Allow vault agent accept config directory #10369

Closed
derbenevivan opened this issue Nov 10, 2020 · 6 comments

Comments

@derbenevivan

Currently vault agent accepts only a file in the -config argument of the CLI.

Compiling vault-agent configuration from different sources (like multiple ansible roles) can be a pain if we use only a single config file.

Adding a possibility to move multiple template{} stanzas or even sink{} to different files will help manage multiple templates, like it's done, for example, in consul-template.

@aphorise
Contributor

aphorise commented Nov 18, 2020

What should happen in scenarios where there are multiple agent-specific .hcl files at the given path? (i.e. which should it use and why?)

@derbenevivan
Author

@aphorise how is it done in consul-template?
It seems to be something like this:
https://github.com/hashicorp/consul-template/pull/74/files
I imagine that would be a simple merging of all files from the directory into one.
If vault agent doesn't support multiple vault{} stanzas, for instance, that would return exactly the same error as when the single file had multiple vault{} stanzas.

I assume that adding multiple agent-specific vault agent configs to a single folder and at the same time specifying this folder as a config source will be considered a misconfiguration.

As I see it, this will be 100% backwards compatible, because now nobody can specify a folder as a config source, and they won't have any issues if their vault agent is pointing at /path/vault-config.hcl

@rrauenza

rrauenza commented May 3, 2022

Or what if it was done like sudoers?

include_templates = "/etc/vault-agent.d/templates.d/" ?

Each included template could either be required to ... or required not to... have the template { } stanza.

Or supervisor.d, where you give a filespec:

[include]
files = supervisord.d/*.ini

So,

include_templates = "/etc/vault-agent.d/templates.d/*.conf"

(My particular pain point is ansible needing to drop different templates.. the main config can be done as a single different role.)

@aphorise
Contributor

The issue I was actually getting at was clashes, and what should happen in the case of multiple .hcl files with the same scope that, for example, vary only in the vault address used, as is common, for example, when configs may be updated in a new file on the same path to reflect minor changes?

@rjhornsby
Contributor

As far as configuration conflicts, server mode already supports the desired behavior of being able to provide multiple -config args, as does consul. However they're solving it seems reasonable.

Vault - but specifically in agent mode - is the odd one out here it seems.

@peteski22

peteski22 commented Jan 30, 2023

Should now be resolved by #18403
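
The clash raised in this thread (several files in one config directory each carrying a vault{} stanza that differs only in the address) can be caught before deployment. This is an added example, not code from Vault or from any commenter; the singleton list, file names and addresses are assumptions constructed for illustration, and the scanner counts braces line by line rather than fully parsing HCL (heredocs are not handled).

```python
import re
import tempfile
from collections import defaultdict
from pathlib import Path

# Assumption: blocks that may appear only once across the merged directory.
SINGLETON_BLOCKS = {"vault", "auto_auth"}
BLOCK_OPEN = re.compile(r'^\s*([A-Za-z_]\w*)(?:\s+"")*\s*\{')

def top_level_blocks(text):
    """Names of top-level blocks, found by tracking brace depth per line."""
    names, depth = [], 0
    for line in text.splitlines():
        code = re.sub(r'"(?:\\.|[^"\\])*"', '""', line)  # empty out strings
        code = re.split(r"#|//", code, maxsplit=1)[0]     # drop comments
        match = BLOCK_OPEN.match(code)
        if depth == 0 and match:
            names.append(match.group(1))
        depth += code.count("{") - code.count("}")
    return names

def find_clashes(config_dir):
    """Map each singleton block defined more than once to the files defining it."""
    seen = defaultdict(list)
    for path in sorted(Path(config_dir).glob("*.hcl")):
        for name in top_level_blocks(path.read_text()):
            if name in SINGLETON_BLOCKS:
                seen[name].append(path.name)
    return {name: files for name, files in seen.items() if len(files) > 1}

def demo():
    # Constructed sample directory: a main config, a template dropped by
    # another role, and a stale file that still sets a different address.
    samples = {
        "00-main.hcl": 'vault {\n  address = "https://vault-a.example.internal:8200"\n}\n'
                       'auto_auth {\n  method "approle" {\n    mount_path = "auth/approle"\n  }\n}\n',
        "10-app.hcl": 'template {\n  source = "/etc/vault-agent.d/app.ctmpl"\n'
                      '  destination = "/run/app/secret.env"\n}\n',
        "20-stale.hcl": 'vault { address = "https://vault-b.example.internal:8200" }  # leftover\n',
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in samples.items():
            Path(tmp, name).write_text(body)
        return find_clashes(tmp)

if __name__ == "__main__":
    print(demo())
```

Running it as a step in the role that assembles the directory turns an ambiguous Vault address into a failed deployment rather than an agent pointed at the wrong server.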
