Deploy X.509 Certificates with Reis (YAML Mode)

X.509 certificates can be declared in your bahriya.yml file under the vaults section and applied with reis apply.

Updated 23 Jun 2026

YAML structure

vaults:
  x509_certs:
    signing-cert:
      name: Signing Certificate
      cert: "{{ file:./certs/signing.crt }}"

The {{ file:./path }} helper reads the file content at apply time, so you can keep your PEM files separate from the YAML declaration.

Attaching to a project

projects:
  production:
    attachments:
      vaults:
        x509_certs: [signing-cert]

Wiring to a container

Once attached to a project, reference the certificate in a container definition:

containers:
  api:
    project: production
    image: ghcr.io/myorg/api:latest
    vaults:
      x509_certs:
        - handle: signing-cert
          mountpath: /etc/certs

The certificate file is mounted as cert.pem under the specified mount path.

Rotation

To rotate, update the PEM file on disk and run reis apply again. A new version is created and marked current. Previous versions are retained for rollback.
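A check to run on the PEM files pulled in by the {{ file:./path }} helper before a first apply or a rotation, since whatever the file contains is what gets stored as a version and mounted as cert.pem. This is an added example, not part of Reis or its documentation. It assumes relative paths resolve against the directory holding bahriya.yml, and it inspects every file helper in the manifest, not only those under x509_certs.

```python
import base64
import re
from pathlib import Path

# Matches the {{ file:./path }} helper syntax shown on this page.
FILE_REF = re.compile(r"\{\{\s*file:(\S+?)\s*\}\}")
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

# Constructed samples: the base64 body is a tiny DER SEQUENCE, not a real certificate or key.
SAMPLE_YAML = 'vaults:\n  x509_certs:\n    signing-cert:\n      cert: "{{ file:./certs/signing.crt }}"\n'
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nMAMCAQE=\n-----END PRIVATE KEY-----\n"

def file_refs(yaml_text):
    """Return every path referenced through the file helper."""
    return FILE_REF.findall(yaml_text)

def check_pem(pem_text):
    """Return a list of problems; an empty list means nothing was flagged."""
    problems = []
    blocks = PEM_BLOCK.findall(pem_text)
    if not any(label == "CERTIFICATE" for label, _ in blocks):
        problems.append("no CERTIFICATE block found")
    for label, body in blocks:
        if "PRIVATE KEY" in label:
            # A cert+key bundle would put the key wherever the certificate goes.
            problems.append(f"{label} block present: keep keys out of x509_certs")
        elif label != "CERTIFICATE":
            problems.append(f"unexpected PEM block: {label}")
        else:
            try:
                der = base64.b64decode("".join(body.split()), validate=True)
            except ValueError:
                problems.append("CERTIFICATE body is not valid base64")
                continue
            if not der.startswith(b"\x30"):  # a DER certificate is an ASN.1 SEQUENCE
                problems.append("CERTIFICATE body is not a DER SEQUENCE")
    return problems

def check_manifest(yaml_path):
    """Check each referenced file; returns {path: [problems]} (path resolution is an assumption)."""
    manifest = Path(yaml_path)
    results = {}
    for ref in file_refs(manifest.read_text()):
        try:
            results[ref] = check_pem((manifest.parent / ref).read_text())
        except OSError as exc:
            results[ref] = [f"cannot read file: {exc.strerror}"]
    return results
```

Run check_manifest("bahriya.yml") before reis apply and stop if any path maps to a non-empty list.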
