Optionally prevent vault lookup from raising exceptions #13
Comments
|
I've opened #12 for this, but we are still looking for feedback on whether this is something people would actually use. If not, feel free to close this and the associated PR. No need to add complexity that won't be used. |
|
This would be a very welcome feature. I'm working on setting up a Vault cluster, and plan to start using this module soon to deploy secrets in templates. If there's an issue reaching the Vault cluster, in most cases I prefer for the catalog application to proceed without interruption and leave the target file unmodified. However, if this would require to define a default value, then this feature would not work for me. Anything else than the secret itself would break whatever needs the secret, and that can't happen. |
|
The problem as I see it is at the point where vault_lookup is running... you must return a value in most cases. because it's on the assignment side of a => in some kind of resource. the main compile already ran on the master/compiler and the resource is in the catalogue it's just the content value that's going to be interpolated by the agent side deferred function I think this might be a good idea but. having nil instead of (webserver private cert) or (integration credentials) is going to break a working service |
If the lookup function throws an exception when used within an agent-side function (Deferred type), the whole catalog application will fail. This may not always be desirable, so we should allow the user to pass a flag disabling exceptions. When exceptions are disabled, the lookup function should log the error and return nil, instead of throwing.
The text was updated successfully, but these errors were encountered: