mirror of
https://github.com/hashicorp/vault.git
synced 2025-08-24 16:11:08 +02:00
* agent: restart template runner on retry for unlimited retries
* template: log error message early
* template: delegate retries back to template if param is set to true
* agent: add and use the new template config stanza
* agent: fix panic, fix existing tests
* changelog: add changelog entry
* agent: add tests for exit_on_retry_failure
* agent: properly check on agent exit cases, add separate tests for missing key vs missing secrets
* agent: add note on difference between missing key vs missing secret
* docs: add docs for template_config
* Update website/content/docs/agent/template-config.mdx
  Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
* Update website/content/docs/agent/template-config.mdx
  Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
* Update website/content/docs/agent/template-config.mdx
  Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
* Update website/content/docs/agent/template-config.mdx
  Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
* Update website/content/docs/agent/template-config.mdx
  Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
* docs: fix exit_on_retry_failure, fix Functionality section
* docs: update interaction title
* template: add internal note on behavior for persist case
* docs: update agent, template, and template-config docs
* docs: update agent docs on retry stanza
* Apply suggestions from code review
  Co-authored-by: Jim Kalafut <jkalafut@hashicorp.com>
  Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
* Update changelog/11775.txt
  Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>
* agent/test: rename expectExit to expectExitFromError
* agent/test: add check on early exits on the happy path
* Update website/content/docs/agent/template-config.mdx
  Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>

Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
Co-authored-by: Jim Kalafut <jkalafut@hashicorp.com>
Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>
55 lines
2.4 KiB
Plaintext
---
layout: docs
page_title: Vault Agent Template Config
description: |-
  Vault Agent's Template Config to set Templating Engine behavior
---

# Vault Agent Template Config

Template Config configures Vault Agent behavior common to all `template` stanzas.
For template-specific rendering configuration, refer to the parameters within the
[`template`](/docs/agent/template) stanza.

## Functionality

The `template_config` stanza configures overall default behavior for the
templating engine. Note that `template_config` can only be defined once, and is
different from the `template` stanza. Unlike `template` which focuses on where
and how a specific secret is rendered, `template_config` contains parameters
affecting how the templating engine as a whole behaves and its interaction with
the rest of Agent. This includes, but is not limited to, program exit behavior.
Other parameters that apply to the templating engine as a whole may be added
over time.

### Interaction between `exit_on_retry_failure` and `error_on_missing_key`

The [`error_on_missing_key`](/docs/agent/template#error_on_missing_key)
parameter can be specified within the `template` stanza and determines whether a
template should error when a key is missing in the secret. When
`error_on_missing_key` is not specified or set to `false` and the key to render
is not in the secret's response, the templating engine will ignore it (or render
`"<no value>"`) and continue with its rendering.

If the desire is to have Agent fail and exit on a missing key, both
`template.error_on_missing_key` and `template_config.exit_on_retry_failure` must
be set to `true`. Otherwise, the templating engine will error and render to its
destination, but Agent will not exit and will retry until the key exists or until
the process is terminated.

Note that a missing key from a secret's response is different from a missing or
non-existent secret. The templating engine will always error if a secret is
missing, but will only error for a missing key if `error_on_missing_key` is set.
Whether Vault Agent will exit when the templating engine errors depends on the
value of `exit_on_retry_failure`.

## Configuration

The top-level `template_config` block has the following configuration entries:

- `exit_on_retry_failure` `(bool: false)` - This option configures Vault Agent
  to exit after it has exhausted its number of template retry attempts due to
  failures.
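
An Agent configuration that fails and exits on a missing key, combining the two parameters discussed in the interaction section above. This is an added example, not taken from the Vault documentation or repository; the Vault address, AppRole file paths, secret path, destination path, and retry count are constructed placeholders.

```hcl
# Constructed example: address, paths, and retry count are placeholders.

vault {
  address = "https://vault.example.internal:8200"

  # Retry attempts for failing requests (arbitrary value chosen for illustration).
  retry {
    num_retries = 5
  }
}

auto_auth {
  method "approle" {
    config = {
      role_id_file_path   = "/etc/vault-agent/role_id"
      secret_id_file_path = "/etc/vault-agent/secret_id"
    }
  }
}

# Defined once; applies to the templating engine as a whole.
template_config {
  # Exit once template retry attempts are exhausted instead of retrying
  # until the process is terminated.
  exit_on_retry_failure = true
}

template {
  contents = <<EOT
{{ with secret "secret/data/app/db" }}DB_PASSWORD={{ .Data.data.password }}{{ end }}
EOT
  destination = "/etc/app/db.env"

  # Per-template setting. When unset or false, a missing "password" key is
  # ignored or rendered as "<no value>" and rendering continues.
  error_on_missing_key = true
}
```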