Since the 1.1.0 release of Vault, it has the ability to do auto-auth lookup as a daemonized agent. This includes certs, so the approach in the function stays the same, but the auth token would be cached and automatically renewed when needed. Also, it would mean that lookups for certain secrets that have a long lease time.
However, this only works if the token is not given during lookup time, so the logic that does the cert auth and gets the token needs to be disabled for this to work.
I'm not sure how best to do this: a parameter that disables the token lookup (e.g. $d = Deferred('vault_lookup::lookup', ["secret/test", 'https://vault.hostname:8200', :cert_auth => disabled])) or a new function that has the same logic but is named differently (e.g. $d = Deferred('vault_lookup::lookup_agent', ["secret/test"])) that defaults to localhost:8200 or something like that.
petems changed the title from "[Feature Request] Ability not to do token authentication" to "[Feature Request] Ability not to do cert auth login as part of lookup" on Feb 15, 2020.
tl;dr:
vault_lookup should support unix sockets as VAULT_ADDR.
long version:
I looked into the agent + auto-auth mode offered by vault, and it adds the ability to bind the listener to a socket.
As it's possible for local users to abuse a network socket that's been pre-authenticated against Vault, I'd suggest using a unix socket protected by proper permissions (and SELinux Labels) to ward off that risk.
It's offered by more recent versions of consul-template as well.
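An added example, not code from the thread or the vault_lookup module, of the Vault Agent setup the two posts describe: cert auto-auth that keeps a renewed token cached so a lookup needs no login of its own, with the cache listener on a permission-restricted unix socket instead of a loopback TCP port. The cert role name, certificate paths and socket path are placeholders.

```hcl
# Added example Vault Agent configuration (not from the thread).
# Role name, certificate paths and socket path are placeholders.

vault {
  address = "https://vault.hostname:8200"
}

# Auto-auth performs the cert login once and keeps the token renewed,
# so a lookup sent through the agent carries no token of its own.
auto_auth {
  method "cert" {
    mount_path = "auth/cert"
    config = {
      name        = "puppet-agent"                               # placeholder cert role
      client_cert = "/etc/puppetlabs/puppet/ssl/certs/node.pem"  # placeholder paths
      client_key  = "/etc/puppetlabs/puppet/ssl/private_keys/node.pem"
      ca_cert     = "/etc/puppetlabs/puppet/ssl/certs/ca.pem"
    }
  }

  # Token sink on disk, readable only by the agent's own user.
  sink "file" {
    config = {
      path = "/run/vault-agent/token"
      mode = 0600
    }
  }
}

# Attach the auto-auth token to proxied requests and cache leased secrets.
cache {
  use_auto_auth_token = true
}

# Weak: every local process that can reach loopback TCP can use the
# pre-authenticated cache.
# listener "tcp" {
#   address     = "127.0.0.1:8200"
#   tls_disable = true
# }

# Preferred: a unix socket gated by ownership and mode (add an SELinux
# label on the socket path where the host uses SELinux).
listener "unix" {
  address      = "/run/vault-agent/agent.sock"
  socket_mode  = "0600"
  socket_user  = "root"
  socket_group = "root"
}
```

A client that understands unix-socket addresses would then be pointed at unix:///run/vault-agent/agent.sock, which is the VAULT_ADDR form the comment above asks vault_lookup to accept.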
Since the 1.1.0 release of Vault, it has the ability to do auto-auth lookup as a daemonized agent. This includes certs, so the approach in the function stays the same, but the auth token would be cached and automatically renewed when needed. Also, it would mean that lookups for certain secrets that have a long lease time.
I did a write-up of the whole process here: https://petersouter.xyz/vault-caching-with-auto-auth-and-puppet/
However, this only works if the token is not given during lookup time, so the logic that does the cert auth and gets the token needs to be disabled for this to work.
I'm not sure how best to do this: a parameter that disables the token lookup (e.g. $d = Deferred('vault_lookup::lookup', ["secret/test", 'https://vault.hostname:8200', :cert_auth => disabled])) or a new function that has the same logic but is named differently (e.g. $d = Deferred('vault_lookup::lookup_agent', ["secret/test"])) that defaults to localhost:8200 or something like that.
This would also resolve the issue of #7 & #16.