Consul-template: Consul-template tries to renew Vault token even if not configured to use Vault

Created on 16 Feb 2017  路  5Comments  路  Source: hashicorp/consul-template

Consul Template version

$ consul-template -v
consul-template v0.18.1 (9c62737)

Configuration

{{ range nodes }}
<tr>
  <td>{{ .Node }}</td>
  <td>{{ index .Meta "team" }}</td>
  <td>{{ index .Meta "contact" }}</td>
</tr>{{ end }}

Command

$ consul-template.exe -template test.ctmpl:output.html

Debug output

https://gist.github.com/carlpett/8d4b4cfb274fe3b68b2c4628cb74d55b

Expected behavior

Consul-template renders the file and stays alive to render any changes

Actual behavior

The first render of the output completes, but then Consul-template exits with exit code 14 after ~15 seconds of retries to renew a Vault token.

There is no $VAULT_TOKEN set, so it shouldn't think it needs to renew one based on that. Looking at the generated config from the logs, it even has Vault as disabled:

  "Vault": {
    "Address": "",
    "Enabled": false,
    "RenewToken": true,
    "Retry": {
      "Attempts": 5,
      "Backoff": 250000000,
      "Enabled": true
    },

If running with -once, this does not happen, and everything goes as expected.

bug

Most helpful comment

Hi @carlpett

Can you please verify there is no VAULT_TOKEN envvar set and that no token exists at ~/.vault-token? I just tried this myself and cannot reproduce. You can check by running:

$ env

and

$ test -f ~/.vault-token

All 5 comments

Hi @carlpett

Can you please verify there is no VAULT_TOKEN envvar set and that no token exists at ~/.vault-token? I just tried this myself and cannot reproduce. You can check by running:

$ env

and

$ test -f ~/.vault-token

Ah. I had already checked for $VAULT_TOKEN, but I didn't think about ~/.vault-token. I do have one.
Still, as I haven't enabled Vault, I wouldn't expect it to look for the token in the first place (and especially when I can read from the log output that Consul-template considers Vault disabled)?

Hi @carlpett

Consul Template automatically enables Vault if it detects the VAULT_TOKEN environment variable or the ~/.vault-token file.

The fact that it considers Vault enabled is intriguing to me. I will try to fix this soon, but it looks like you're unblocked for now, right?

Yup, now that I understood it all is well :)
Having a suitable log entry might be enough to remove confusion at least, but since this actually exits Consul-Template I'd argue that a stronger opt-in from the user might make for a better UX? Or at least make disabling it possible.
In this case it was merely a debug-token that I could simply remove, but I'm not sure that there isn't a case where I would want to keep my .vault-token but not have it exit my templates.

I'm going to document this in the README, but we don't really have a good way to pass information into the config files right now. This is also the pattern that all the Vault tooling takes; the Vault stdlib will do this, so we'd have to hijack that and try to interpret what it's doing.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

ross picture ross  路  6Comments

mafonso picture mafonso  路  4Comments

waterdudu picture waterdudu  路  5Comments

marcelki picture marcelki  路  4Comments

bryanlarsen picture bryanlarsen  路  8Comments