Optionally prevent vault lookup from raising exceptions #13

Open
Magisus opened this issue Nov 29, 2018 · 3 comments · May be fixed by #12

Comments

Magisus commented Nov 29, 2018

If the lookup function throws an exception when used within an agent-side function (Deferred type), the whole catalog application will fail. This may not always be desirable, so we should allow the user to pass a flag disabling exceptions. When exceptions are disabled, the lookup function should log the error and return nil, instead of throwing.

Magisus commented Nov 29, 2018

I've opened #12 for this, but we are still looking for feedback on whether this is something people would actually use. If not, feel free to close this and the associated PR. No need to add complexity that won't be used.

@voiprodrigo

This would be a very welcome feature. I'm working on setting up a Vault cluster, and plan to start using this module soon to deploy secrets in templates. If there's an issue reaching the Vault cluster, in most cases I prefer for the catalog application to proceed without interruption and leave the target file unmodified. However, if this would require defining a default value, then this feature would not work for me. Anything other than the secret itself would break whatever needs the secret, and that can't happen.

@firstnevyn
Contributor

The problem as I see it is at the point where vault_lookup is running... you must return a value in most cases, because it's on the assignment side of a => in some kind of resource. The main compile already ran on the master/compiler and the resource is in the catalogue; it's just the content value that's going to be interpolated by the agent-side deferred function. I think this might be a good idea, but having nil instead of (webserver private cert) or (integration credentials) is going to break a working service.
