Feat: support retrieving secrets from Vault where the listener ssl ce…

…rtificate is not a puppet cert This duplicates the options on the client.post for get_auth_token() Without it the puppet agent successfully retrieves a token but cannot connect to Vault to retrieve a secret.
voxpupuli · Aug 4, 2022 · 8c0fce7 · 8c0fce7
1 parent ea9bae4
commit 8c0fce7
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/lib/puppet/functions/vault_lookup/lookup.rb b/lib/puppet/functions/vault_lookup/lookup.rb
@@ -60,7 +60,9 @@ def auth_login_body(vault_cert_role)
 
   def get_secret(client, uri, token, namespace)
     headers = { 'X-Vault-Token' => token, 'X-Vault-Namespace' => namespace }.delete_if { |_key, value| value.nil? }
-    secret_response = client.get(uri, headers: headers)
+    secret_response = client.get(uri,
+                                 headers: headers,
+                                 options: { include_system_store: true })
     unless secret_response.success?
       message = "Received #{secret_response.code} response code from vault at #{uri} for secret lookup"
       raise Puppet::Error, append_api_errors(message, secret_response)