Patch to support VAULT_HTTP_PROXY variable (#12582)

* patch to support VAULT_HTTP_PROXY variable * simplify the proxy replacement * internal code review * rename to VAULT_HTTP_PROXY, apply within ReadEnvironment * clean up some unintended whitespace changes * add docs for the new env variable and a changelog entry Co-authored-by: Dave Du Cros <davidducros@gmail.com>
2021-10-06 17:40:31 +01:00 · 2021-10-06 17:40:31 +01:00 · 79662d0842
parent 1549af7e53
commit 79662d0842
3 changed files with 25 additions and 0 deletions
--- a/api/client.go
+++ b/api/client.go
@ -42,6 +42,7 @@ const (
 	EnvVaultToken         = "VAULT_TOKEN"
 	EnvVaultMFA           = "VAULT_MFA"
 	EnvRateLimit          = "VAULT_RATE_LIMIT"
+	EnvHTTPProxy          = "VAULT_HTTP_PROXY"
 )

 // Deprecated values
@ -271,6 +272,7 @@ func (c *Config) ReadEnvironment() error {
 	var envMaxRetries *uint64
 	var envSRVLookup bool
 	var limit *rate.Limiter
+	var envHTTPProxy string

 	// Parse the environment variables
 	if v := os.Getenv(EnvVaultAddress); v != "" {
@ -339,6 +341,10 @@ func (c *Config) ReadEnvironment() error {
 		envTLSServerName = v
 	}

+	if v := os.Getenv(EnvHTTPProxy); v != "" {
+		envHTTPProxy = v
+	}
+
 	// Configure the HTTP clients TLS configuration.
 	t := &TLSConfig{
 		CACert:        envCACert,
@ -375,6 +381,16 @@ func (c *Config) ReadEnvironment() error {
 		c.Timeout = envClientTimeout
 	}

+	if envHTTPProxy != "" {
+		url, err := url.Parse(envHTTPProxy)
+		if err != nil {
+			return err
+		}
+
+		transport := c.HttpClient.Transport.(*http.Transport)
+		transport.Proxy = http.ProxyURL(url)
+	}
+
 	return nil
 }

--- a/changelog/12582.txt
+++ b/changelog/12582.txt
@ -0,0 +1,3 @@
+```release-note:improvement
+api: Support VAULT_HTTP_PROXY environment variable to allow overriding the Vault client's HTTP proxy
+```
--- a/website/content/docs/commands/index.mdx
+++ b/website/content/docs/commands/index.mdx
@ -323,6 +323,12 @@ can be supplied. If a MFA method expects multiple credential values, or if there
 are multiple MFA methods specified on a path, then the CLI flag `-mfa` should be
 used.

+### `VAULT_HTTP_PROXY`
+
+HTTP proxy location which should be used to access Vault. When present, this
+overrides any other proxies found in the environment. Format should be
+`http://server:port`.
+
 ## Flags

 There are different CLI flags that are available depending on subcommands. Some