Deploy TLS Bundles with Reis (YAML Mode)

TLS bundles can be declared in your bahriya.yml file under the vaults section and applied with reis apply.

Updated 23 Jun 2026

YAML structure

vaults:
  tls_bundles:
    api-cert:
      name: API Public Certificate
      ca:   "{{ file:./certs/ca.crt }}"
      cert: "{{ file:./certs/api.crt }}"
      key:  "{{ file:./certs/api.key }}"

The {{ file:./path }} helper reads the file content at apply time, so you can keep your PEM files separate from the YAML declaration.

Attaching to a project

projects:
  production:
    attachments:
      vaults:
        tls_bundles: [api-cert]

Wiring to a container

Once attached to a project, reference the bundle in a container definition:

containers:
  api:
    project: production
    image: ghcr.io/myorg/api:latest
    vaults:
      tls_bundles:
        - handle: api-cert
          mountpath: /etc/tls

The certificate files are mounted as ca.crt, tls.crt, and tls.key under the specified mount path.
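
A pre-apply lint for the declaration, attachment and wiring steps above, added here as an example; it is not part of Reis. It assumes bahriya.yml has already been parsed into a dict, and the names lint and read_file are hypothetical.

```python
import re

FILE_REF = re.compile(r"^\{\{\s*file:(\S+)\s*\}\}$")  # the {{ file:./path }} helper
PEM_LABEL = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")

def lint(config, read_file):
    """Check a parsed bahriya.yml dict; read_file(path) returns the file text."""
    problems = []
    bundles = config.get("vaults", {}).get("tls_bundles", {})
    for handle, bundle in bundles.items():
        for field in ("ca", "cert", "key"):
            value = bundle.get(field, "")
            ref = FILE_REF.match(value.strip())
            if ref is None and field == "key":
                problems.append(f"{handle}.key: private key is inline in the YAML")
            text = read_file(ref.group(1)) if ref else value
            labels = PEM_LABEL.findall(text)
            if field == "key" and not (len(labels) == 1 and labels[0].endswith("PRIVATE KEY")):
                problems.append(f"{handle}.key: expected exactly one PRIVATE KEY block")
            if field != "key" and (not labels or any(l != "CERTIFICATE" for l in labels)):
                problems.append(f"{handle}.{field}: expected only CERTIFICATE blocks")
    attached = {}
    for project, spec in config.get("projects", {}).items():
        names = spec.get("attachments", {}).get("vaults", {}).get("tls_bundles", [])
        attached[project] = set(names)
        for name in names:
            if name not in bundles:
                problems.append(f"project {project}: bundle {name} is not declared")
    for cname, spec in config.get("containers", {}).items():
        for mount in spec.get("vaults", {}).get("tls_bundles", []):
            if mount["handle"] not in attached.get(spec.get("project"), set()):
                problems.append(f"container {cname}: {mount['handle']} not attached to its project")
    return problems

# Constructed sample: PEM bodies are placeholders, only the block labels matter here.
CERT = "-----BEGIN CERTIFICATE-----\nplaceholder\n-----END CERTIFICATE-----\n"
KEY = "-----BEGIN PRIVATE KEY-----\nplaceholder\n-----END PRIVATE KEY-----\n"
FILES = {"./certs/ca.crt": CERT, "./certs/api.crt": CERT, "./certs/api.key": KEY}
CONFIG = {
    "vaults": {"tls_bundles": {"api-cert": {
        "ca": "{{ file:./certs/ca.crt }}",
        "cert": "{{ file:./certs/api.key }}",  # mistake: key file in the cert field
        "key": "{{ file:./certs/api.key }}"}}},
    "projects": {"production": {"attachments": {"vaults": {"tls_bundles": ["api-cert"]}}},
                 "staging": {}},
    "containers": {"api": {"project": "staging",  # mistake: bundle not attached here
                           "vaults": {"tls_bundles": [{"handle": "api-cert"}]}}},
}
if __name__ == "__main__":
    print("\n".join(lint(CONFIG, FILES.__getitem__)))
```

For real files, pass a reader such as lambda p: open(p).read() in place of the in-memory FILES lookup.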

Rotation

To rotate, update the PEM files on disk and run reis apply again. A new version is created and marked current. Previous versions are retained for rollback.
