consul-template icon indicating copy to clipboard operation
consul-template copied to clipboard

Published 20 hours ago verified publisher icon hashicorp

consul-template overrides CONSUL_HTTP_SSL env variable in exec

Open sirmax123 opened this issue 7 years ago • 3 comments

Consul Template version

consul-template -v
consul-template v0.19.0 (33b34b3)

Configuration

server> CONSUL_HTTP_SSL=true consul-template -once -template f.ctpl:res.ctp  -exec "env" | grep "CONSUL_HTTP_SSL"
CONSUL_HTTP_SSL=true
CONSUL_HTTP_SSL=false
CONSUL_HTTP_SSL_VERIFY=true

f.ctpl is empty file (no need to render)

Expected behavior

According to doc: https://github.com/hashicorp/consul-template#command-environment I see: These environment variables are exported with their current values

So I expect CONSUL_HTTP_SSL is NOT changed if it is already set

Actual behavior

CONSUL_HTTP_SSL was chaned from true to false

Additional info

I use consul-template running another consul templtae:

export CONSUL_ADDRESS=server:443
export CONSUL_HTTP_SSL=true

 consul-template -once -template file.ctpl:config.conf  -exec "some-script.sh"

and some-script.sh called consul-template to render another configs and failed because trying to use http instead of https Output of inner consul-template call looks like:

10 [WARN] (view) kv.block(some-block): Get http://consul-server:443/v1/kv/...

sirmax123 avatar Feb 07 '18 15:02 sirmax123

It looks like the 2 SSL environment variables are set every time based on the configuration options.

[~]grep CONSUL_HTTP_SSL runner.go
    m["CONSUL_HTTP_SSL"] = strconv.FormatBool(config.BoolVal(r.config.Consul.SSL.Enabled))
    m["CONSUL_HTTP_SSL_VERIFY"] = strconv.FormatBool(config.BoolVal(r.config.Consul.SSL.Verify))

So if you set them in the a config file...

consul {          
    ssl {
        enabled = true
        verify = false
    }
}

You will get the set output. Without setting the options has you get the defaults values.

Without config...

[~]env consul-template -once -template f.ctpl:res.ctp -exec "env" | grep CONSUL
CONSUL_HTTP_SSL=false
CONSUL_HTTP_SSL_VERIFY=true

With config...

[~]consul-template -once -template f.ctpl:res.ctp -exec "env" | grep CONSUL
CONSUL_HTTP_SSL_VERIFY=true
CONSUL_HTTP_SSL=false

eikenb avatar Jun 13 '19 04:06 eikenb

So this is either a documentation issue and that should be clarified in that section or the behavior should change to have the defaults reflect existing environmental setting if present.

I'm leaning towards just fixing the documentation as that wouldn't change behavior. But if anyone wants to argue the case for the altered behavior, I'll be happy to listen.

eikenb avatar Jun 13 '19 04:06 eikenb

I'd argue the behaviour should be altered so either all CONSUL_ variables are reflected in the defaults or none of them are (as CONSUL_ADDR does seem to be passed through)

jsw1993 avatar May 25 '22 12:05 jsw1993