Allow ACL tokens to be "Reloadable Configuration" #7663
Comments
I ended up coming to the same conclusion. We are trying to explain why consul-template isn't renewing consul tokens and this seemed like the most logical reason given the information in the docs. Now we have to look elsewhere for the cause of the problem. That is good to hear. Can this issue address updating the docs or do I need to create an issue somewhere else?
Hi @jsmilani We'll go ahead and use this issue to track the documentation updates. Thank you for reporting it.
There seems to be a contradiction in the Vault best practices when using the Consul Secrets Engine and the fact that Consul doesn't allow reloading of tokens (https://www.consul.io/docs/agent/options.html#reloadable-configuration). Since you cannot just trigger a reload, you must restart the Consul process. Restarts of a consul server on an HA cluster may not be that bad, but restarts of clients running on individual hosts where there is only one instance cause momentary outages.
Feature Description
We request that all the tokens in the ACL section of the config be part of Reloadable Configuration.
Use Case(s)
We have compliance requirements to rotate passwords and tokens periodically, and Vault is perfect for that. The problem is that when implementing a rotating Consul token, the tokens don't get reloaded with the HUP signal, so Consul must be restarted, which causes short downtime when using it for service discovery or as a KV datastore, etc.