agent does not respect kv ttl #8287
Comments
Hello! The I assume you're using KV version 2 because you mention
I am indeed using v2. So what is the right way to control agent refresh of kv secrets - and therefore template generation - for v1 and for v2?
At this time there is not much control available for KV 2. Vault Agent uses Consul-Template internally to manage the rendered templates, which calculates when to check for updated versions. For secrets that do not have a lease (such as KV version 2), Consul-Template calculates a random time based off of a default duration of 5 minutes, as shown here:
Offering users better control on the refresh rate seems like a reasonable feature, however it would need to be added upstream to Consul Template.
So it is calculated within the template? I didn’t realize that.
Hey @deitch - thank you for offering to contribute here! As far as starting point in consul template, I'm afraid I may not be the best to guide here. Perhaps post an issue on https://github.com/hashicorp/consul-template/issues asking?
I don't see why not. It's true that there is little control offered here, but Consul Template still refreshes on a best effort based on a default duration. Exposing a knob that allows users to customize that duration (or otherwise set a refresh period) seems reasonable, but would first need to be added into Consul Template itself. I'm going to close this issue for now. Thanks again!
Describe the bug
vault agent does not respect a ttl setting in kv secrets
To Reproduce
Steps to reproduce the behavior:
vault kv put secret/foo a=b ttl=30s
vault agent
vault kv patch secret/foo a=q
Expected behavior
Respect the ttl for kv, or have a different method for tweaking it.
Environment:
vault status): 1.3.2
vault version): v1.3.2
Vault server configuration file(s):
Additional context
The docs on kv state that having a key of type ttl creates an implied lease duration, which should be respected by clients. Vault agent should respect that and re-render templates that use those secrets.
I find the ttl a bit odd, as it mixes actual data with metadata, and can lead to accidental overwrite/deletion; ttl is a property of the secret, not a member of it. Even so, agent should respect it.
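The behaviour discussed in this thread, as an added Python example that is not Vault's or Consul-Template's own code: it takes read responses and flags secrets whose ttl data key will not drive the refresh schedule, because the response carries no lease and the 5-minute default applies instead. The sample responses, paths and function names are constructed for illustration, and the random offset Consul-Template applies to the base duration is not modelled.

```python
import re

# Default duration the thread cites for secrets that carry no lease.
DEFAULT_LEASE_SECONDS = 5 * 60
_UNITS = {"s": 1, "m": 60, "h": 3600}

# Constructed responses shaped like Vault's JSON read output (not captured data).
SAMPLES = {
    "kv1/foo": {"lease_duration": 30, "data": {"a": "b", "ttl": "30s"}},
    "kv2/foo": {"lease_duration": 0, "data": {"data": {"a": "b", "ttl": "30s"}, "metadata": {"version": 2}}},
    "kv2/bar": {"lease_duration": 0, "data": {"data": {"a": "b"}, "metadata": {"version": 1}}},
}


def parse_duration(value):
    """Convert '30s', '5m', '1h' or a bare number of seconds to int seconds."""
    match = re.fullmatch(r"(\d+)([smh]?)", str(value).strip())
    if not match:
        raise ValueError(f"unsupported duration: {value!r}")
    return int(match.group(1)) * _UNITS.get(match.group(2), 1)


def embedded_ttl(resp):
    """Return the ttl stored as secret data (v1: data.ttl, v2: data.data.ttl), or None."""
    data = resp.get("data") or {}
    if isinstance(data.get("data"), dict) and "metadata" in data:  # KV v2 envelope
        data = data["data"]
    return parse_duration(data["ttl"]) if "ttl" in data else None


def refresh_base(resp):
    """Duration the refresh schedule starts from: the lease if present, else the default."""
    lease = int(resp.get("lease_duration") or 0)
    return lease if lease > 0 else DEFAULT_LEASE_SECONDS


def audit(responses):
    """List (path, ttl, base) for secrets whose ttl does not drive the refresh schedule."""
    findings = []
    for path, resp in sorted(responses.items()):
        ttl = embedded_ttl(resp)
        if ttl is not None and refresh_base(resp) != ttl:
            findings.append((path, ttl, refresh_base(resp)))
    return findings


if __name__ == "__main__":
    for path, ttl, base in audit(SAMPLES):
        print(f"{path}: ttl={ttl}s in data, refresh based on {base}s")
```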