b2b25be0ce
* agent/template: add default_lease_duration config * go mod tidy * Add changelog * Fix panic * Add documentation * Change to static_secret_render_interval * Update doc * Update command/agent/template/template.go Co-authored-by: Theron Voran <tvoran@users.noreply.github.com> * Update changelog/11934.txt Co-authored-by: Theron Voran <tvoran@users.noreply.github.com> * Update website/content/docs/agent/template-config.mdx Co-authored-by: Theron Voran <tvoran@users.noreply.github.com> Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
60 lines
2.6 KiB
Plaintext
60 lines
2.6 KiB
Plaintext
---
|
|
layout: docs
|
|
page_title: Vault Agent Template Config
|
|
description: |-
|
|
Vault Agent's Template Config to set Templating Engine behavior
|
|
---
|
|
|
|
# Vault Agent Template Config
|
|
|
|
Template Config configures Vault Agent behavior common to all `template` stanzas.
|
|
|
|
For template-specific rendering configuration, refer to the parameters within the
|
|
[`template`](/docs/agent/template) stanza.
|
|
|
|
## Functionality
|
|
|
|
The `template_config` stanza configures overall default behavior for the
|
|
templating engine. Note that `template_config` can only be defined once, and is
|
|
different from the `template` stanza. Unlike `template` which focuses on where
|
|
and how a specific secret is rendered, `template_config` contains parameters
|
|
affecting how the templating engine as a whole behaves and its interaction with
|
|
the rest of Agent. This includes, but is not limited to, program exit behavior.
|
|
Other parameters that apply to the templating engine as a whole may be added
|
|
over time.
|
|
|
|
### Interaction between `exit_on_retry_failure` and `error_on_missing_key`
|
|
|
|
The parameter
|
|
[`error_on_missing_key`](/docs/agent/template#error_on_missing_key) can be
|
|
specified within the `template` stanza which determines if a template should
|
|
error when a key is missing in the secret. When `error_on_missing_key` is not
|
|
specified or set to `false` and the key to render is not in the secret's
|
|
response, the templating engine will ignore it (or render `"<no value>"`) and
|
|
continue on with its rendering.
|
|
|
|
If the desire is to have Agent fail and exit on a missing key, both
|
|
`template.error_on_missing_key` and `template_config.exit_on_retry_failure` must
|
|
be set to true. Otherwise, the templating engine will error and render to its
|
|
destination, but agent will not exit and will retry until the key exists or until
|
|
the process is terminated.
|
|
|
|
Note that a missing key from a secret's response is different from a missing or
|
|
non-existent secret. The templating engine will always error if a secret is
|
|
missing, but will only error for a missing key if `error_on_missing_key` is set.
|
|
Whether Vault Agent will exit when the templating engine errors depends on the
|
|
value of `exit_on_retry_failure`.
|
|
|
|
## Configuration
|
|
|
|
The top level `template_config` block has the following configuration entries:
|
|
|
|
- `exit_on_retry_failure` `(bool: false)` - This option configures Vault Agent
|
|
to exit after it has exhausted its number of template retry attempts due to
|
|
failures.
|
|
|
|
- `static_secret_render_interval` `(string or integer: 5m)` - If specified, configures
|
|
how often Vault Agent Template should render non-leased secrets such as KV v2.
|
|
This setting will not change how often Vault Agent Templating renders leased
|
|
secrets.
|