Open helloitszak opened 1 year ago
@helloitszak 👋 Thank you for opening this issue!
The integrations team currently has an internal ticket (PIE-1169) to investigate the changes required to eliminate the need for the SSL workaround in FIPS environments.
Use Case
Currently, a separate workaround is required when deploying splunk_hec to a FIPS environment.
As of Puppetserver 7.8.0, it's possible to use the `ssl_trust_store` setting in the Puppet HTTP Client by providing `include_system_store` as an option when doing the request. https://tickets.puppetlabs.com/browse/SERVER-2944
This would eliminate the need to append our internal CA to `localcacert` and the need to work around this limitation:
Describe the Solution You Would Like
An additional parameter that would let us use `include_system_store` for FIPS. Given the need for compatibility with older Puppetserver versions I understand why it couldn't be on by default.
Bonus points for being able to opt in to the `Puppet.runtime[:http]` client as well on non-FIPS. It would save us from having to set the `ssl_ca` separately for the Splunk HEC and just use the `ssl_trust_store` we're already setting.
Here's an example of how we took advantage of this feature to make an internal tool FIPS compatible:
Describe Alternatives You've Considered
Keep the existing workaround and automate the adjustments needed to `localcacert`.
Additional Context
Puppet Enterprise FIPS currently has an issue where the CA Store is invalid. I'm told PE-34416 is the internal tracking number for that issue but I can't even access it myself.