mirrors/aports
1
0
Fork 0
mirror of https://gitlab.alpinelinux.org/alpine/aports.git synced 2026-05-04 20:06:43 +02:00
Code Issues Packages Projects Releases Wiki Activity
aports/community/consul-template/consul-template.hcl

352 lines
16 KiB
HCL
Raw Blame History

# This denotes the start of the configuration section for Consul. All values
# contained in this section pertain to Consul.
consul {
# This block specifies the basic authentication information to pass with the
# request. For more information on authentication, please see the Consul
# documentation.
auth {
enabled = true
username = "test"
password = "test"
}
# This is the address of the Consul agent. By default, this is
# 127.0.0.1:8500, which is the default bind and port for a local Consul
# agent. It is not recommended that you communicate directly with a Consul
# server, and instead communicate with the local Consul agent. There are many
# reasons for this, most importantly the Consul agent is able to multiplex
# connections to the Consul server and reduce the number of open HTTP
# connections. Additionally, it provides a "well-known" IP address for which
# clients can connect.
address = "127.0.0.1:8500"
# This is the ACL token to use when connecting to Consul. If you did not
# enable ACLs on your Consul cluster, you do not need to set this option.
#
# This option is also available via the environment variable CONSUL_TOKEN.
token = "abcd1234"
# This controls the retry behavior when an error is returned from Consul.
# Consul Template is highly fault tolerant, meaning it does not exit in the
# face of failure. Instead, it uses exponential back-off and retry functions
# to wait for the cluster to become available, as is customary in distributed
# systems.
retry {
# This enabled retries. Retries are enabled by default, so this is
# redundant.
enabled = true
# This specifies the number of attempts to make before giving up. Each
# attempt adds the exponential backoff sleep time. Setting this to
# zero will implement an unlimited number of retries.
attempts = 12
# This is the base amount of time to sleep between retry attempts. Each
# retry sleeps for an exponent of 2 longer than this base. For 5 retries,
# the sleep times would be: 250ms, 500ms, 1s, 2s, then 4s.
backoff = "250ms"
# This is the maximum amount of time to sleep between retry attempts.
# When max_backoff is set to zero, there is no upper limit to the
# exponential sleep between retry attempts.
# If max_backoff is set to 10s and backoff is set to 1s, sleep times
# would be: 1s, 2s, 4s, 8s, 10s, 10s, ...
max_backoff = "1m"
}
# This block configures the SSL options for connecting to the Consul server.
ssl {
# This enables SSL. Specifying any option for SSL will also enable it.
enabled = true
# This enables SSL peer verification. The default value is "true", which
# will check the global CA chain to make sure the given certificates are
# valid. If you are using a self-signed certificate that you have not added
# to the CA chain, you may want to disable SSL verification. However, please
# understand this is a potential security vulnerability.
verify = false
# This is the path to the certificate to use to authenticate. If just a
# certificate is provided, it is assumed to contain both the certificate and
# the key to convert to an X509 certificate. If both the certificate and
# key are specified, Consul Template will automatically combine them into an
# X509 certificate for you.
cert = "/path/to/client/cert"
key = "/path/to/client/key"
# This is the path to the certificate authority to use as a CA. This is
# useful for self-signed certificates or for organizations using their own
# internal certificate authority.
ca_cert = "/path/to/ca"
# This is the path to a directory of PEM-encoded CA cert files. If both
# `ca_cert` and `ca_path` is specified, `ca_cert` is preferred.
ca_path = "path/to/certs/"
# This sets the SNI server name to use for validation.
server_name = "my-server.com"
}
}
# This is the signal to listen for to trigger a reload event. The default
# value is shown below. Setting this value to the empty string will cause CT
# to not listen for any reload signals.
reload_signal = "SIGHUP"
# This is the signal to listen for to trigger a graceful stop. The default
# value is shown below. Setting this value to the empty string will cause CT
# to not listen for any graceful stop signals.
kill_signal = "SIGINT"
# This is the maximum interval to allow "stale" data. By default, only the
# Consul leader will respond to queries; any requests to a follower will
# forward to the leader. In large clusters with many requests, this is not as
# scalable, so this option allows any follower to respond to a query, so long
# as the last-replicated data is within these bounds. Higher values result in
# less cluster load, but are more likely to have outdated data.
max_stale = "10m"
# This is the log level. If you find a bug in Consul Template, please enable
# debug logs so we can help identify the issue. This is also available as a
# command line flag.
log_level = "warn"
# This is the path to store a PID file which will contain the process ID of the
# Consul Template process. This is useful if you plan to send custom signals
# to the process.
pid_file = "/path/to/pid"
# This is the quiescence timers; it defines the minimum and maximum amount of
# time to wait for the cluster to reach a consistent state before rendering a
# template. This is useful to enable in systems that have a lot of flapping,
# because it will reduce the the number of times a template is rendered.
wait {
min = "5s"
max = "10s"
}
# This denotes the start of the configuration section for Vault. All values
# contained in this section pertain to Vault.
vault {
# This is the address of the Vault leader. The protocol (http(s)) portion
# of the address is required.
address = "https://vault.service.consul:8200"
# This is the grace period between lease renewal of periodic secrets and secret
# re-acquisition. When renewing a secret, if the remaining lease is less than or
# equal to the configured grace, Consul Template will request a new credential.
# This prevents Vault from revoking the credential at expiration and Consul
# Template having a stale credential.
#
# Note: If you set this to a value that is higher than your default TTL or
# max TTL, Consul Template will always read a new secret!
grace = "5m"
# This is the token to use when communicating with the Vault server.
# Like other tools that integrate with Vault, Consul Template makes the
# assumption that you provide it with a Vault token; it does not have the
# incorporated logic to generate tokens via Vault's auth methods.
#
# This value can also be specified via the environment variable VAULT_TOKEN.
token = "abcd1234"
# This tells Consul Template that the provided token is actually a wrapped
# token that should be unwrapped using Vault's cubbyhole response wrapping
# before being used. Please see Vault's cubbyhole response wrapping
# documentation for more information.
unwrap_token = true
# This option tells Consul Template to automatically renew the Vault token
# given. If you are unfamiliar with Vault's architecture, Vault requires
# tokens be renewed at some regular interval or they will be revoked. Consul
# Template will automatically renew the token at half the lease duration of
# the token. The default value is true, but this option can be disabled if
# you want to renew the Vault token using an out-of-band process.
#
# Note that secrets specified in a template (using {{secret}} for example)
# are always renewed, even if this option is set to false. This option only
# applies to the top-level Vault token itself.
renew_token = true
# This section details the retry options for connecting to Vault. Please see
# the retry options in the Consul section for more information (they are the
# same).
retry {
# ...
}
# This section details the SSL options for connecting to the Vault server.
# Please see the SSL options in the Consul section for more information (they
# are the same).
ssl {
# ...
}
}
# This block defines the configuration for connecting to a syslog server for
# logging.
syslog {
# This enables syslog logging. Specifying any other option also enables
# syslog logging.
enabled = true
# This is the name of the syslog facility to log to.
facility = "LOCAL5"
}
# This block defines the configuration for de-duplication mode. Please see the
# de-duplication mode documentation later in the README for more information
# on how de-duplication mode operates.
deduplicate {
# This enables de-duplication mode. Specifying any other options also enables
# de-duplication mode.
enabled = true
# This is the prefix to the path in Consul's KV store where de-duplication
# templates will be pre-rendered and stored.
prefix = "consul-template/dedup/"
}
# This block defines the configuration for exec mode. Please see the exec mode
# documentation at the bottom of this README for more information on how exec
# mode operates and the caveats of this mode.
exec {
# This is the command to exec as a child process. There can be only one
# command per Consul Template process.
command = "/usr/bin/app"
# This is a random splay to wait before killing the command. The default
# value is 0 (no wait), but large clusters should consider setting a splay
# value to prevent all child processes from reloading at the same time when
# data changes occur. When this value is set to non-zero, Consul Template
# will wait a random period of time up to the splay value before reloading
# or killing the child process. This can be used to prevent the thundering
# herd problem on applications that do not gracefully reload.
splay = "5s"
env {
# This specifies if the child process should not inherit the parent
# process's environment. By default, the child will have full access to the
# environment variables of the parent. Setting this to true will send only
# the values specified in `custom_env` to the child process.
pristine = false
# This specifies additional custom environment variables in the form shown
# below to inject into the child's runtime environment. If a custom
# environment variable shares its name with a system environment variable,
# the custom environment variable takes precedence. Even if pristine,
# whitelist, or blacklist is specified, all values in this option
# are given to the child process.
custom = ["PATH=$PATH:/etc/myapp/bin"]
# This specifies a list of environment variables to exclusively include in
# the list of environment variables exposed to the child process. If
# specified, only those environment variables matching the given patterns
# are exposed to the child process. These strings are matched using Go's
# glob function, so wildcards are permitted.
whitelist = ["CONSUL_*"]
# This specifies a list of environment variables to exclusively prohibit in
# the list of environment variables exposed to the child process. If
# specified, any environment variables matching the given patterns will not
# be exposed to the child process, even if they are whitelisted. The values
# in this option take precedence over the values in the whitelist.
# These strings are matched using Go's glob function, so wildcards are
# permitted.
blacklist = ["VAULT_*"]
}
# This defines the signal that will be sent to the child process when a
# change occurs in a watched template. The signal will only be sent after the
# process is started, and the process will only be started after all
# dependent templates have been rendered at least once. The default value is
# nil, which tells Consul Template to stop the child process and spawn a new
# one instead of sending it a signal. This is useful for legacy applications
# or applications that cannot properly reload their configuration without a
# full reload.
reload_signal = ""
# This defines the signal sent to the child process when Consul Template is
# gracefully shutting down. The application should begin a graceful cleanup.
# If the application does not terminate before the `kill_timeout`, it will
# be terminated (effectively "kill -9"). The default value is "SIGTERM".
kill_signal = "SIGINT"
# This defines the amount of time to wait for the child process to gracefully
# terminate when Consul Template exits. After this specified time, the child
# process will be force-killed (effectively "kill -9"). The default value is
# "30s".
kill_timeout = "2s"
}
# This block defines the configuration for a template. Unlike other blocks,
# this block may be specified multiple times to configure multiple templates.
# It is also possible to configure templates via the CLI directly.
template {
# This is the source file on disk to use as the input template. This is often
# called the "Consul Template template". This option is required if not using
# the `contents` option.
source = "/path/on/disk/to/template.ctmpl"
# This is the destination path on disk where the source template will render.
# If the parent directories do not exist, Consul Template will attempt to
# create them, unless create_dest_dirs is false.
destination = "/path/on/disk/where/template/will/render.txt"
# This options tells Consul Template to create the parent directories of the
# destination path if they do not exist. The default value is true.
create_dest_dirs = true
# This option allows embedding the contents of a template in the configuration
# file rather then supplying the `source` path to the template file. This is
# useful for short templates. This option is mutually exclusive with the
# `source` option.
contents = "{{ keyOrDefault \"service/redis/maxconns@east-aws\" \"5\" }}"
# This is the optional command to run when the template is rendered. The
# command will only run if the resulting template changes. The command must
# return within 30s (configurable), and it must have a successful exit code.
# Consul Template is not a replacement for a process monitor or init system.
command = "restart service foo"
# This is the maximum amount of time to wait for the optional command to
# return. Default is 30s.
command_timeout = "60s"
# Exit with an error when accessing a struct or map field/key that does not
# exist. The default behavior will print "<no value>" when accessing a field
# that does not exist. It is highly recommended you set this to "true" when
# retrieving secrets from Vault.
error_on_missing_key = false
# This is the permission to render the file. If this option is left
# unspecified, Consul Template will attempt to match the permissions of the
# file that already exists at the destination path. If no file exists at that
# path, the permissions are 0644.
perms = 0600
# This option backs up the previously rendered template at the destination
# path before writing a new one. It keeps exactly one backup. This option is
# useful for preventing accidental changes to the data without having a
# rollback strategy.
backup = true
# These are the delimiters to use in the template. The default is "{{" and
# "}}", but for some templates, it may be easier to use a different delimiter
# that does not conflict with the output file itself.
left_delimiter = "{{"
right_delimiter = "}}"
# This is the `minimum(:maximum)` to wait before rendering a new template to
# disk and triggering a command, separated by a colon (`:`). If the optional
# maximum value is omitted, it is assumed to be 4x the required minimum value.
# This is a numeric time with a unit suffix ("5s"). There is no default value.
# The wait value for a template takes precedence over any globally-configured
# wait.
wait {
min = "2s"
max = "10s"
}
}
Reference in New Issue View Git Blame Copy Permalink