012c165b02
* Vault Agent Template: parse templates (#7540) * add template config parsing, but it's wrong b/c it's not using mapstructure * parsing consul templates in agent config * add additional test to configuration parsing, to cover basics * another test fixture, rework simple test into table * refactor into table test * rename test * remove flattenKeys and add other test fixture * Update command/agent/config/config.go Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * return the decode error instead of swallowing it * Update command/agent/config/config_test.go Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * go mod tidy * change error checking style * Add agent template doc * TemplateServer: render secrets with Consul Template (#7621) * add template config parsing, but it's wrong b/c it's not using mapstructure * parsing consul templates in agent config * add additional test to configuration parsing, to cover basics * another test fixture, rework simple test into table * refactor into table test * rename test * remove flattenKeys and add other test fixture * add template package * WIP: add runner * fix panic, actually copy templates, etc * rework how the config.Vault is created and enable reading from the environment * this was supposed to be a part of the prior commit * move/add methods to testhelpers for converting some values to pointers * use new methods in testhelpers * add an unblock channel to block agent until a template has been rendered * add note * unblock if there are no templates * cleanups * go mod tidy * remove dead code * simple test to starT * add simple, empty templates test * Update package doc, error logs, and add missing close() on channel * update code comment to be clear what I'm referring to * have template.NewServer return a (<- chan) type, even though it's a normal chan, as a better practice to enforce reading only * Update command/agent.go Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com> * update with test * Add README and doc.go to the command/agent directory (#7503) * Add README and doc.go to the command/agent directory * Add link to website * address feedback for agent.go * updated with feedback from Calvin * Rework template.Server to export the unblock channel, and remove it from the NewServer function * apply feedback from Nick * fix/restructure rendering test * Add pointerutil package for converting types to their pointers * Remove pointer helper methods; use sdk/helper/pointerutil instead * update newRunnerConfig to use pointerutil and empty strings * only wait for unblock if template server is initialized * drain the token channel in this test * conditionally send on channel
5.8 KiB
layout, page_title, sidebar_title, sidebar_current, description
| layout | page_title | sidebar_title | sidebar_current | description |
|---|---|---|---|---|
| docs | Vault Agent | Vault Agent | docs-agent | Vault Agent is a client-side daemon that can be used to perform some Vault functionality automatically. |
Vault Agent
Vault Agent is a client daemon that provides the following features:
- Auto-Auth - Automatically authenticate to Vault and manage the token renewal process for locally-retrieved dynamic secrets.
- Caching - Allows client-side caching of responses containing newly created tokens and responses containing leased secrets generated off of these newly created tokens.
To get help, run:
$ vault agent -h
Auto-Auth
Vault Agent allows for easy authentication to Vault in a wide variety of environments. Please see the Auto-Auth docs for information.
Auto-Auth functionality takes place within an auto_auth configuration stanza.
Caching
Vault Agent allows client-side caching of responses containing newly created tokens and responses containing leased secrets generated off of these newly created tokens. Please see the Caching docs for information.
Configuration
These are the currently-available general configuration option:
-
vault(vault: <optional>) - Specifies the remote Vault server the Agent connects to. -
auto_auth(auto_auth: <optional>) - Specifies the method and other options used for Auto-Auth functionality. -
cache(cache: <optional>) - Specifies options used for Caching functionality. -
listener(listener: <optional>) - Specifies the addresses and ports on which the Agent will respond to requests. -
pid_file(string: "")- Path to the file in which the agent's Process ID (PID) should be stored -
exit_after_auth(bool: false)- If set totrue, the agent will exit with code0after a single successful auth, where success means that a token was retrieved and all sinks successfully wrote it -
template([template][template`]: <optional>) - Specifies options used for templating Vault secrets to files.
vault Stanza
There can at most be one top level vault block and it has the following
configuration entries:
-
address (string: optional)- The address of the Vault server. This should be a complete URL such ashttps://127.0.0.1:8200. This value can be overridden by setting theVAULT_ADDRenvironment variable. -
ca_cert (string: optional)- Path on the local disk to a single PEM-encoded CA certificate to verify the Vault server's SSL certificate. This value can be overridden by setting theVAULT_CACERTenvironment variable. -
ca_path (string: optional)- Path on the local disk to a directory of PEM-encoded CA certificates to verify the Vault server's SSL certificate. This value can be overridden by setting theVAULT_CAPATHenvironment variable. -
client_cert (string: option)- Path on the local disk to a single PEM-encoded CA certificate to use for TLS authentication to the Vault server. This value can be overridden by setting theVAULT_CLIENT_CERTenvironment variable. -
client_key (string: option)- Path on the local disk to a single PEM-encoded private key matching the client certificate fromclient_cert. This value can be overridden by setting theVAULT_CLIENT_KEYenvironment variable. -
tls_skip_verify (string: optional)- Disable verification of TLS certificates. Using this option is highly discouraged as it decreases the security of data transmissions to and from the Vault server. This value can be overridden by setting theVAULT_SKIP_VERIFYenvironment variable.
listener Stanza
Agent supports one or more listener stanzas. In addition to the standard listener configuration, an Agent's listener configuration also supports an additional optional entry:
require_request_header (bool: false)- Require that all incoming HTTP requests on this listener must have anX-Vault-Request: trueheader entry. Using this option offers an additional layer of protection from Service Side Request Forgery attacks. Requests on the listener that do not have the properX-Vault-Requestheader will fail, with a HTTP response status code of412: Precondition Failed.
Example Configuration
An example configuration, with very contrived values, follows:
pid_file = "./pidfile"
vault {
address = "https://127.0.0.1:8200"
}
auto_auth {
method "aws" {
mount_path = "auth/aws-subaccount"
config = {
type = "iam"
role = "foobar"
}
}
sink "file" {
config = {
path = "/tmp/file-foo"
}
}
sink "file" {
wrap_ttl = "5m"
aad_env_var = "TEST_AAD_ENV"
dh_type = "curve25519"
dh_path = "/tmp/file-foo-dhpath2"
config = {
path = "/tmp/file-bar"
}
}
}
cache {
use_auto_auth_token = true
}
listener "unix" {
address = "/path/to/socket"
tls_disable = true
}
listener "tcp" {
address = "127.0.0.1:8100"
tls_disable = true
}
template {
source = "/etc/vault/server.key.ctmpl"
destination = "/etc/vault/server.key"
}
template {
source = "/etc/vault/server.crt.ctmpl"
destination = "/etc/vault/server.crt"
}