$ consul-template -v
consul-template v0.18.1 (9c62737)
{{ range nodes }}
<tr>
<td>{{ .Node }}</td>
<td>{{ index .Meta "team" }}</td>
<td>{{ index .Meta "contact" }}</td>
</tr>{{ end }}
$ consul-template.exe -template test.ctmpl:output.html
https://gist.github.com/carlpett/8d4b4cfb274fe3b68b2c4628cb74d55b
Consul-template renders the file and stays alive to render any changes
The first render of the output completes, but then Consul-template exits with exit code 14 after ~15 seconds of retries to renew a Vault token.
There is no $VAULT_TOKEN set, so it shouldn't think it needs to renew one based on that. Looking at the generated config from the logs, it even has Vault as disabled:
"Vault": {
"Address": "",
"Enabled": false,
"RenewToken": true,
"Retry": {
"Attempts": 5,
"Backoff": 250000000,
"Enabled": true
},
If running with -once, this does not happen, and everything goes as expected.
Hi @carlpett
Can you please verify there is no VAULT_TOKEN envvar set and that no token exists at ~/.vault-token? I just tried this myself and cannot reproduce. You can check by running:
$ env
and
$ test -f ~/.vault-token
Ah. I had already checked for $VAULT_TOKEN, but I didn't think about ~/.vault-token. I do have one.
Still, as I haven't enabled Vault, I wouldn't expect it to look for the token in the first place (and especially when I can read from the log output that Consul-template considers Vault disabled)?
Hi @carlpett
Consul Template automatically enables Vault if it detects the VAULT_TOKEN environment variable or the ~/.vault-token file.
The fact that it considers Vault enabled is intriguing to me. I will try to fix this soon, but it looks like you're unblocked for now, right?
Yup, now that I understood it all is well :)
Having a suitable log entry might be enough to remove confusion at least, but since this actually exits Consul-Template I'd argue that a stronger opt-in from the user might make for a better UX? Or at least make disabling it possible.
In this case it was merely a debug-token that I could simply remove, but I'm not sure that there isn't a case where I would want to keep my .vault-token but not have it exit my templates.
I'm going to document this in the README, but we don't really have a good way to pass information into the config files right now. This is also the pattern that all the Vault tooling takes; the Vault stdlib will do this, so we'd have to hijack that and try to interpret what it's doing.
Most helpful comment
Hi @carlpett
Can you please verify there is no
VAULT_TOKENenvvar set and that no token exists at~/.vault-token? I just tried this myself and cannot reproduce. You can check by running:and