Changing destination file user and group is not working

[voanhduy1512]

Sorry to report issue against unreleased version, but I have been waiting for this feature for a long time. Currently I am using some complex systemd service + bash script that I hope I can remove if this feature works properly in consul-template

Consul Template version

Dev build at 0012f40

Configuration

key.tmpl

{{ with secret "pki/issue/example-dot-com" "common_name=test.example.com" "alt_names=localhost" "ip_sans=127.0.0.1" "ttl=7d" }}
{{ .Data.private_key }}
{{ end }}

cert.tmpl

{{ with secret "pki/issue/example-dot-com" "common_name=test.example.com" "alt_names=localhost" "ip_sans=127.0.0.1" "ttl=7d" }}
{{ .Data.certificate }}
{{ end }}

config.hcl

vault {
  address = "http://127.0.0.1:8200"
  renew_token = false
  ssl {
     enabled = false
   }
 }
template {
  user = "myusername"
  group = "users"
  source = "key.tmpl"
  destination = "key.pem"
}
template {
  user = "myusername"
  group = "users"
  source = "cert.tmpl"
  destination = "cert.pem"
}

Command

consul-template -config config.hcl

Expected behavior

key.pem and cert.pem should be created with correct user myusername and group users

Actual behavior

The files are created with same user and group of the account running consul-template.

I thought it could be a permission issue so I tried running it with:

• CAP_CHOWN CAP_FOWNER capabilities (https://man7.org/linux/man-pages/man7/capabilities.7.html)
• root account

but the problem still happened.

[igor-nikiforov]

I have exactly the same case and can confirm that user and group does not work as expected with this scenario.

[eikenb]

Hey @voanhduy1512, thanks for filing this (and the related PR/fix).

Is including this in 0.29.0 enough or will anyone need a 0.28.2 bugfix release with this?

[voanhduy1512]

Thanks for checking, including this in 0.29.0 is enough for me, I don't need a bugfix release for this.