Vault
Vault Agent Template Config
Template Config configures Vault Agent behavior common to all template
stanzas.
For template-specific rendering configuration, refer to the parameters within the
template
stanza.
Functionality
The template_config
stanza configures overall default behavior for the
templating engine. Note that template_config
can only be defined once, and is
different from the template
stanza. Unlike template
which focuses on where
and how a specific secret is rendered, template_config
contains parameters
affecting how the templating engine as a whole behaves and its interaction with
the rest of Agent. This includes, but is not limited to, program exit behavior.
Other parameters that apply to the templating engine as a whole may be added
over time.
Interaction between exit_on_retry_failure
and error_on_missing_key
The parameter
error_on_missing_key
can be
specified within the template
stanza which determines if a template should
error when a key is missing in the secret. When error_on_missing_key
is not
specified or set to false
and the key to render is not in the secret's
response, the templating engine will ignore it (or render "<no value>"
) and
continue on with its rendering.
If the desire is to have Agent fail and exit on a missing key, both
template.error_on_missing_key
and template_config.exit_on_retry_failure
must
be set to true. Otherwise, the templating engine will error and render to its
destination, but agent will not exit and will retry until the key exists or until
the process is terminated.
Note that a missing key from a secret's response is different from a missing or
non-existent secret. The templating engine will always error if a secret is
missing, but will only error for a missing key if error_on_missing_key
is set.
Whether Vault Agent will exit when the templating engine errors depends on the
value of exit_on_retry_failure
.
Configuration
The top level template_config
block has the following configuration entries:
exit_on_retry_failure
(bool: false)
- This option configures Vault Agent to exit after it has exhausted its number of template retry attempts due to failures.static_secret_render_interval
(string or integer: 5m)
- If specified, configures how often Vault Agent Template should render non-leased secrets such as KV v2. This setting will not change how often Vault Agent Templating renders leased secrets.