The HashiCorp Vault has an SSL certificate signed by the customer's internal PKI
The BIG-IP instances (custom image on the Cloud) trust the internal PKI at OS-level and early-stage
CA certificates (/config/ssl/ssl.crt/ca-bundle.crt) are changed at the f5-generator/custom image stage
curl to the Vault URL shows the Vault's SSL cert is trusted
Runtime-init connection to Vault doesn't trust that internal PKI cert. My understanding is that
Node.js hardcodes the CAs it trusts
some other CA file can be specified in the code, such as the example here
Node.js has the capability to use additional trusted CAs with the environment variable NODE_EXTRA_CA_CERTS. But it looks like it's supported since v7.3.0 (and backported to LTS versions 6.10.0 / 4.8.0). Is it usable in runtime-init, since the BIG-IP uses the EOL release v6.9.1?
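The two options raised in the post, as an added example that is not runtime-init's own code: a version check against the releases the post lists for NODE_EXTRA_CA_CERTS, and a per-request `ca` option loaded from the BIG-IP bundle for releases that predate it. The function names, the hostname `vault.example.internal`, port 8200 and the `/v1/sys/health` path are assumptions for illustration.

```javascript
'use strict';
// Added example, not runtime-init code: trust an internal CA per request on
// Node.js releases that predate NODE_EXTRA_CA_CERTS.
const fs = require('fs');
const https = require('https');

// First releases that honour NODE_EXTRA_CA_CERTS, as listed in the post.
const FIRST_SUPPORTED = { 4: [4, 8, 0], 6: [6, 10, 0], 7: [7, 3, 0] };

// True when this Node.js version reads NODE_EXTRA_CA_CERTS at startup.
function supportsExtraCaCerts(version) {
  const v = version.replace(/^v/, '').split('.').map(Number);
  if (v[0] > 7) return true;
  const min = FIRST_SUPPORTED[v[0]];
  if (!min) return false; // 5.x and anything older than 4.x
  for (let i = 0; i < 3; i++) {
    if (v[i] !== min[i]) return v[i] > min[i];
  }
  return true;
}

// Split a PEM bundle into one string per certificate so every CA in the
// file is loaded, whatever the runtime does with concatenated PEM input.
function splitPemBundle(text) {
  const re = /-----BEGIN CERTIFICATE-----[\s\S]*?-----END CERTIFICATE-----/g;
  return text.match(re) || [];
}

// Options for https.request/https.get that verify the server against the
// CAs in bundlePath. Supplying `ca` replaces Node's built-in root list.
function vaultRequestOptions(hostname, port, path, bundlePath) {
  const cas = splitPemBundle(fs.readFileSync(bundlePath, 'utf8'));
  if (cas.length === 0) throw new Error('no certificates in ' + bundlePath);
  return { hostname: hostname, port: port, path: path, ca: cas,
           rejectUnauthorized: true }; // verification stays on
}

// GET a path from Vault and report the HTTP status to cb(err, status).
function getFromVault(hostname, port, path, bundlePath, cb) {
  const opts = vaultRequestOptions(hostname, port, path, bundlePath);
  https.get(opts, res => { res.resume(); cb(null, res.statusCode); })
       .on('error', cb);
}

// Usage (hostname, port and path are placeholders; bundle path is from the post):
// getFromVault('vault.example.internal', 8200, '/v1/sys/health',
//              '/config/ssl/ssl.crt/ca-bundle.crt', console.log);
console.log('NODE_EXTRA_CA_CERTS honoured here:',
            supportsExtraCaCerts(process.version));
```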