secretOrDefault #942
Comments
According to https://golang.org/pkg/text/template/, there's not only |
Thanks for the advice; unfortunately it doesn't seem to help. Even with an
...and the file is not rendered, rather than being rendered with the contents of the I believe the issue is that |
Hi there, This is a quasi-duplicate of #776. If you are reading a secret, you expect the secret to exist. We consider a missing secret to be an error. |
Hello. I agree that this is similar to #776 (I read that one before I contemplated opening a ticket), but I disagree that the answer should be the same, or even that many of the same considerations apply. The However, Can you explain why you consider a nonexistent secret to be a fatal error, and more to the point, why you're not willing to add a mechanism that would allow a user to explicitly indicate that in a particular case, a nonexistent secret is not an error? Do you consider a nonexistent consul key to be an error? If so, why is there a Thanks,
|
@sethvargo But clearly people are asking for it and have workflows where this would not be considered an error. |
Hello, @sethvargo. Can we reopen this ticket please? As I indicate in my message from May (and as I continue to believe), this request is substantially different from the request |
+1 for this |
Not promising anything, but I'm going to re-open this so I can look into it. |
That was one heck of a necrobump. Looking forward to this! |
How do you all envisage the calling convention for this function to look like? The hard part is how to specify the default value, since The best I could come up with is:
But this also raises the question, should the default map be merged with the result? e.g. if
Finally, would this helper also cover the use case of permission denied as well as missing values? |
I think a reasonable implementation might be to accept an even-numbered list of key-value pairs that are populated into sub-fields of
|
@pdbogen |
Yep, that's a great point. It doesn't seem like A slightly more radical proposal might be something like:
where (But my preference would be to not have write semantics for |
(which I see now is largely what you had previously suggested! so yeah, I think if we want to keep write semantics, that would be the best option.) As for
I do not think it should.
I think we can leave it up to the users at this point to decide how to stream in structured data.
Yes, I think it should. There's some set of errors it maybe shouldn't cover, which we know are transient errors (probably we wouldn't want the template rendering to flip back and forth), but I'm not sure how easy it is to distinguish those. (HTTP 4xx vs 5xx might be enough?) |
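The fallback rule discussed in this thread (use the default for a missing or permission-denied path, but fail on what may be a transient error, split on HTTP 4xx vs 5xx), sketched in Go as an added example. It is not consul-template code: `StatusError`, `Reader`, `readOrDefault` and `fakeVault` are hypothetical names, and the paths and values are constructed sample data.

```go
package main

import (
	"errors"
	"fmt"
)

// StatusError is a hypothetical error carrying the HTTP status of a failed
// secret read; it is not a consul-template or Vault API type.
type StatusError struct{ Code int }

func (e *StatusError) Error() string { return fmt.Sprintf("secret read failed: HTTP %d", e.Code) }

// Reader is a hypothetical stand-in for whatever fetches a secret.
type Reader func(path string) (map[string]string, error)

// readOrDefault returns def only for 4xx errors (missing path, permission
// denied). 5xx and status-less errors are returned, so an outage never
// silently renders the default. The bool reports that def was used.
func readOrDefault(read Reader, path string, def map[string]string) (map[string]string, bool, error) {
	data, err := read(path)
	if err == nil {
		return data, false, nil
	}
	var se *StatusError
	if errors.As(err, &se) && se.Code >= 400 && se.Code < 500 {
		return def, true, nil
	}
	return nil, false, err
}

// fakeVault is constructed sample data: readable, denied, failing, missing.
func fakeVault(path string) (map[string]string, error) {
	switch path {
	case "secret/app/db":
		return map[string]string{"password": "from-vault"}, nil
	case "secret/ops/root":
		return nil, &StatusError{Code: 403}
	case "secret/flaky":
		return nil, &StatusError{Code: 503}
	}
	return nil, &StatusError{Code: 404}
}

func main() {
	def := map[string]string{"password": ""}
	for _, p := range []string{"secret/app/db", "secret/missing", "secret/ops/root", "secret/flaky"} {
		data, usedDefault, err := readOrDefault(fakeVault, p, def)
		fmt.Printf("%-16s default=%-5v err=%v data=%v\n", p, usedDefault, err, data)
	}
}
```

The returned flag lets a caller log every fallback, so a 403 caused by a wrong policy shows up in logs instead of passing as an intentionally absent secret.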
to expand more on merging, etc; missing keys in |
Also in need of this feature, following! |
@tommyalatalo, thanks for adding your 👍 to the top issue post. |
With Go 1.18's introducing lazy evaluation of the So I propose changing this feature request to |
@eikenb I believe there would be some downsides to the |
Well.. we have the choice of having something like this and not using it with those endpoints with side effects or not having it. There are no ways to tell which secret paths will end up with side effects (depends on the secret engine) as querying them has the side effect. IMO if we need this (secretExists or secretOrDefault) we will have to accept that if you use it with a path with side effects, you'll get those side effects. That is there is no way to tell this universally without just reading the docs, which would be on the user. If anyone has an idea for how to differentiate (I'm not a Vault expert) between the side-effect paths and not please let me know and I'll consider it. Otherwise it is decision time. Is it worth this feature to have bugs around using it with side-effecting paths? We'd mention it in the docs of course. Thanks for any input! |
That's a good point, there is no way to guarantee that there are no side effects because that's not really a part of any "contract" made by the APIs. Just one example is https://www.vaultproject.io/api-docs/secret/consul#generate-credential , maybe it's even a requirement that there are side effects when by nature some of the secrets are short-lived and created during call time. I'd give my vote for Sorry it took so long to reply! |
@pdbogen, @vaidik, @bbriggs, @altosys ... sorry for the direct pings but I'm looking to get feedback on this. If you have any thoughts on my last question please let me know. Thanks! |
@eikenb no worries, and thanks for taking a look at this after so long. In our environment, we don't use mounts that have side effects. So for us, it's a non-issue. I continue to think that side effects being triggered by I would not expect (So, ((amendment: to clarify our use case, for context: we have separation of duties between the folks that maintain vault (interact with it directly, configure mounts, and write secrets & policies); from those folks that write consul-template to read from vault. So we from time to time run into situations where the template owners write unsatisfiable templates, e.g., due to requests for secrets that are mis-typed or where the request to create them hasn't been actioned yet- it's really hard for us to fail gracefully in this situation, and |
Another use case which we had was that it would have made moving secrets around a lot easier, as during the process of migrating secrets from one place to another one could have supported the same secret from two different paths and picked the preferred one if it already existed for the environment. All kinds of small maintenance/refactoring tasks could be made easier through this :). |
Any plan to add this feature? |
secret, for the case of (for example) a generic secret, blocks rendering of the template when the requested path does not exist, as in this case:
This produces the consul error (on latest git):
It would be helpful for my purposes if there was the equivalent of keyOrDefault for secret that would let me emit a blank string and continue rendering the template.