Add comments about optional base64 encoding

hashicorp · Aug 15, 2023 · d50e787 · d50e787
1 parent 0584c89
commit d50e787
Showing 1 changed file with 5 additions and 2 deletions.
diff --git a/subcommand/injector/flags.go b/subcommand/injector/flags.go
@@ -61,7 +61,9 @@ type Specification struct {
 	VaultAddr string `split_words:"true"`
 
 	// VaultCACertBytes is the AGENT_INJECT_VAULT_CACERT_BYTES environment variable.
-	// Specifies the CA cert to trust for TLS with Vault.
+	// Specifies the CA cert to trust for TLS with Vault as a PEM-encoded
+	// certificate or bundle. The multi-line PEM contents may optionally be base64
+	// encoded to avoid line breaks.
 	VaultCACertBytes string `envconfig:"AGENT_INJECT_VAULT_CACERT_BYTES"`
 
 	// ProxyAddr is the AGENT_INJECT_PROXY_ADDR environment variable.
@@ -164,7 +166,8 @@ func (c *Command) init() {
 	c.flagSet.StringVar(&c.flagVaultService, "vault-address", "",
 		"Address of the Vault server.")
 	c.flagSet.StringVar(&c.flagVaultCACertBytes, "vault-cacert-bytes", "",
-		"CA certificate to trust for TLS with Vault, specified as a PEM-encoded certificate or bundle.")
+		"CA certificate to trust for TLS with Vault, specified as a PEM-encoded certificate or bundle. "+
+			"The multi-line PEM contents may optionally be base64 encoded to avoid line breaks.")
 	c.flagSet.StringVar(&c.flagProxyAddress, "proxy-address", "",
 		"HTTP proxy address used to talk to the Vault service.")
 	c.flagSet.StringVar(&c.flagVaultAuthType, "vault-auth-type", agent.DefaultVaultAuthType,