Patch to support VAULT_HTTP_PROXY variable

api/client.go

@@ -42,6 +42,7 @@ const (
 	EnvVaultToken         = "VAULT_TOKEN"
 	EnvVaultMFA           = "VAULT_MFA"
 	EnvRateLimit          = "VAULT_RATE_LIMIT"
+	EnvHTTPProxy          = "VAULT_HTTP_PROXY"
 )
 
 // Deprecated values
@@ -271,6 +272,7 @@ func (c *Config) ReadEnvironment() error {
 	var envMaxRetries *uint64
 	var envSRVLookup bool
 	var limit *rate.Limiter
+	var envHTTPProxy string
 
 	// Parse the environment variables
 	if v := os.Getenv(EnvVaultAddress); v != "" {
@@ -339,6 +341,10 @@ func (c *Config) ReadEnvironment() error {
 		envTLSServerName = v
 	}
 
+	if v := os.Getenv(EnvHTTPProxy); v != "" {
+		envHTTPProxy = v
+	}
+
 	// Configure the HTTP clients TLS configuration.
 	t := &TLSConfig{
 		CACert:        envCACert,
@@ -375,6 +381,16 @@ func (c *Config) ReadEnvironment() error {
 		c.Timeout = envClientTimeout
 	}
 
+	if envHTTPProxy != "" {
+		url, err := url.Parse(envHTTPProxy)
+		if err != nil {
+			return err
+		}
+
+		transport := c.HttpClient.Transport.(*http.Transport)
+		transport.Proxy = http.ProxyURL(url)
+	}
+
 	return nil
 }
 

changelog/12582.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+api: Support VAULT_HTTP_PROXY environment variable to allow overriding the Vault client's HTTP proxy
+```

website/content/docs/commands/index.mdx

@@ -323,6 +323,12 @@ can be supplied. If a MFA method expects multiple credential values, or if there
 are multiple MFA methods specified on a path, then the CLI flag `-mfa` should be
 used.
 
+### `VAULT_HTTP_PROXY`
+
+HTTP proxy location which should be used to access Vault. When present, this
+overrides any other proxies found in the environment. Format should be
+`http://server:port`.
+
 ## Flags
 
 There are different CLI flags that are available depending on subcommands. Some