Details
Task
Status: Open
Normal
Resolution: Unresolved
Needs Assessment
Description
When running in puppet/puppetserver 7, the vault module should call the new HTTP API to communicate with Vault.
Current Behavior
Desired Behavior
If Puppet::PUPPET_VERSION.to_f >= 6.16 then have vault call the new API as follows (some error handling omitted):
require 'json'

client = Puppet.runtime[:http]
connection = client.connect(include_system_store: true)

# get auth token
response = connection.post('/v1/auth/cert/login', '', headers: { 'Content-Type' => 'text/plain', 'Accept' => 'application/json' })
if response.success?
  token = JSON.parse(response.body)['auth']['client_token']
else
  raise ...
end

# get secret
secret_response = connection.get("/v1/#{path}", headers: { 'X-Vault-Token' => token, 'Accept' => 'application/json' })
if secret_response.success?
  data = JSON.parse(secret_response.body)['data']
else
  raise ...
end
Note the new HTTP client will raise different classes of errors so that you don't need to handle all of the different Ruby exceptions (which vary across Ruby implementations and versions), for example:
begin
  # login and secret requests as above
rescue Puppet::HTTP::ResponseError => e
  puts "HTTP #{e.response.code} #{e.response.reason}"
rescue Puppet::HTTP::ConnectionError => e
  puts "Connection error #{e.message}"
rescue Puppet::SSL::SSLError => e
  puts "SSL error #{e.message}"
rescue Puppet::HTTP::HTTPError => e
  puts "General HTTP error #{e.message}"
end
See https://www.rubydoc.info/gems/puppet/Puppet/HTTP/Client for more details
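An added example, not part of the ticket or the vault module: the float comparison in the version gate treats Puppet 6.2 through 6.9 as at least 6.16, and `['auth']['client_token']` raises NoMethodError when `auth` is missing or null. The sketch below compares versions with Gem::Version and validates the login body; `VaultLoginError`, the helper names and the sample strings are assumptions made for illustration.

```ruby
require 'json'
require 'rubygems' # provides Gem::Version

# First Puppet release with the new HTTP client, per the ticket text.
NEW_HTTP_API_SINCE = Gem::Version.new('6.16')

# Hypothetical error class for this example.
class VaultLoginError < StandardError; end

# Float gate as written in the ticket: "6.9.0".to_f is 6.9, which is >= 6.16.
def float_gate?(puppet_version)
  puppet_version.to_f >= 6.16
end

# Segment-wise gate: compares 6.9 < 6.16 < 7.0 as release numbers.
def new_http_api?(puppet_version)
  Gem::Version.new(puppet_version) >= NEW_HTTP_API_SINCE
end

# Extract auth.client_token from a login response body without assuming its
# shape. Messages never include the body, so a token cannot end up in logs.
def client_token(body)
  doc = JSON.parse(body)
  auth = doc.is_a?(Hash) ? doc['auth'] : nil
  token = auth.is_a?(Hash) ? auth['client_token'] : nil
  unless token.is_a?(String) && !token.empty?
    raise VaultLoginError, 'login response has no auth.client_token'
  end
  token
rescue JSON::ParserError
  raise VaultLoginError, 'login response is not valid JSON'
end

if $PROGRAM_NAME == __FILE__
  # Constructed version strings standing in for Puppet::PUPPET_VERSION.
  %w[6.2.0 6.9.0 6.15.0 6.16.0 7.12.0].each do |v|
    puts format('%-8s float=%-5s gem_version=%s', v, float_gate?(v), new_http_api?(v))
  end
  # Constructed bodies: a success shape and an error shape.
  ['{"auth":{"client_token":"constructed-token"}}', '{"errors":["permission denied"]}'].each do |b|
    begin
      puts "token length #{client_token(b).length}"
    rescue VaultLoginError => e
      puts "rejected: #{e.message}"
    end
  end
end
```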
Issue Links
- relates to PUP-11471 Allow Puppet::HTTP::Client to connect to server trusted by the system trust store using the puppet certificate for client authentification (Resolved)