vault_agent_token_file should not disable renew_token #1189

Closed
atheiman opened this issue Feb 22, 2019 · 9 comments

@atheiman (Contributor)

Recently in #1182 vault_agent_token_file config was added. This is great and a feature we have been excited for!

However, I don't understand why specifying that the vault token be read from a file other than ~/.vault-token changes whether consul-template renews the vault token.

From the readme, there is a config option for renew_token, can that be honored in combination with vault_agent_token_file?

  # This tells Consul Template to load the Vault token from the contents of a file.
  # If this field is specified:
  # - Consul Template will not try to renew the Vault token.
  # - Consul Template will periodically stat the file and update the token if it has
  # changed.
  # vault_agent_token_file = "/tmp/vault/agent/token"

  # This option tells Consul Template to automatically renew the Vault token
  # given. If you are unfamiliar with Vault's architecture, Vault requires
  # tokens be renewed at some regular interval or they will be revoked. Consul
  # Template will automatically renew the token at half the lease duration of
  # the token. The default value is true, but this option can be disabled if
  # you want to renew the Vault token using an out-of-band process.
  #
  # Note that secrets specified in a template (using {{secret}} for example)
  # are always renewed, even if this option is set to false. This option only
  # applies to the top-level Vault token itself.
  renew_token = true
@joliver commented Mar 6, 2019

Per my understanding, Vault Agent now assumes the responsibility to renew the token and then it will write that token out to the specific file.

That said, it can still be configured so that Vault Agent runs, gets a token, and then exits. In that circumstance, you would write out to a regular vault token file and have renew_token = true.

@atheiman (Contributor, Author) commented Mar 6, 2019

When I read the code at https://github.com/hashicorp/consul-template/blob/master/config/vault.go#L261 I understand it as: if vault_agent_token_file is specified, renew_token is forced to false. I think that line could just be removed and the user is expected to set each config value appropriately.

@primeroz

> However, I don't understand why specifying that the vault token be read from a file other than ~/.vault-token changes whether consul-template renews the vault token.

In my case, with 0.20.0 it is not reading from $HOME/.vault-token anymore (0.19.5 was), so unless the token is exposed as an environment variable there is no way to get consul-template to renew the token.

This is very bad in my use case since I was using it with 0.19.5, which reads the vault token from the home directory, and using https://github.com/sethvargo/vault-kubernetes-authenticator for grabbing the initial token from vault.

I understand the use case when using vault agent mode, but breaking other use cases is not great.

Could we restore the use of the renew-token flag when vault_agent_token_file is set and only default to FALSE rather than enforce it?
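As an added illustration (not consul-template's own code), here is a simplified Go model of the two behaviours discussed in this thread: the forced-false logic atheiman points at in config/vault.go, and the default-instead-of-force behaviour primeroz asks for. The VaultConfig type and the finalizeForced/finalizeProposed functions are assumptions for this sketch; pointer fields are used so that an unset renew_token can be told apart from an explicit false.

```go
package main

import "fmt"

// VaultConfig is a stand-in for the vault config block (assumption: not the
// project's real types). Pointers distinguish "unset" from an explicit value.
type VaultConfig struct {
	VaultAgentTokenFile *string // vault_agent_token_file
	RenewToken          *bool   // renew_token
}

func boolPtr(b bool) *bool    { return &b }
func strPtr(s string) *string { return &s }

func hasAgentFile(c VaultConfig) bool {
	return c.VaultAgentTokenFile != nil && *c.VaultAgentTokenFile != ""
}

// finalizeForced models the behaviour the issue complains about: any
// vault_agent_token_file forces renew_token to false, even when the user
// explicitly set renew_token = true.
func finalizeForced(c VaultConfig) bool {
	if hasAgentFile(c) {
		return false
	}
	if c.RenewToken == nil {
		return true // documented default
	}
	return *c.RenewToken
}

// finalizeProposed models the requested behaviour: an explicit renew_token
// always wins; when it is unset, default to false only if an agent token file
// is configured (Vault Agent renews), otherwise keep the default of true.
func finalizeProposed(c VaultConfig) bool {
	if c.RenewToken != nil {
		return *c.RenewToken
	}
	return !hasAgentFile(c)
}

func main() {
	// Constructed sample: agent token file plus an explicit renew_token = true.
	agent := VaultConfig{VaultAgentTokenFile: strPtr("/tmp/vault/agent/token"), RenewToken: boolPtr(true)}
	fmt.Println("forced:", finalizeForced(agent), "proposed:", finalizeProposed(agent))
}
```

With the proposed rule, a token that Vault Agent only fetches once (the "run, get a token, exit" case joliver describes) can still be renewed by consul-template by setting renew_token = true.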

@eikenb (Contributor) commented Jun 15, 2019

Hey @atheiman, I'm new at Hashi and am just taking over as maintainer for this project. As such this looks like it might be some low-hanging fruit to get into my first release. But I'd like to be sure I understand the desire here... would you say you agree with @primeroz's summary of what is desired?

> Could we restore the use of the renew-token flag when the vault_agent_token_file (is set) and only default to FALSE rather than enforce it ?

Or, if not, could you give a simple statement as to what you would desire the functionality to be?

Thanks.

eikenb added this to the v0.20.1 milestone Jun 15, 2019

@atheiman (Contributor, Author) commented Jun 15, 2019 via email

@eikenb (Contributor) commented Jun 15, 2019

Great. Thanks!

@devlounge

I'm trying to use consul-template as a sidecar with BanzaiCloud bankVaults and indeed, 0.20.0 broke everything.
Any idea when this could be fixed?

@devlounge

Can we have an update please?

@eikenb (Contributor) commented Jul 16, 2019

I'm looking at this now related to #1228, and you can follow my comments there.

TL;DR: I'm probably going to make it so renew_token=true works with vault_agent_token_file and add back ~/.vault-token as a backward compatibility thing.

5 participants