Problem
Vault gRPC server currently uses plaintext communication (add_insecure_port / insecure_channel). Authentication tokens are transmitted unencrypted over the network, making them vulnerable to interception.
Current state
- Server: server.add_insecure_port() in mcp/vault/vault_grpc_server.py:180
- Client: grpc.aio.insecure_channel() in rune/mcp/adapter/vault_client.py:138
- Tokens sent in every gRPC request as plaintext fields
- Documentation claims TLS but it is not implemented
Requirements
Code changes
- vault_grpc_server.py: add_insecure_port → add_secure_port with ssl_server_credentials
- vault_client.py: insecure_channel → secure_channel with ssl_channel_credentials
- TLS material configured through environment variables (VAULT_TLS_CERT, VAULT_TLS_KEY, VAULT_CA_CERT)
- Plaintext only when VAULT_TLS_DISABLE=true is explicitly set (dev-only escape hatch)
Developer-friendly deployment
- generate-certs.sh script that generates self-signed CA + server cert with one command
- .env.example with TLS-related variables
- docker-compose.yml to mount cert volumes
- vault-deployment.yml with TLS secret mounts
- vault/README.md updated to match the implementation
Affected files
- rune-admin/mcp/vault/vault_grpc_server.py
- rune/mcp/adapter/vault_client.py
- rune-admin/mcp/vault/.env.example
- rune-admin/mcp/vault/docker-compose.yml
- rune-admin/mcp/vault/vault-deployment.yml
- rune-admin/mcp/vault/README.md
Priority
Critical — This is the highest priority security gap. Without TLS, all other auth mechanisms (tokens, per-user permissions) are moot since credentials are exposed in transit.
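The fail-closed wiring the "Code changes" requirements describe, as an added example that is not code from the rune repository: the VAULT_* variable names and the grpc calls are the ones the issue names, while TlsConfig, validate_tls_env, load_tls_config, bind_server and open_channel are assumed helper names.

```python
import os
from dataclasses import dataclass
from typing import Mapping, Optional

# Added example (not the rune repository's code); helper names are assumptions.

@dataclass(frozen=True)
class TlsConfig:
    cert_path: Optional[str]  # VAULT_TLS_CERT: server certificate (PEM)
    key_path: Optional[str]   # VAULT_TLS_KEY: server private key (PEM)
    ca_path: Optional[str]    # VAULT_CA_CERT: CA the client trusts (from generate-certs.sh)
    disabled: bool            # True only when VAULT_TLS_DISABLE is exactly "true"

def tls_disabled(env: Mapping[str, str]) -> bool:
    # Only the literal "true" opens the dev-only escape hatch; "1", "yes" etc. do not.
    return env.get("VAULT_TLS_DISABLE", "").strip().lower() == "true"

def validate_tls_env(env: Mapping[str, str]) -> list:
    """Return configuration problems; empty means TLS can be enabled (or plaintext was opted into)."""
    if tls_disabled(env):
        return []
    return [f"{v} is not set" for v in ("VAULT_TLS_CERT", "VAULT_TLS_KEY") if not env.get(v)]

def load_tls_config(env: Mapping[str, str] = os.environ) -> TlsConfig:
    problems = validate_tls_env(env)
    if problems:  # never fall back to plaintext silently
        raise RuntimeError("TLS is required: " + "; ".join(problems)
                           + " (set VAULT_TLS_DISABLE=true for local development only)")
    return TlsConfig(env.get("VAULT_TLS_CERT"), env.get("VAULT_TLS_KEY"),
                     env.get("VAULT_CA_CERT"), tls_disabled(env))

def bind_server(server, address: str, cfg: TlsConfig) -> int:
    """Server: add_insecure_port -> add_secure_port with ssl_server_credentials."""
    if cfg.disabled:
        return server.add_insecure_port(address)
    import grpc  # imported lazily so config validation runs without grpcio installed
    with open(cfg.key_path, "rb") as key, open(cfg.cert_path, "rb") as cert:
        creds = grpc.ssl_server_credentials([(key.read(), cert.read())])
    return server.add_secure_port(address, creds)

def open_channel(target: str, cfg: TlsConfig):
    """Client: insecure_channel -> secure_channel with ssl_channel_credentials."""
    import grpc
    if cfg.disabled:
        return grpc.aio.insecure_channel(target)
    root = None
    if cfg.ca_path:  # pin the self-signed CA; otherwise the system trust store is used
        with open(cfg.ca_path, "rb") as ca:
            root = ca.read()
    return grpc.aio.secure_channel(target, grpc.ssl_channel_credentials(root_certificates=root))
```

With this shape, a deployment that forgets the cert variables fails at startup instead of quietly serving tokens in plaintext, and the client only trusts the generated CA when VAULT_CA_CERT points at it.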