Consul template does not appear to support writing vault kv path specific metadata
Consul Template version
consul-template v0.29.0 ()
Configuration
{{ secret "kv/metadata/example/path" "max_versions=1" }}
Command
consul-template --log-level debug --once --dry --template ver.tpl
Debug output
2022-07-08T20:07:01.554-0500 [DEBUG] (runner) missing dependency: vault.write(kv/metadata/example/path -> f86bd526)
2022-07-08T20:07:01.554-0500 [DEBUG] (runner) add used dependency vault.write(kv/metadata/example/path -> f86bd526) to missing since isLeader but do not have a watcher
2022-07-08T20:07:01.554-0500 [DEBUG] (runner) was not watching 1 dependencies
2022-07-08T20:07:01.554-0500 [DEBUG] (watcher) adding vault.write(kv/metadata/example/path -> f86bd526)
2022-07-08T20:07:01.554-0500 [DEBUG] (runner) diffing and updating dependencies
2022-07-08T20:07:01.554-0500 [DEBUG] (runner) watching 2 dependencies
2022-07-08T20:07:03.678-0500 [WARN] (view) vault.write(kv/metadata/example/path -> f86bd526): no secret exists at kv/metadata/example/path (retry attempt 1 after "250ms")
<...snip...>
Expected behavior
Allow setting KV path-specific metadata, such as max_versions of a kv path.
Actual behavior
It reports that no secret exists at this path, even though one does.
Steps to reproduce
Comparison using the vault CLI:
# Vault read at that path is possible:
> vault read kv/metadata/example/path
Key Value
--- -----
cas_required false
created_time 2022-07-07T23:22:58.966547179Z
current_version 2
delete_version_after 0s
max_versions 0
oldest_version 0
updated_time 2022-07-08T01:55:01.577554655Z
versions map[1:map[created_time:2022-07-07T23:22:58.966547179Z deletion_time: destroyed:false] 2:map[created_time:2022-07-08T01:55:01.577554655Z deletion_time: destroyed:false]]
# Vault write at that path is possible:
> vault write kv/metadata/example/path max_versions=1
Success! Data written to: kv/metadata/example/path
# Verify that max_versions has been updated:
> vault read kv/metadata/example/path
Key Value
--- -----
cas_required false
created_time 2022-07-07T23:22:58.966547179Z
current_version 2
delete_version_after 0s
max_versions 1
oldest_version 0
updated_time 2022-07-08T01:55:01.577554655Z
versions map[1:map[created_time:2022-07-07T23:22:58.966547179Z deletion_time: destroyed:false] 2:map[created_time:2022-07-08T01:55:01.577554655Z deletion_time: destroyed:false]]
References
Vault KV write support was fixed up here for the "data" aspect of a kv path, but it appears that the "metadata" aspect was not fixed up as well:
- https://github.com/hashicorp/consul-template/issues/1252
Hey @johnalotoski, thanks for filing this.
The secret template function wraps the KV2 API endpoints for reading and writing (/secret/data/:path). The metadata is written via a separate KV configuration API call (/secret/config). While I think it'd be possible to override secret with yet another behavior, I'd prefer to keep that separate.
Basically I think this is a feature request to add a new template function to configure the KV engine (and maybe other engines?).
Hi @eikenb. KV metadata can be set with global config defaults, but each KV path can also have its own configured metadata. For my use case, a new template function feature providing global scope KV config is not what I'm looking for (although in the future I might use that). I'm looking to selectively configure (write) KV path metadata which would override the global metadata config defaults.
Read support for KV path specific metadata was already added due to this issue and related PR. It's just the write support that seems to be lacking AFAICT.
The /secret/config API you mention for metadata write is for KV metadata global config.
What this issue is looking for is path-specific metadata write capability using the POST /secret/metadata/:path API (doc here).
Presumably the read/write support for kv selective metadata would come from the same pattern, and since the read support is already functional in this template pattern, this would seem like an intuitive place for the write support to go as well.
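As an added illustration of the endpoint split discussed above (the `secret` function wrapping `data/:path`, mount-wide defaults under `config`, and per-path settings under `metadata/:path`), the following Python is example code written for this page, not code from consul-template or from either participant. It assumes a KV v2 mount named `kv`; `kv2_request`, `parse_vault_read`, `max_versions_applied` and the sample `vault read` output are all constructed for the example.

```python
import json
from typing import Any, Dict, Tuple

# Three distinct KV v2 write endpoints under one mount (assumed here to be "kv"):
#   data/<path>     -> what consul-template's `secret` function wraps
#   metadata/<path> -> per-path settings such as max_versions (this issue)
#   config          -> mount-wide defaults (what /secret/config sets)
def kv2_request(mount: str, kind: str, path: str,
                payload: Dict[str, Any]) -> Tuple[str, str, str]:
    """Return (method, api_path, json_body) for a KV v2 write.

    `kind` is one of "data", "metadata" or "config"."""
    mount = mount.strip("/")
    if kind == "data":
        # Secret contents must be wrapped in a "data" object.
        return "POST", f"/v1/{mount}/data/{path}", json.dumps({"data": payload})
    if kind == "metadata":
        # Per-path settings are sent as-is; there is no "data" wrapper.
        return "POST", f"/v1/{mount}/metadata/{path}", json.dumps(payload)
    if kind == "config":
        # Mount-level defaults; the secret path does not apply.
        return "POST", f"/v1/{mount}/config", json.dumps(payload)
    raise ValueError(f"unknown KV v2 write kind: {kind!r}")

def parse_vault_read(output: str) -> Dict[str, str]:
    """Parse the two-column table printed by `vault read` into a dict.

    Values may themselves contain spaces (the `versions` map), so split once."""
    fields: Dict[str, str] = {}
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("---") or line.startswith("Key "):
            continue
        parts = line.split(None, 1)
        fields[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return fields

# Constructed sample: `vault read kv/metadata/example/path` output after
# max_versions was set to 1 (trimmed to the lines this check needs).
SAMPLE_READ = """Key Value
--- -----
cas_required false
current_version 2
max_versions 1
versions map[1:map[destroyed:false] 2:map[destroyed:false]]
"""

def max_versions_applied(read_output: str, expected: int) -> bool:
    """True when the metadata read reports the expected max_versions."""
    return parse_vault_read(read_output).get("max_versions") == str(expected)
```

Checking the metadata read after the write, as `max_versions_applied` does, is the verification step the CLI comparison above performs by hand.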