Vault secrets engine: Choose to abort config reloads if secrets cannot be resolved #1439
Your checklist for this issue
🚨 Please review the guidelines for contributing to this repository.
Feature Request
When using the Vault secrets engine, if secret placeholders cannot be resolved (invalid secret / Vault unavailable / access denied / other reasons) they are replaced with an empty string.
This can have catastrophic consequences, as a working Jenkins instance can suddenly have all its credentials replaced with empty values if the Vault server is not available (e.g. if there is a temporary connectivity issue).
This behaviour is stopping us adopting Vault as our configuration as code secrets engine.
If we could enable a flag which aborted configuration reloads rather than continuing with the configuration update, this would resolve our problem.
Other suggestions most welcome!
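A sketch of the behaviour this request asks for, added here as an illustration and not taken from the plugin's code: placeholders are resolved first, and a reload that leaves any of them unresolved is aborted so the last known-good configuration stays live. The `${name}` placeholder pattern, the `fail_closed` flag and every function name are assumptions made for the example.

```python
import re

PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")  # assumed ${name} placeholder syntax


class UnresolvedSecrets(Exception):
    """Raised when a reload is aborted because secrets could not be resolved."""

    def __init__(self, names):
        super().__init__("unresolved secrets: " + ", ".join(sorted(names)))
        self.names = set(names)


def resolve(text, lookup, fail_closed):
    """Substitute placeholders via lookup(name); None or an exception means unresolved."""
    missing = set()

    def sub(match):
        name = match.group(1)
        try:
            value = lookup(name)
        except Exception:          # backend unavailable, access denied, ...
            value = None
        if value is None:
            missing.add(name)
            return ""              # the empty-string substitution described in the issue
        return value

    rendered = PLACEHOLDER.sub(sub, text)
    if missing and fail_closed:
        raise UnresolvedSecrets(missing)
    return rendered


def reload_config(active, new_text, lookup, fail_closed=True):
    """Return (configuration that should be live, error or None)."""
    try:
        return resolve(new_text, lookup, fail_closed), None
    except UnresolvedSecrets as err:
        return active, err         # abort: keep the last known-good configuration


# Constructed sample input (hypothetical names and values).
ACTIVE = "password: value-from-last-good-load"
NEW_TEXT = "password: ${jenkins_admin_password}"


def vault_down(name):
    """Hypothetical stand-in for a secrets backend that cannot be reached."""
    raise ConnectionError("vault unreachable")
```

With `fail_closed=False` the reload goes through with an empty password; with the default it returns the previous configuration together with an error naming the unresolved placeholders, which the caller can log or alert on.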