| layout | page_title | description |
|---|---|---|
docs |
Vault Agent Template Config |
Vault Agent's Template Config to set Templating Engine behavior |
Template Config configures Vault Agent behavior common to all template stanzas.
For template-specific rendering configuration, refer to the parameters within the
template stanza.
The template_config stanza configures overall default behavior for the
templating engine. Note that template_config can only be defined once, and is
different from the template stanza. Unlike template which focuses on where
and how a specific secret is rendered, template_config contains parameters
affecting how the templating engine as a whole behaves and its interaction with
the rest of Agent. This includes, but is not limited to, program exit behavior.
Other parameters that apply to the templating engine as a whole may be added
over time.
The parameter
error_on_missing_key can be
specified within the template stanza which determines if a template should
error when a key is missing in the secret. When error_on_missing_key is not
specified or set to false and the key to render is not in the secret's
response, the templating engine will ignore it (or render "<no value>") and
continue on with its rendering.
If the desire is to have Agent fail and exit on a missing key, both
template.error_on_missing_key and template_config.exit_on_retry_failure must
be set to true. Otherwise, the templating engine will error and render to its
destination, but agent will not exit and will retry until the key exists or until
the process is terminated.
Note that a missing key from a secret's response is different from a missing or
non-existent secret. The templating engine will always error if a secret is
missing, but will only error for a missing key if error_on_missing_key is set.
Whether Vault Agent will exit when the templating engine errors depends on the
value of exit_on_retry_failure.
The top level template_config block has the following configuration entries:
-
exit_on_retry_failure(bool: false)- This option configures Vault Agent to exit after it has exhausted its number of template retry attempts due to failures. -
static_secret_render_interval(string or integer: 5m)- If specified, configures how often Vault Agent Template should render non-leased secrets such as KV v2. This setting will not change how often Vault Agent Templating renders leased secrets.