Patch to support VAULT_HTTP_PROXY variable (#12582)

* patch to support VAULT_HTTP_PROXY variable * simplify the proxy replacement * internal code review * rename to VAULT_HTTP_PROXY, apply within ReadEnvironment * clean up some unintended whitespace changes * add docs for the new env variable and a changelog entry Co-authored-by: Dave Du Cros <davidducros@gmail.com>
hashicorp · Oct 6, 2021 · 547e4c9 · 547e4c9
1 parent d33ad08
commit 547e4c9
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 0 deletions.
diff --git a/api/client.go b/api/client.go
@@ -42,6 +42,7 @@ const (
 	EnvVaultToken         = "VAULT_TOKEN"
 	EnvVaultMFA           = "VAULT_MFA"
 	EnvRateLimit          = "VAULT_RATE_LIMIT"
+	EnvHTTPProxy          = "VAULT_HTTP_PROXY"
 )
 
 // Deprecated values
@@ -271,6 +272,7 @@ func (c *Config) ReadEnvironment() error {
 	var envMaxRetries *uint64
 	var envSRVLookup bool
 	var limit *rate.Limiter
+	var envHTTPProxy string
 
 	// Parse the environment variables
 	if v := os.Getenv(EnvVaultAddress); v != "" {
@@ -339,6 +341,10 @@ func (c *Config) ReadEnvironment() error {
 		envTLSServerName = v
 	}
 
+	if v := os.Getenv(EnvHTTPProxy); v != "" {
+		envHTTPProxy = v
+	}
+
 	// Configure the HTTP clients TLS configuration.
 	t := &TLSConfig{
 		CACert:        envCACert,
@@ -375,6 +381,16 @@ func (c *Config) ReadEnvironment() error {
 		c.Timeout = envClientTimeout
 	}
 
+	if envHTTPProxy != "" {
+		url, err := url.Parse(envHTTPProxy)
+		if err != nil {
+			return err
+		}
+
+		transport := c.HttpClient.Transport.(*http.Transport)
+		transport.Proxy = http.ProxyURL(url)
+	}
+
 	return nil
 }
 

diff --git a/changelog/12582.txt b/changelog/12582.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+api: Support VAULT_HTTP_PROXY environment variable to allow overriding the Vault client's HTTP proxy
+```
diff --git a/website/content/docs/commands/index.mdx b/website/content/docs/commands/index.mdx
@@ -323,6 +323,12 @@ can be supplied. If a MFA method expects multiple credential values, or if there
 are multiple MFA methods specified on a path, then the CLI flag `-mfa` should be
 used.
 
+### `VAULT_HTTP_PROXY`
+
+HTTP proxy location which should be used to access Vault. When present, this
+overrides any other proxies found in the environment. Format should be
+`http://server:port`.
+
 ## Flags
 
 There are different CLI flags that are available depending on subcommands. Some