saltstack / salt


[BUG] 3007.1 fail to write to vault when using self-signed certificates (verify config not honored) #66597

Closed sblaisot closed 1 month ago

sblaisot commented 1 month ago

Description

When using vault to store secrets and using a self-signed certificate configured using

vault:
  url: https://vaultserver
  verify: /etc/ssl/certs/vaultcert.crt

vault kv read is fine but vault kv write fails with

2024-05-28 13:08:52,135 [salt.loaded.int.module.vault:825 ][ERROR   ][403263] Failed to write secret! SSLError: HTTPSConnectionPool(host='vault.service.consul.int.cozycloud.cc', port=8200): Max retries exceeded with url: /v1/sys/wrapping/unwrap (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1007)')))

In pillar, this works:

{% set root_password = salt['vault'].read_secret('secret/path', default=None) %}

but this fails:

{%   do salt['vault'].write_secret('secret/path', password=root_password) %}

At least these two lines are missing the parameter verify=self._requests_verify:

Everything was working fine with the exact same config in salt 3005.5

Setup

Salt 3007.1 with HashiCorp Vault backend

lkubb commented 1 month ago

This is a duplicate of https://github.com/saltstack/salt/issues/66213.

It's only the first line that's missing verify=self._requests_verify, the second one ends up in request_raw, which does include it.

Fix: https://github.com/saltstack/salt/pull/66215

Note that https://github.com/salt-extensions/saltext-vault does not have this issue (anymore).

You can work around this issue by specifying the expected root certificate inline*; this part of the verify handling is not broken by the omission of the parameter.

* like this:


# /etc/salt/master.d/vault.conf

vault:
  # ...
  server:
    # ...
    verify: |
      -----BEGIN CERTIFICATE-----
      # ...
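The root cause described in this thread is a single `requests` call in a wrapper that did not forward `verify=self._requests_verify`, so only that code path fell back to the system CA bundle and failed against the self-signed certificate. Below is an added example (not Salt's or saltext-vault's code) of a small AST-based check that flags HTTP-style calls missing an explicit `verify=` keyword, so this kind of omission is caught in CI rather than at runtime. The `VaultClient` sample module it scans is constructed to resemble the bug (read path verified, unwrap path not) and is not the real Salt module.

```python
"""Static check: report requests-style HTTP calls that omit an explicit verify= argument.

Added example, not Salt's code. Walks a module's AST and flags every call to a
get/post/put/patch/delete/head/request attribute that carries no ``verify``
keyword (and no ``**kwargs`` splat that might supply it).
"""
import ast
from typing import List, Tuple

# Method names typically used on the requests module or a requests.Session.
HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "request"}


def find_calls_without_verify(source: str) -> List[Tuple[int, str]]:
    """Return (line number, callee text) for HTTP-style calls lacking verify=."""
    tree = ast.parse(source)
    findings: List[Tuple[int, str]] = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if not (isinstance(func, ast.Attribute) and func.attr in HTTP_METHODS):
            continue
        kwarg_names = {kw.arg for kw in node.keywords}
        # kw.arg is None for a **splat, which may carry verify; don't flag it.
        if "verify" in kwarg_names or None in kwarg_names:
            continue
        findings.append((node.lineno, ast.unparse(func)))
    return findings


# Constructed sample module (hypothetical client, not the Salt module):
# read_secret and write_secret forward verify, unwrap does not.
SAMPLE_MODULE = '''
import requests

class VaultClient:
    def __init__(self, url, verify):
        self.url = url
        self._requests_verify = verify

    def read_secret(self, path, token):
        return requests.get(f"{self.url}/v1/{path}",
                            headers={"X-Vault-Token": token},
                            verify=self._requests_verify)

    def unwrap(self, wrapped_token):
        # Missing verify=: falls back to the system CA bundle and fails with
        # CERTIFICATE_VERIFY_FAILED against a self-signed server certificate.
        return requests.post(f"{self.url}/v1/sys/wrapping/unwrap",
                             headers={"X-Vault-Token": wrapped_token})

    def write_secret(self, path, token, **data):
        return requests.post(f"{self.url}/v1/{path}", json=data,
                             headers={"X-Vault-Token": token},
                             verify=self._requests_verify)
'''


if __name__ == "__main__":
    for lineno, callee in find_calls_without_verify(SAMPLE_MODULE):
        print(f"line {lineno}: {callee}(...) has no verify= argument")
```

Run against the constructed sample, the check reports only the `unwrap` call, which mirrors the one unverified code path behind the `/v1/sys/wrapping/unwrap` error in the report above. Wiring a check like this into a test suite is a cheap way to make sure a `verify` setting is honored on every request path, not just the ones exercised manually.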
sblaisot commented 1 month ago

Thanks for the info!