's Encrypt certificates
+      UNKEY_ACME_VAULT_MASTER_KEYS: "Ch9rZWtfMmdqMFBJdVhac1NSa0ZhNE5mOWlLSnBHenFPENTt7an5MRogENt9Si6wms4pQ2XIvqNSIgNpaBenJmXgcInhu6Nfv2U="
       UNKEY_ACME_VAULT_S3_URL: "http://s3:3902"
       UNKEY_ACME_VAULT_S3_BUCKET: "acme-vault"
       UNKEY_ACME_VAULT_S3_ACCESS_KEY_ID: "minio_root_user"

go/apps/ctrl/config.go

@@ -125,10 +125,12 @@ type Config struct {
 	Clock clock.Clock
 
 	// --- Vault Configuration ---
-	// VaultMasterKeys are the master encryption keys for both vaults
+	// VaultMasterKeys are the master encryption keys for the general vault
 	VaultMasterKeys []string
 	// VaultS3 is used for general secrets (env vars, API keys, etc.)
 	VaultS3 S3Config
+	// AcmeVaultMasterKeys are the master encryption keys for the ACME vault
+	AcmeVaultMasterKeys []string
 	// AcmeVaultS3 is used specifically for ACME/Let's Encrypt certificate storage
 	AcmeVaultS3 S3Config
 

go/apps/ctrl/run.go

@@ -109,7 +109,7 @@ func Run(ctx context.Context, cfg Config) error {
 
 	// Create separate vault service for ACME certificates
 	var acmeVaultSvc *vault.Service
-	if len(cfg.VaultMasterKeys) > 0 && cfg.AcmeVaultS3.URL != "" {
+	if len(cfg.AcmeVaultMasterKeys) > 0 && cfg.AcmeVaultS3.URL != "" {
 		acmeVaultStorage, acmeStorageErr := storage.NewS3(storage.S3Config{
 			Logger:            logger,
 			S3URL:             cfg.AcmeVaultS3.URL,
@@ -124,7 +124,7 @@ func Run(ctx context.Context, cfg Config) error {
 		acmeVaultSvc, err = vault.New(vault.Config{
 			Logger:     logger,
 			Storage:    acmeVaultStorage,
-			MasterKeys: cfg.VaultMasterKeys,
+			MasterKeys: cfg.AcmeVaultMasterKeys,
 		})
 		if err != nil {
 			return fmt.Errorf("unable to create ACME vault service: %w", err)

go/cmd/ctrl/main.go

@@ -61,7 +61,7 @@ var Cmd = &cli.Command{
 			cli.Default("/var/lib/spire/agent/agent.sock"), cli.EnvVar("UNKEY_SPIFFE_SOCKET_PATH")),
 
 		// Vault Configuration - General secrets (env vars, API keys)
-		cli.StringSlice("vault-master-keys", "Vault master keys for encryption (shared by both vaults)",
+		cli.StringSlice("vault-master-keys", "Vault master keys for encryption (general vault)",
 			cli.Required(), cli.EnvVar("UNKEY_VAULT_MASTER_KEYS")),
 		cli.String("vault-s3-url", "S3 endpoint URL for general vault",
 			cli.EnvVar("UNKEY_VAULT_S3_URL")),
@@ -73,6 +73,8 @@ var Cmd = &cli.Command{
 			cli.EnvVar("UNKEY_VAULT_S3_ACCESS_KEY_SECRET")),
 
 		// ACME Vault Configuration - Let's Encrypt certificates
+		cli.StringSlice("acme-vault-master-keys", "Vault master keys for encryption (ACME vault)",
+			cli.EnvVar("UNKEY_ACME_VAULT_MASTER_KEYS")),
 		cli.String("acme-vault-s3-url", "S3 endpoint URL for ACME vault",
 			cli.EnvVar("UNKEY_ACME_VAULT_S3_URL")),
 		cli.String("acme-vault-s3-bucket", "S3 bucket for ACME vault (Let's Encrypt certs)",
@@ -186,6 +188,7 @@ func action(ctx context.Context, cmd *cli.Command) error {
 			AccessKeySecret: cmd.String("vault-s3-access-key-secret"),
 		},
 		// ACME Vault configuration - Let's Encrypt certificates
+		AcmeVaultMasterKeys: cmd.StringSlice("acme-vault-master-keys"),
 		AcmeVaultS3: ctrl.S3Config{
 			URL:             cmd.String("acme-vault-s3-url"),
 			Bucket:          cmd.String("acme-vault-s3-bucket"),

go/k8s/manifests/ctrl.yaml

@@ -70,6 +70,8 @@ spec:
             - name: UNKEY_VAULT_S3_ACCESS_KEY_SECRET
               value: "minio_root_password"
             # ACME Vault Configuration - Let's Encrypt certificates
+            - name: UNKEY_ACME_VAULT_MASTER_KEYS
+              value: "Ch9rZWtfMmdqMFBJdVhac1NSa0ZhNE5mOWlLSnBHenFPENTt7an5MRogENt9Si6wms4pQ2XIvqNSIgNpaBenJmXgcInhu6Nfv2U="
             - name: UNKEY_ACME_VAULT_S3_URL
               value: "http://s3:3902"
             - name: UNKEY_ACME_VAULT_S3_BUCKET