feat(agent): add retry configuration for vault agent #10644
Conversation
|
|
command/agent/config/config.go
Outdated
| @@ -40,6 +40,7 @@ type Vault struct { | |||
| ClientCert string `hcl:"client_cert"` | |||
| ClientKey string `hcl:"client_key"` | |||
| TLSServerName string `hcl:"tls_server_name"` | |||
| Retry *Retry `hcl:"retry"` | |||
There was a problem hiding this comment.
The retry behavior in here is specifically for the template server (at least for now) so I'm not entirely convinced that it should live in the vault stanza since this doesn't control retry logic when agent communicates with the server for auto-auth and/or caching.
@HridoyRoy thoughts on making this be a top-level template_retry stanza instead?
There was a problem hiding this comment.
We did think about that, but the existing retry context is under ctv.Vault.Retry = &ctconfig.RetryConfig{Attempts: &ts.testingLimitRetry} and consul-template puts it under the vault section so we kept the same structure location.
As for the auto-auth retry that is a feature we would like to add as well as our use case of vault needs to be fault tolerant of network disconnects both for getting new tokens and template rendering, this MR was the first step.
There was a problem hiding this comment.
Hm, I do agree that "Retry" in the Vault section shouldn't be a configuration parameter that is limited to the consul template use-case. Let me dig into this a bit -- I'll circle back soon.
There was a problem hiding this comment.
Hi @ibspoof @RXC001 , sorry for the delay in circling back!
We'd like to move the Retry stanza into as a top level config named template_retry. ctv is the consul template, so ctv.Vault.Retry can be set to values that exist in a structurally different location in the Vault config. Since this retry functionality is currently limited in scope to the consul-template, we'd want to make that clear with the name and location of the stanza, instead of keeping structural similarity between the consul-template config and the vault config.
Thanks so much!
There was a problem hiding this comment.
Makes sense we had the same discussion in our team. Will get that changed and pushed.
command/agent/config/config.go
Outdated
| @@ -40,6 +40,7 @@ type Vault struct { | |||
| ClientCert string `hcl:"client_cert"` | |||
| ClientKey string `hcl:"client_key"` | |||
| TLSServerName string `hcl:"tls_server_name"` | |||
| Retry *Retry `hcl:"retry"` | |||
There was a problem hiding this comment.
Hi @ibspoof @RXC001 , sorry for the delay in circling back!
We'd like to move the Retry stanza into as a top level config named template_retry. ctv is the consul template, so ctv.Vault.Retry can be set to values that exist in a structurally different location in the Vault config. Since this retry functionality is currently limited in scope to the consul-template, we'd want to make that clear with the name and location of the stanza, instead of keeping structural similarity between the consul-template config and the vault config.
Thanks so much!
|
Moving the Retry stanza to the top level makes sense. I can make that happen. |
RXC001
force-pushed
the
feat/agent/add-retry-configuration
branch
from
6edb667 to
f46580e
Compare
hashicorp#10750) * Move the declaration to a OSS build tag file to not have it collide with ent declarations * Add comment * Remove comment to trigger ci
…om/RXC001/vault into feat/agent/add-retry-configuration
|
This pull request is being automatically deployed with Vercel (learn more). vault-storybook – ./ui🔍 Inspect: https://vercel.com/hashicorp/vault-storybook/ot1pw5ox3 |
…those from consul-template configuration. Also fix some existing config docs that weren't adhering to our conventions.
…those from consul-template configuration. Also fix some existing config docs that weren't adhering to our conventions. (#10911)
…those from consul-template configuration. Also fix some existing config docs that weren't adhering to our conventions. (#10911)
* master: Adds API docs for max_age role parameter of JWT/OIDC auth method (#10916) UI/Database Secrets Engine cleanup (#10949) helper/metricsutil: Prevent potential Ticker leak (#10913) core/expiration: Add backoff jitter to the expiration retries (#10937) Revert "Vault Dependency Upgrades [VAULT-871] (#10903)" (#10939) Vault Dependency Upgrades [VAULT-871] (#10903) Add docs for Agent's template_retry option added in #10644, based on those from consul-template configuration. Also fix some existing config docs that weren't adhering to our conventions. (#10911) UI Database Secrets Engine (MongoDB) (#10655) OpenAPI - Don't panic if field isn't found (#10929) Vault-1403 Switch Expiration Manager to use Fairsharing Backpressure (#1709) (#10932) Update KV Secrets Engine index (#10933)
|
Thanks for this feature. This is awesome! It appears this didn't make it into the 1.6.2 release. Any timeframe of when we can expect this to be part of the GA build? |
It should be included in the upcoming 1.7 release. We don't have an official timeframe that I know of, but if you look at the past cadence of Vault major releases you'll see that we're pretty regular and that 1.7 is likely not far off. |
|
@ncabatoff thanks for the info. Just a heads up that the documentation for these configs are live at https://www.vaultproject.io/docs/agent/template and may cause some confusion for folks trying to figure out why the configs aren't working. |
|
Unfortunately this has been an issue for the longest time. Our docs reflect not the latest available version, but what's in the master branch. There is work ongoing to provide a versioned view of documentation which should fix this, but I don't know when that will be released. Sorry about the confusion in the meantime. |
|
@ncabatoff The docs for this are showing up because the |
|
Hi folks, I'm afraid I have some potentially bad news: I'm reverting this change. In its place, #11113 is adding similar functionality that will apply not just to templating, but also to requests that go through the proxy/cache. I say this is potentially bad news because the new configuration only allows you to specify the number of retries, there's no provision like in template_retry for specifying backoff or max_backoff. Some context for this decision:
In the future we plan to do further work to better unify templating with the rest of Agent, such that we won't have multiple backoff algorithms in use, and we can revisit the decision as to whether to have configuration for backoff intervals. |
Adds retry configuration for Vault Agent. Structure is similar to the
retryblocks found in consul-template