unable to return specific versions of a secret path in kv v2 in template, seems to only return latest version #1350

Closed
caleyg opened this issue Mar 1, 2020 · 2 comments · Fixed by #1354

caleyg commented Mar 1, 2020

Consul Template version

consul-template v0.24.1 (58aa6c6)

Vault version

vault 0.10.4

Configuration

{"consul": {"ssl": [{"ca_cert": "/etc/ssl/certs/ca-certificates.crt"}, {"verify": true}]}, "vault": [{"ssl": [{"ca_cert": "/etc/ssl/certs/ca-certificates.crt"}, {"verify": true}]}, {"renew_token": true}], "exec": {"env": [{"custom": "PATH=$PATH:$PWD"}]}, "template": [{"source": "/etc/some_other_file.yml.ctmpl"}, {"destination": "/etc/some_other_file.yml"}, {"error_on_missing_key": true}, {"command_timeout": "300s"}], "log_level": "debug"}
{"consul": {"ssl": [{"ca_cert": "/etc/ssl/certs/ca-certificates.crt"}, {"verify": true}]}, "vault": [{"ssl": [{"ca_cert": "/etc/ssl/certs/ca-certificates.crt"}, {"verify": true}]}, {"renew_token": true}], "exec": {"env": [{"custom": "PATH=$PATH:$PWD"}]}, "template": [{"source": "/app/index.html.ctmpl"}, {"destination": "/app/index.html"}, {"error_on_missing_key": true}, {"command_timeout": "300s"}], "log_level": "debug"}

Raw Template

{{ $service_name := `foo` }}
{{ $stack_name :=  `bar` }}
{{ $vault_path := ( print "secret_v2/" $stack_name "/" $service_name ) }}
secret4_latest: {{ with secret ( print $vault_path "/secret4" ) }} {{ range $k, $v := .Data.data }} {{ $v }} {{ end }}{{ end }}
secret4_v1: {{ with secret ( print $vault_path "/secret4?version=" 1 ) }} {{ range $k, $v := .Data.data }} {{ $v }} {{ end }}{{ end }}
secret4_v2: {{ with secret ( print $vault_path "/secret4?version=" 2 ) }} {{ range $k, $v := .Data.data }} {{ $v }} {{ end }}{{ end }}
secret4_v3: {{ with secret ( print $vault_path "/secret4?version=" 3 ) }} {{ range $k, $v := .Data.data }} {{ $v }} {{ end }}{{ end }}
secret4_v4: {{ with secret ( print $vault_path "/secret4?version=" 4 ) }} {{ range $k, $v := .Data.data }} {{ $v }} {{ end }}{{ end }}
secret5_latest: {{ with secret ( print $vault_path "/secret5" ) }} {{ range $k, $v := .Data.data }} {{ $v }} {{ end }}{{ end }}
secret5_v1: {{ with secret ( print $vault_path "/secret5" "?version=1" ) }} {{ range $k, $v := .Data.data }} {{ $v }} {{ end }}{{ end }}
secret5_v2: {{ with secret ( print $vault_path "/secret5" "?version=2" ) }} {{ range $k, $v := .Data.data }} {{ $v }} {{ end }}{{ end }}
secret5_v3: {{ with secret ( print $vault_path "/secret5" "?version=3" ) }} {{ range $k, $v := .Data.data }} {{ $v }} {{ end }}{{ end }}
secret5_v4: {{ with secret ( print $vault_path "/secret5" "?version=4" ) }} {{ range $k, $v := .Data.data }} {{ $v }} {{ end }}{{ end }}

Rendered template

secret4_latest:   somesecret4value_version3
secret4_v1:   somesecret4value_version3
secret4_v2:   somesecret4value_version3
secret4_v3:   somesecret4value_version3
secret4_v4:   somesecret4value_version3
secret5_latest:   somesecret5value_version3
secret5_v1:   somesecret5value_version3
secret5_v2:   somesecret5value_version3
secret5_v3:   somesecret5value_version3
secret5_v4:   somesecret5value_version3

Actual versioned vault secrets

// latest version of secrets (zero)
curl --header "X-Vault-Token: *** " https://vault/v1/secret_v2/data/secret5
{"request_id":"e6d6e182-5c0e-11ea-8b5d-6771cd7e39d5","lease_id":"","renewable":false,"lease_duration":0,"data":{"data":{"somesecret5key":"somesecret5value_version3"},"metadata":{"created_time":"2020-03-01T21:30:18.255164372Z","deletion_time":"","destroyed":false,"version":4}},"wrap_info":null,"warnings":null,"auth":null}
curl --header "X-Vault-Token: *** " https://vault/v1/secret_v2/data/secret4
{"request_id":"85d3a420-74ac-41de-357b-ea4a6306a690","lease_id":"","renewable":false,"lease_duration":0,"data":{"data":{"somesecret4key":"somesecret4value_version3"},"metadata":{"created_time":"2020-03-01T21:24:30.534224223Z","deletion_time":"","destroyed":false,"version":4}},"wrap_info":null,"warnings":null,"auth":null}
curl --header "X-Vault-Token: *** " https://vault/v1/secret_v2/data/secret5?version=0
{"request_id":"0de681f1-eb2f-5b8f-cc93-ee19ee2ba246","lease_id":"","renewable":false,"lease_duration":0,"data":{"data":{"somesecret5key":"somesecret5value_version3"},"metadata":{"created_time":"2020-03-01T21:30:18.255164372Z","deletion_time":"","destroyed":false,"version":4}},"wrap_info":null,"warnings":null,"auth":null}
curl --header "X-Vault-Token: *** " https://vault/v1/secret_v2/data/secret4?version=0
{"request_id":"f7a6afc4-5c0e-11ea-9664-a7309391da25","lease_id":"","renewable":false,"lease_duration":0,"data":{"data":{"somesecret4key":"somesecret4value_version3"},"metadata":{"created_time":"2020-03-01T21:24:30.534224223Z","deletion_time":"","destroyed":false,"version":4}},"wrap_info":null,"warnings":null,"auth":null}


curl --header "X-Vault-Token: *** " https://vault/v1/secret_v2/data/secret4?version=0
{"request_id":"25392fde-45b5-27b7-37fa-f32fbb137771","lease_id":"","renewable":false,"lease_duration":0,"data":{"data":{"somesecret4key":"somesecret4value_version3"},"metadata":{"created_time":"2020-03-01T21:24:30.534224223Z","deletion_time":"","destroyed":false,"version":4}},"wrap_info":null,"warnings":null,"auth":null}
curl --header "X-Vault-Token: *** " https://vault/v1/secret_v2/data/secret4?version=1
{"request_id":"57e6aedc-9406-07a4-e7bc-8fd396f8f823","lease_id":"","renewable":false,"lease_duration":0,"data":{"data":{"somesecret4key":"somesecret4value_version1"},"metadata":{"created_time":"2020-03-01T21:23:50.76118051Z","deletion_time":"","destroyed":false,"version":1}},"wrap_info":null,"warnings":null,"auth":null}
curl --header "X-Vault-Token: *** " https://vault/v1/secret_v2/data/secret4?version=3
{"request_id":"2994b83c-d742-807a-aa3e-0d5d88ba6f60","lease_id":"","renewable":false,"lease_duration":0,"data":{"data":{"somesecret4key":"somesecret4value_version2"},"metadata":{"created_time":"2020-03-01T21:24:17.868740798Z","deletion_time":"","destroyed":false,"version":3}},"wrap_info":null,"warnings":null,"auth":null}
curl --header "X-Vault-Token: *** " https://vault/v1/secret_v2/data/secret4?version=4
{"request_id":"8ef9e5d9-d724-e650-03a8-8477a17f15c4","lease_id":"","renewable":false,"lease_duration":0,"data":{"data":{"somesecret4key":"somesecret4value_version3"},"metadata":{"created_time":"2020-03-01T21:24:30.534224223Z","deletion_time":"","destroyed":false,"version":4}},"wrap_info":null,"warnings":null,"auth":null}
curl --header "X-Vault-Token: *** " https://vault/v1/secret_v2/data/secret5?version=0
{"request_id":"36673da2-1b0d-510e-1333-36a088637dda","lease_id":"","renewable":false,"lease_duration":0,"data":{"data":{"somesecret5key":"somesecret5value_version3"},"metadata":{"created_time":"2020-03-01T21:30:18.255164372Z","deletion_time":"","destroyed":false,"version":4}},"wrap_info":null,"warnings":null,"auth":null}
curl --header "X-Vault-Token: *** " https://vault/v1/secret_v2/data/secret5?version=1
{"request_id":"5b014412-22be-b8f6-23eb-f245b8e6ab2e","lease_id":"","renewable":false,"lease_duration":0,"data":{"data":{"somesecret5key":"somesecret5value_version1"},"metadata":{"created_time":"2020-03-01T21:28:11.184234432Z","deletion_time":"","destroyed":false,"version":1}},"wrap_info":null,"warnings":null,"auth":null}
curl --header "X-Vault-Token: *** " https://vault/v1/secret_v2/secret5?version=2
{"request_id":"8fe0e3f7-3918-57a4-5a72-1e5293a7d418","lease_id":"","renewable":false,"lease_duration":0,"data":{"data":{"somesecret5key":"somesecret5value_version1"},"metadata":{"created_time":"2020-03-01T21:29:33.398767611Z","deletion_time":"","destroyed":false,"version":2}},"wrap_info":null,"warnings":null,"auth":null}
curl --header "X-Vault-Token: *** " https://vault/v1/secret_v2/data/secret5?version=3
{"request_id":"6ba62ce5-e788-4c9d-85f2-2f13341979f9","lease_id":"","renewable":false,"lease_duration":0,"data":{"data":{"somesecret5key":"somesecret5value_version2"},"metadata":{"created_time":"2020-03-01T21:29:51.385471519Z","deletion_time":"","destroyed":false,"version":3}},"wrap_info":null,"warnings":null,"auth":null}
curl --header "X-Vault-Token: *** " https://vault/v1/secret_v2/data/secret5?version=4
{"request_id":"7e675c49-4a00-c268-ca91-631061a8e763","lease_id":"","renewable":false,"lease_duration":0,"data":{"data":{"somesecret5key":"somesecret5value_version3"},"metadata":{"created_time":"2020-03-01T21:30:18.255164372Z","deletion_time":"","destroyed":false,"version":4}},"wrap_info":null,"warnings":null,"auth":null}

Vault backends

vault secrets list -detailed
Path                                         Plugin       Accessor              Default TTL    Max TTL     Force No Cache    Replication    Seal Wrap    Options                                             Description                                                UUID
----                                         ------       --------              -----------    -------     --------------    -----------    ---------    -------                                             -----------                                                ---
secret/                                      kv           kv_foo                system         system      false             replicated     false        map[version:1]                                      key/value secret storage                                   n/a
secret_v2/                                   kv           kv_bar                system         system      false             replicated     false        map[version:2]                                      KV version 2 secret path                                   n/a
sys/                                         system       system_baz            n/a            n/a         false             replicated     false        map[]                                               system endpoints used for control, policy and debugging    n/a

Command

consul-template -config /tmp/consul-config.json -template=/app/index.html.ctmpl:/app/index.html -exec=python3 test-server.py

Debug output

3/1/2020 4:29:06 PMLaunching application with the following: consul-template -config /tmp/consul-config.json -template=/etc/some_other_file.yml.ctmpl:/etc/some_other_file.yml -template=/app/index.html.ctmpl:/app/index.html -exec='python3 test-server.py' .
3/1/2020 4:29:06 PM2020/03/01 22:29:06.248993 [INFO] consul-template v0.24.1 (c54d0abc)
3/1/2020 4:29:06 PM2020/03/01 22:29:06.249011 [INFO] (runner) creating new runner (dry: false, once: false)
2020/03/01 22:29:06.249349 [DEBUG] (runner) final config: {"Consul":{"Address":"","Auth":{"Enabled":false,"Username":"","Password":""},"Retry":{"Attempts":12,"Backoff":250000000,"MaxBackoff":60000000000,"Enabled":true},"SSL":{"CaCert":"","CaPath":"","Cert":"","Enabled":true,"Key":"","ServerName":"","Verify":true},"Token":"","Transport":{"DialKeepAlive":30000000000,"DialTimeout":30000000000,"DisableKeepAlives":false,"IdleConnTimeout":90000000000,"MaxIdleConns":100,"MaxIdleConnsPerHost":5,"TLSHandshakeTimeout":10000000000}},"Dedup":{"Enabled":false,"MaxStale":2000000000,"Prefix":"consul-template/dedup/","TTL":15000000000},"Exec":{"Command":"python3 test-server.py","Enabled":true,"Env":{"Blacklist":[],"Custom":["PATH=$PATH:$PWD"],"Pristine":false,"Whitelist":[]},"KillSignal":2,"KillTimeout":30000000000,"ReloadSignal":null,"Splay":0,"Timeout":0},"KillSignal":2,"LogLevel":"debug","MaxStale":2000000000,"PidFile":"","ReloadSignal":1,"Syslog":{"Enabled":false,"Facility":"LOCAL0"},"Templates":[{"Backup":false,"Command":"","CommandTimeout":30000000000,"Contents":"","CreateDestDirs":true,"Destination":"/etc/some_other_file.yml","ErrMissingKey":false,"Exec":{"Command":"","Enabled":false,"Env":{"Blacklist":[],"Custom":[],"Pristine":false,"Whitelist":[]},"KillSignal":2,"KillTimeout":30000000000,"ReloadSignal":null,"Splay":0,"Timeout":30000000000},"Perms":0,"Source":"/etc/some_other_file.yml.ctmpl","Wait":{"Enabled":false,"Min":0,"Max":0},"LeftDelim":"","RightDelim":"","FunctionBlacklist":null,"SandboxPath":""},{"Backup":false,"Command":"","CommandTimeout":30000000000,"Contents":"","CreateDestDirs":true,"Destination":"/app/index.html","ErrMissingKey":false,"Exec":{"Command":"","Enabled":false,"Env":{"Blacklist":[],"Custom":[],"Pristine":false,"Whitelist":[]},"KillSignal":2,"KillTimeout":30000000000,"ReloadSignal":null,"Splay":0,"Timeout":30000000000},"Perms":0,"Source":"/app/index.html.ctmpl","Wait":{"Enabled":false,"Min":0,"Max":0},"LeftDelim":"","RightDelim":"","FunctionBlacklist":null,"SandboxPath":""}],"Vault":{"Address":"https://vault","Enabled":true,"Namespace":"","RenewToken":true,"Retry":{"Attempts":12,"Backoff":250000000,"MaxBackoff":60000000000,"Enabled":true},"SSL":{"CaCert":"","CaPath":"","Cert":"","Enabled":true,"Key":"","ServerName":"","Verify":true},"Transport":{"DialKeepAlive":30000000000,"DialTimeout":30000000000,"DisableKeepAlives":false,"IdleConnTimeout":90000000000,"MaxIdleConns":100,"MaxIdleConnsPerHost":5,"TLSHandshakeTimeout":10000000000},"UnwrapToken":false},"Wait":{"Enabled":false,"Min":0,"Max":0},"Once":false}
3/1/2020 4:29:06 PM2020/03/01 22:29:06.249423 [INFO] (runner) creating watcher
3/1/2020 4:29:06 PM2020/03/01 22:29:06.249452 [DEBUG] (watcher) adding vault.token
3/1/2020 4:29:06 PM2020/03/01 22:29:06.249792 [INFO] (runner) starting
3/1/2020 4:29:06 PM2020/03/01 22:29:06.249810 [DEBUG] (runner) running initial templates
3/1/2020 4:29:06 PM2020/03/01 22:29:06.249814 [DEBUG] (runner) initiating run
3/1/2020 4:29:06 PM2020/03/01 22:29:06.249860 [DEBUG] (runner) checking template 889e59c7dc5fd172e484df2a9aa82a53
3/1/2020 4:29:06 PM2020/03/01 22:29:06.414839 [DEBUG] (cli) receiving signal "child exited"
3/1/2020 4:29:06 PM2020/03/01 22:29:06.548189 [DEBUG] (cli) receiving signal "child exited"
3/1/2020 4:29:06 PM2020/03/01 22:29:06.665238 [DEBUG] (cli) receiving signal "child exited"
3/1/2020 4:29:06 PM2020/03/01 22:29:06.666316 [DEBUG] (cli) receiving signal "child exited"
3/1/2020 4:29:06 PM2020/03/01 22:29:06.758110 [DEBUG] (cli) receiving signal "child exited"
3/1/2020 4:29:08 PM2020/03/01 22:29:08.064059 [DEBUG] (cli) receiving signal "child exited"
3/1/2020 4:29:08 PM2020/03/01 22:29:08.064138 [DEBUG] (runner) missing data for 2 dependencies
3/1/2020 4:29:08 PM2020/03/01 22:29:08.064166 [DEBUG] (runner) missing dependency: vault.read(secret_v2/secret4)
3/1/2020 4:29:08 PM2020/03/01 22:29:08.064175 [DEBUG] (runner) missing dependency: vault.read(secret_v2/secret5)
3/1/2020 4:29:08 PM2020/03/01 22:29:08.064182 [DEBUG] (runner) add used dependency vault.read(secret_v2/secret4) to missing since isLeader but do not have a watcher
3/1/2020 4:29:08 PM2020/03/01 22:29:08.064190 [DEBUG] (runner) add used dependency vault.read(secret_v2/secret5) to missing since isLeader but do not have a watcher
3/1/2020 4:29:08 PM2020/03/01 22:29:08.064202 [DEBUG] (runner) was not watching 2 dependencies
3/1/2020 4:29:08 PM2020/03/01 22:29:08.064215 [DEBUG] (watcher) adding vault.read(secret_v2/secret4)
3/1/2020 4:29:08 PM2020/03/01 22:29:08.064228 [DEBUG] (watcher) adding vault.read(secret_v2/secret5)
3/1/2020 4:29:08 PM2020/03/01 22:29:08.064238 [DEBUG] (runner) checking template 2d4fc72b29bb3818646579cfc49f5a8a
3/1/2020 4:29:08 PM2020/03/01 22:29:08.200219 [DEBUG] (cli) receiving signal "child exited"
3/1/2020 4:29:08 PM2020/03/01 22:29:08.319001 [DEBUG] (cli) receiving signal "child exited"
3/1/2020 4:29:08 PM2020/03/01 22:29:08.435853 [DEBUG] (cli) receiving signal "child exited"
3/1/2020 4:29:09 PM2020/03/01 22:29:09.751652 [DEBUG] (cli) receiving signal "child exited"
3/1/2020 4:29:09 PM2020/03/01 22:29:09.751666 [DEBUG] (runner) missing data for 6 dependencies
3/1/2020 4:29:09 PM2020/03/01 22:29:09.751690 [DEBUG] (runner) missing dependency: vault.read(secret_v2/manually-defined-stack-name-test/manually-defined-service-name-test)
3/1/2020 4:29:09 PM2020/03/01 22:29:09.751698 [DEBUG] (runner) missing dependency: vault.read(secret_v2/)
3/1/2020 4:29:09 PM2020/03/01 22:29:09.751702 [DEBUG] (runner) missing dependency: vault.read(secret_v2/secret2)
3/1/2020 4:29:09 PM2020/03/01 22:29:09.751705 [DEBUG] (runner) missing dependency: vault.read(secret_v2/secret3)
3/1/2020 4:29:09 PM2020/03/01 22:29:09.751708 [DEBUG] (runner) missing dependency: vault.read(secret_v2/secret4)
3/1/2020 4:29:09 PM2020/03/01 22:29:09.751712 [DEBUG] (runner) missing dependency: vault.read(secret_v2/secret5)
3/1/2020 4:29:09 PM2020/03/01 22:29:09.751721 [DEBUG] (runner) add used dependency vault.read(secret_v2/manually-defined-stack-name-test/manually-defined-service-name-test) to missing since isLeader but do not have a watcher
3/1/2020 4:29:09 PM2020/03/01 22:29:09.751728 [DEBUG] (runner) add used dependency vault.read(secret_v2/) to missing since isLeader but do not have a watcher
3/1/2020 4:29:09 PM2020/03/01 22:29:09.751735 [DEBUG] (runner) add used dependency vault.read(secret_v2/secret2) to missing since isLeader but do not have a watcher
3/1/2020 4:29:09 PM2020/03/01 22:29:09.751740 [DEBUG] (runner) add used dependency vault.read(secret_v2/secret3) to missing since isLeader but do not have a watcher
3/1/2020 4:29:09 PM2020/03/01 22:29:09.751760 [DEBUG] (runner) was not watching 4 dependencies
3/1/2020 4:29:09 PM2020/03/01 22:29:09.751770 [DEBUG] (watcher) adding vault.read(secret_v2/manually-defined-stack-name-test/manually-defined-service-name-test)
3/1/2020 4:29:09 PM2020/03/01 22:29:09.751787 [DEBUG] (watcher) adding vault.read(secret_v2/)
3/1/2020 4:29:09 PM2020/03/01 22:29:09.751797 [DEBUG] (watcher) adding vault.read(secret_v2/secret2)
3/1/2020 4:29:09 PM2020/03/01 22:29:09.751804 [DEBUG] (watcher) adding vault.read(secret_v2/secret3)
3/1/2020 4:29:09 PM2020/03/01 22:29:09.751813 [DEBUG] (runner) diffing and updating dependencies
3/1/2020 4:29:09 PM2020/03/01 22:29:09.751817 [DEBUG] (runner) watching 7 dependencies
3/1/2020 4:29:09 PM2020/03/01 22:29:09.751827 [DEBUG] (runner) receiving dependency vault.read(secret_v2/secret4)
3/1/2020 4:29:09 PM2020/03/01 22:29:09.751852 [DEBUG] (runner) receiving dependency vault.read(secret_v2/secret5)
3/1/2020 4:29:09 PM2020/03/01 22:29:09.751860 [DEBUG] (runner) initiating run
3/1/2020 4:29:09 PM2020/03/01 22:29:09.751864 [DEBUG] (runner) checking template 889e59c7dc5fd172e484df2a9aa82a53
3/1/2020 4:29:09 PM2020/03/01 22:29:09.877737 [DEBUG] (cli) receiving signal "child exited"
3/1/2020 4:29:09 PM2020/03/01 22:29:09.991958 [DEBUG] (cli) receiving signal "child exited"
3/1/2020 4:29:10 PM2020/03/01 22:29:10.105435 [DEBUG] (cli) receiving signal "child exited"
3/1/2020 4:29:10 PM2020/03/01 22:29:10.106520 [DEBUG] (cli) receiving signal "child exited"
3/1/2020 4:29:10 PM2020/03/01 22:29:10.196693 [DEBUG] (cli) receiving signal "child exited"
3/1/2020 4:29:11 PM2020/03/01 22:29:11.511953 [DEBUG] (cli) receiving signal "child exited"
3/1/2020 4:29:11 PM2020/03/01 22:29:11.511982 [DEBUG] (runner) rendering "/etc/some_other_file.yml.ctmpl" => "/etc/some_other_file.yml"
3/1/2020 4:29:11 PM2020/03/01 22:29:11.514806 [INFO] (runner) rendered "/etc/some_other_file.yml.ctmpl" => "/etc/some_other_file.yml"
3/1/2020 4:29:11 PM2020/03/01 22:29:11.514821 [DEBUG] (runner) checking template 2d4fc72b29bb3818646579cfc49f5a8a
3/1/2020 4:29:11 PM2020/03/01 22:29:11.632061 [DEBUG] (cli) receiving signal "child exited"
3/1/2020 4:29:11 PM2020/03/01 22:29:11.751210 [DEBUG] (cli) receiving signal "child exited"
3/1/2020 4:29:11 PM2020/03/01 22:29:11.918304 [DEBUG] (cli) receiving signal "child exited"
3/1/2020 4:29:13 PM2020/03/01 22:29:13.207635 [DEBUG] (cli) receiving signal "child exited"
3/1/2020 4:29:13 PM2020/03/01 22:29:13.207654 [DEBUG] (runner) missing data for 4 dependencies
3/1/2020 4:29:13 PM2020/03/01 22:29:13.207672 [DEBUG] (runner) missing dependency: vault.read(secret_v2/manually-defined-stack-name-test/manually-defined-service-name-test)
3/1/2020 4:29:13 PM2020/03/01 22:29:13.207677 [DEBUG] (runner) missing dependency: vault.read(secret_v2/)
3/1/2020 4:29:13 PM2020/03/01 22:29:13.207681 [DEBUG] (runner) missing dependency: vault.read(secret_v2/secret2)
3/1/2020 4:29:13 PM2020/03/01 22:29:13.207685 [DEBUG] (runner) missing dependency: vault.read(secret_v2/secret3)
3/1/2020 4:29:13 PM2020/03/01 22:29:13.207702 [DEBUG] (runner) missing data for 4 dependencies
3/1/2020 4:29:13 PM2020/03/01 22:29:13.207707 [DEBUG] (runner) diffing and updating dependencies
3/1/2020 4:29:13 PM2020/03/01 22:29:13.207712 [DEBUG] (runner) vault.read(secret_v2/secret5) is still needed
3/1/2020 4:29:13 PM2020/03/01 22:29:13.207716 [DEBUG] (runner) vault.read(secret_v2/manually-defined-stack-name-test/manually-defined-service-name-test) is still needed
3/1/2020 4:29:13 PM2020/03/01 22:29:13.207720 [DEBUG] (runner) vault.read(secret_v2/) is still needed
3/1/2020 4:29:13 PM2020/03/01 22:29:13.207724 [DEBUG] (runner) vault.read(secret_v2/secret2) is still needed
3/1/2020 4:29:13 PM2020/03/01 22:29:13.207728 [DEBUG] (runner) vault.read(secret_v2/secret3) is still needed
3/1/2020 4:29:13 PM2020/03/01 22:29:13.207731 [DEBUG] (runner) vault.read(secret_v2/secret4) is still needed
3/1/2020 4:29:13 PM2020/03/01 22:29:13.207735 [DEBUG] (runner) watching 7 dependencies
3/1/2020 4:29:13 PM2020/03/01 22:29:13.207743 [DEBUG] (runner) receiving dependency vault.read(secret_v2/manually-defined-stack-name-test/manually-defined-service-name-test)
3/1/2020 4:29:13 PM2020/03/01 22:29:13.207751 [DEBUG] (runner) receiving dependency vault.read(secret_v2/secret2)
3/1/2020 4:29:13 PM2020/03/01 22:29:13.207757 [DEBUG] (runner) receiving dependency vault.read(secret_v2/secret3)
3/1/2020 4:29:13 PM2020/03/01 22:29:13.207763 [DEBUG] (runner) receiving dependency vault.read(secret_v2/)
3/1/2020 4:29:13 PM2020/03/01 22:29:13.207767 [DEBUG] (runner) initiating run
3/1/2020 4:29:13 PM2020/03/01 22:29:13.207771 [DEBUG] (runner) checking template 889e59c7dc5fd172e484df2a9aa82a53
3/1/2020 4:29:13 PM2020/03/01 22:29:13.325499 [DEBUG] (cli) receiving signal "child exited"
3/1/2020 4:29:13 PM2020/03/01 22:29:13.448906 [DEBUG] (cli) receiving signal "child exited"
3/1/2020 4:29:13 PM2020/03/01 22:29:13.563325 [DEBUG] (cli) receiving signal "child exited"
3/1/2020 4:29:13 PM2020/03/01 22:29:13.564368 [DEBUG] (cli) receiving signal "child exited"
3/1/2020 4:29:13 PM2020/03/01 22:29:13.671948 [DEBUG] (cli) receiving signal "child exited"
3/1/2020 4:29:16 PM2020/03/01 22:29:16.205056 [DEBUG] (cli) receiving signal "child exited"
3/1/2020 4:29:16 PM2020/03/01 22:29:16.205085 [DEBUG] (runner) rendering "/etc/some_other_file.yml.ctmpl" => "/etc/some_other_file.yml"
3/1/2020 4:29:16 PM2020/03/01 22:29:16.207015 [INFO] (runner) rendered "/etc/some_other_file.yml.ctmpl" => "/etc/some_other_file.yml"
3/1/2020 4:29:16 PM2020/03/01 22:29:16.207027 [DEBUG] (runner) checking template 2d4fc72b29bb3818646579cfc49f5a8a
3/1/2020 4:29:16 PM2020/03/01 22:29:16.328847 [DEBUG] (cli) receiving signal "child exited"
3/1/2020 4:29:16 PM2020/03/01 22:29:16.441012 [DEBUG] (cli) receiving signal "child exited"
3/1/2020 4:29:16 PM2020/03/01 22:29:16.552654 [DEBUG] (cli) receiving signal "child exited"
3/1/2020 4:29:19 PM2020/03/01 22:29:19.110185 [DEBUG] (cli) receiving signal "child exited"
3/1/2020 4:29:19 PM2020/03/01 22:29:19.110245 [DEBUG] (runner) rendering "/app/index.html.ctmpl" => "/app/index.html"
3/1/2020 4:29:19 PM2020/03/01 22:29:19.112184 [INFO] (runner) rendered "/app/index.html.ctmpl" => "/app/index.html"
3/1/2020 4:29:19 PM2020/03/01 22:29:19.112206 [DEBUG] (runner) diffing and updating dependencies
3/1/2020 4:29:19 PM2020/03/01 22:29:19.112215 [DEBUG] (runner) vault.read(secret_v2/secret5) is still needed
3/1/2020 4:29:19 PM2020/03/01 22:29:19.112220 [DEBUG] (runner) vault.read(secret_v2/manually-defined-stack-name-test/manually-defined-service-name-test) is still needed
3/1/2020 4:29:19 PM2020/03/01 22:29:19.112224 [DEBUG] (runner) vault.read(secret_v2/) is still needed
3/1/2020 4:29:19 PM2020/03/01 22:29:19.112227 [DEBUG] (runner) vault.read(secret_v2/secret2) is still needed
3/1/2020 4:29:19 PM2020/03/01 22:29:19.112232 [DEBUG] (runner) vault.read(secret_v2/secret3) is still needed
3/1/2020 4:29:19 PM2020/03/01 22:29:19.112236 [DEBUG] (runner) vault.read(secret_v2/secret4) is still needed
3/1/2020 4:29:19 PM2020/03/01 22:29:19.112241 [DEBUG] (runner) watching 7 dependencies
3/1/2020 4:29:19 PM2020/03/01 22:29:19.112245 [DEBUG] (runner) all templates rendered
3/1/2020 4:29:19 PM2020/03/01 22:29:19.112290 [INFO] (child) spawning: python3 test-server.py

Expected behavior

I expect to be able to target a specific version of a secret at any point in my template for the same secret path in the same template and return that value.

Actual behavior

Instead it seems the template gets pinned on a specific version of a secret. I have tried this in multiple templates using different versions, and it is always version 0 that seems to get returned...

Steps to reproduce

  1. create some versioned secrets in vault using the KV version 2 secret path backend
  2. attempt to render a template using versioned secret references
  3. profit
@caleyg caleyg changed the title returning specific versions of a secret path in kv2 unable to return specific versions of a secret path in kv v2 in template, seems to only return latest version Mar 1, 2020
@eikenb eikenb added bug vault Related to the Vault integration labels Mar 2, 2020
@eikenb eikenb self-assigned this Mar 4, 2020
@eikenb eikenb added this to the 0.25.0 milestone Mar 4, 2020

eikenb commented Mar 5, 2020

Hey @caleyg, I think I've figured out what is going on here.

Consul-template caches the results it gets (from vault or consul) so that it doesn't have to re-fetch all of them each time one of them changes (when it needs to re-render the template). The problem is that the cache is keyed off the path of the secret, without the version. So the cache gets initialized with whatever version the first request is for and the rest then just return that value.

The fix here is obviously to include the version info in the key for the cache. I'll have to see if it is that simple in practice though. I'm looking into it.
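
The cache-key collision described in the comment above, reduced to a runnable sketch. This is an added example, not consul-template's code: `fakeKV`, `secretCache`, `pathOnlyKey` and `versionedKey` are hypothetical names, and the stored values are constructed to mirror the curl output in the report.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// fakeKV is a constructed stand-in for a KV v2 mount: path -> version -> value.
// Version "0" means "latest", matching the ?version=0 requests in the report.
var fakeKV = map[string]map[string]string{
	"secret_v2/bar/foo/secret4": {
		"0": "somesecret4value_version3",
		"1": "somesecret4value_version1",
		"3": "somesecret4value_version2",
		"4": "somesecret4value_version3",
	},
}

// splitRef separates "path?version=N" into path and version ("0" if absent).
func splitRef(ref string) (string, string) {
	path, rawQuery, _ := strings.Cut(ref, "?")
	version := "0"
	if q, err := url.ParseQuery(rawQuery); err == nil && q.Get("version") != "" {
		version = q.Get("version")
	}
	return path, version
}

// keyFunc turns a template reference into the key used by the cache.
type keyFunc func(ref string) string

// pathOnlyKey reproduces the reported behaviour: the version is dropped.
func pathOnlyKey(ref string) string { p, _ := splitRef(ref); return p }

// versionedKey keeps the version in the key, so each version is cached apart.
// "secret4" and "secret4?version=0" normalise to the same key.
func versionedKey(ref string) string { p, v := splitRef(ref); return p + "?version=" + v }

// secretCache is a minimal read-through cache in front of fakeKV.
type secretCache struct {
	key     keyFunc
	entries map[string]string
	fetches int // number of reads that reached the backend
}

func newCache(k keyFunc) *secretCache {
	return &secretCache{key: k, entries: map[string]string{}}
}

// read returns the cached value for ref, fetching from fakeKV on a miss.
func (c *secretCache) read(ref string) string {
	k := c.key(ref)
	if v, ok := c.entries[k]; ok {
		return v
	}
	path, version := splitRef(ref)
	c.fetches++
	v := fakeKV[path][version]
	c.entries[k] = v
	return v
}

// render resolves every reference in order, as a template run would.
func render(c *secretCache, refs []string) []string {
	out := make([]string, 0, len(refs))
	for _, r := range refs {
		out = append(out, c.read(r))
	}
	return out
}

func main() {
	base := "secret_v2/bar/foo/secret4"
	refs := []string{base, base + "?version=1", base + "?version=3", base + "?version=4"}
	for name, k := range map[string]keyFunc{"path-only": pathOnlyKey, "versioned": versionedKey} {
		c := newCache(k)
		fmt.Println(name, render(c, refs), "backend fetches:", c.fetches)
	}
}
```

With the path-only key, the first reference fills the single cache entry and every later reference to the same path returns it, whatever version it asked for.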


caleyg commented Mar 6, 2020

Thank you so much for investigating and your time @eikenb
