Description
Use Case
Currently, a separate workaround is required when deploying splunk_hec to a FIPS environment.
As of Puppetserver 7.8.0, it's possible to use the ssl_trust_store
setting in the Puppet HTTP Client by providing include_system_store
as an option when doing the request.
https://tickets.puppetlabs.com/browse/SERVER-2944
This would eliminate the need to append our internal CA to localcacert
and the need to work around this limitation:
Keep in mind that this file will be overwritten any time the puppetserver is upgraded to a new version and this step will have to be done again.
Describe the Solution You Would Like
An additional parameter that would let us use include_system_store
for FIPS. Given the need for compatibility with older Puppetserver versions I understand why it couldn't be on by default.
Bonus points for being able to opt-in to the Puppet.runtime[:http]
client as well on non-FIPS. It would save us from having to set the ssl_ca
separately for the Splunk HEC and just use the ssl_trust_store
we're already setting.
Here's an example of how we took advantage of this feature to make an internal tool FIPS compatible:
```ruby
require 'puppet' # provides Puppet.runtime[:http]
uri = URI('https://hec.example.internal:8088/services/collector/event') # placeholder endpoint
somejson = '{"event":"example"}'                                        # placeholder JSON body
options = {
  include_system_store: true # also trust the CAs in Puppetserver's ssl_trust_store (7.8.0+)
}
client = Puppet.runtime[:http]
response = client.post(uri, somejson, options: options)
```
Describe Alternatives You've Considered
Keep the existing workaround and automate the adjustments needed to localcacert.
Additional Context
Puppet Enterprise FIPS currently has an issue where the CA Store is invalid. I'm told PE-34416 is the internal tracking number for that issue but I can't even access it myself.