Description
The URL /v1/auth/approle/login uses the proxy, but the subsequent URL /v1/sys/wrapping/unwrap ignores the proxy and gets a connection timeout.
When the plugin talks to Vault we see the initial login request. Then it sends an encrypted token to the build agent to use for its login. That phase is what's getting a timeout.
I think it is happening at this part of the doc: https://blog.jetbrains.com/teamcity/2017/09/vault/#how-it-works ("When a new build is started, the TeamCity server requests a one-time [response wrapping](https://www.vaultproject.io/docs/concepts/response-wrapping.html) token in Vault, and sends it to a build agent."), because the error is on the /v1/sys/wrapping/unwrap endpoint. We can see the login connection connects just fine with the proxy using Wireshark, and checking the Vault audit logs shows the 200 /v1/auth/approle/login connection as well. The /v1/sys/wrapping/unwrap never hits the Vault audit logs, and the network team confirmed it is being blocked because it is not using the proxy.
I am mocking some of the sensitive info in the error message below for security reasons but it shows the main error.
```
Failed to unwrap HashiCorp Vault token: Cannot login using org.springframework.web.client.ResourceAccessException: I/O error on POST request for "https://write.vault-REDACTED.com:443/v1/sys/wrapping/unwrap": Connect to write.vault-REDACTED.com:443 [write.vault-REDACTED.com/10.10.10.10] failed: Connect timed out; nested exception is org.apache.http.conn.ConnectTimeoutException: Connect to write.vault-REDACTED.com:443 [write.vault-REDACTED.com/10.10.10.10] failed: Connect timed out
```

The interesting part is I can log onto the TeamCity server and curl the approle endpoints and get the vault secrets just fine. I can do the same thing with the command line build runner using the build agent. The only thing I am not doing with curl is the wrapping/unwrap endpoint, because with the login I have the token to get the secrets I need. THIS is NOT a secure work around however, and I am hoping the community can come up with a solution for the plugin itself to have the wrapping/unwrap endpoint use the proxy as intended instead.
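The exchange described in the report, as an added example that is not code from the TeamCity Vault plugin or from Vault itself: a constructed proxy-only network reaches Vault only through the corporate proxy, a stand-in Vault implements the three endpoints named above (AppRole login, wrap, single-use unwrap), and the server/agent flow is run twice, once with the unwrap call carrying the same proxy as the login and once with the proxy dropped on that one call. The second run reproduces the symptom in the issue: a connect timeout, and no unwrap entry in the audit log. Host names, proxy address, role credentials and TTL are all constructed values.

```python
# Added example (not the plugin's code): models the response-wrapping exchange
# from the issue and shows why every Vault call, including /v1/sys/wrapping/unwrap,
# must carry the same proxy configuration as the login call.
import secrets
import time


class ConnectTimeout(Exception):
    """Stands in for the ConnectTimeoutException quoted in the issue."""


class FakeVault:
    """Constructed stand-in for the three Vault endpoints the issue mentions."""

    def __init__(self):
        self.audit = []                     # (path, status), like a Vault audit log
        self._wrapped = {}                  # wrapping token -> (payload, expiry)
        self.role_id = "role-example"       # constructed AppRole credentials
        self.secret_id = secrets.token_hex(8)

    def handle(self, path, body, token):
        if path == "/v1/auth/approle/login":
            ok = body == {"role_id": self.role_id, "secret_id": self.secret_id}
            self.audit.append((path, 200 if ok else 403))
            return {"auth": {"client_token": "s." + secrets.token_hex(8)}} if ok else None
        if path == "/v1/sys/wrapping/wrap":
            wrap_tok = "hvs.wrap-" + secrets.token_hex(8)
            self._wrapped[wrap_tok] = (body, time.time() + 60)   # constructed 60s TTL
            self.audit.append((path, 200))
            return {"wrap_info": {"token": wrap_tok}}
        if path == "/v1/sys/wrapping/unwrap":
            entry = self._wrapped.pop(token, None)               # single use: pop, not get
            if entry is None or entry[1] < time.time():
                self.audit.append((path, 400))
                return None
            self.audit.append((path, 200))
            return {"data": entry[0]}
        self.audit.append((path, 404))
        return None


class ProxyOnlyNetwork:
    """Constructed network: direct egress to Vault is blocked, only the proxy gets through."""

    def __init__(self, vault_host, proxy_host):
        self.vault_host, self.proxy_host = vault_host, proxy_host
        self.vault = FakeVault()

    def send(self, host, path, body, token, proxy):
        if host == self.vault_host and proxy != self.proxy_host:
            raise ConnectTimeout(f"Connect to {host}:443 failed: Connect timed out")
        return self.vault.handle(path, body, token)


class VaultClient:
    """One proxy setting, applied to every request this client makes."""

    def __init__(self, network, proxy):
        self.net, self.proxy = network, proxy

    def post(self, path, body=None, token=None):
        return self.net.send(self.net.vault_host, path, body or {}, token, self.proxy)


def run_exchange(network, unwrap_via_proxy=True):
    """Server logs in and wraps an agent token; the agent unwraps it.

    Returns the unwrapped token (or the error) plus the audit log and wrap token.
    """
    vault = network.vault
    server = VaultClient(network, network.proxy_host)
    login = server.post("/v1/auth/approle/login",
                        {"role_id": vault.role_id, "secret_id": vault.secret_id})
    client_token = login["auth"]["client_token"]
    wrap_tok = server.post("/v1/sys/wrapping/wrap", {"token": client_token},
                           token=client_token)["wrap_info"]["token"]
    # The bug in the issue is modelled as the agent's unwrap call carrying no proxy.
    agent = VaultClient(network, network.proxy_host if unwrap_via_proxy else None)
    try:
        data = agent.post("/v1/sys/wrapping/unwrap", token=wrap_tok)
    except ConnectTimeout as exc:
        return {"error": str(exc), "audit": list(vault.audit), "wrap_token": wrap_tok}
    return {"token": data["data"]["token"], "audit": list(vault.audit), "wrap_token": wrap_tok}


def unwrap_again(network, wrap_tok):
    """A second unwrap of the same wrapping token must fail (single use)."""
    return VaultClient(network, network.proxy_host).post("/v1/sys/wrapping/unwrap", token=wrap_tok)


if __name__ == "__main__":
    good = run_exchange(ProxyOnlyNetwork("write.vault-REDACTED.com", "proxy.example:3128"))
    print("proxied unwrap:", good["token"], good["audit"])
    bad = run_exchange(ProxyOnlyNetwork("write.vault-REDACTED.com", "proxy.example:3128"), False)
    print("unproxied unwrap:", bad["error"], bad["audit"])
```

The audit log in the failing run contains the login and wrap entries but nothing for unwrap, which is exactly the signature the reporter saw: the request never reaches Vault because it never reaches the proxy. The single-use check in `unwrap_again` is also why handing agents the AppRole token directly, as in the curl workaround, loses a real property: a wrapping token is good for one unwrap and a short TTL, whereas a client token is reusable until revoked.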