agent/auto-auth: add exit_on_err configurable #17091
Conversation
What's the motivation/use case here? And can you clarify in the docs that this applies not just to initial auth, but also any re-auth that occurs once renewal is no longer possible, either due to a renewal failure or the token TTL being reached?

The motivation here is that auto-auth will continually try to auth indefinitely, even if there's a misconfiguration (role doesn't exist) or the Vault server isn't online. I will update the doc with more information as well, good call out.

@ncabatoff Updated the doc. Thanks for the suggestion!
LGTM
Support was added in the Vault agent in hashicorp/vault#17091. Additionally, I tested this on a cluster by adding the `vault.hashicorp.com/agent-auto-auth-exit-on-err: "true"` annotation on a pod, and observing that the agent configuration was:

```json
{
  "auto_auth": {
    "method": {
      "type": "kubernetes",
      "mount_path": "auth/kubernetes",
      "config": {
        "role": "internal-app",
        "token_path": "/var/run/secrets/kubernetes.io/serviceaccount/token"
      },
      "exit_on_err": true
    }...
```
When Agent's auto-auth encounters a problem it will retry indefinitely, regardless of the error. This configurable allows users to specify if Vault should exit on auto-auth error, similar to `exit_on_err` in the caching engine: https://www.vaultproject.io/docs/agent/caching#exit_on_err. At the moment this will exit on any error, but I'm open to only exiting on some errors (such as 400 errors).
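As an added example (not code from the PR or from the Vault project's own documentation), the following Vault Agent HCL configuration shows where `exit_on_err` sits: inside the `auto_auth` `method` block, alongside the same kubernetes mount path, role and token path that appear in the JSON dump above. The Vault address and the file sink path are assumed values.

```hcl
# Added example; not from the PR. The address and sink path are assumptions.
vault {
  address = "https://vault.example.com:8200"   # assumed address
}

auto_auth {
  method "kubernetes" {
    mount_path = "auth/kubernetes"
    config = {
      role       = "internal-app"
      token_path = "/var/run/secrets/kubernetes.io/serviceaccount/token"
    }
    # Default behaviour is to retry authentication forever, which hides a
    # missing role or an unreachable server. With exit_on_err the agent
    # process exits instead, so the failure becomes visible to whatever
    # supervises it (kubelet, systemd) rather than looping silently.
    exit_on_err = true
  }

  sink "file" {
    config = {
      path = "/home/vault/.vault-token"   # assumed sink path
    }
  }
}
```

Whether the agent should exit on every auto-auth error or only on a subset (such as the 400-class errors the description mentions) is still an open point in the PR; the setting above takes the all-errors behaviour as it stands.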