envconsul vs consul-template for setting environment variables

[SunSparc]

I am automating server rollout. We are wanting to store config values for all of our applications in Vault. In order to make this feasible I need to be able to get the values from Vault into the environment when a server is being provisioned. Then when the applications are installed and start running the config values are readily available for them.

I first found consul-template. It is a wonderful tool for watching config values and updating them as needed. However, consul-template only seems to deal with files.

I then found envconsul. I thought I had found a perfect solution until I realized that envconsul is not persisting values into my environment. Instead it is sending values into a child process, which values then disappear after the child process terminates.

I suppose I could have consul-template retrieve the values I need, put them into a config file that I then source to persist the value into the environment. This would then mean the values are in files on the filesystem which somewhat defeats the point of Vault.

I am still thinking this through and looking for other ideas.

Thanks,

Jonathan

[SunSparc]

If I go the consul-template route I could source a config file into the environment, then nuke the config file so that it does not remain on the system.

Or I could go through each of the install scripts, find where each app is being launched and prepend "envconsul -config="/etc/envconsul.hcl" before the command that launches the apps for the first time.

[David Adams]

I'm confused about what your goals are. If you don't want any persistence, envconsul is the way to go. If you don't a wrapper around your programs, then envconsul is not a possible solution.

On Thu, Mar 16, 2017 at 1:20 PM, SunSparc <jona...@nacnud.com> wrote:

If I go the consul-template route I could source a config file into the environment, then nuke the config file so that it does not remain on the system.

Or I could go through each of the install scripts, find where each app is being launched and prepend "envconsul -config="/etc/envconsul.hcl" before the command that launches the apps for the first time.

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/db18a1b3-993d-4e02-a1a9-6a915ee7df8d%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

[Nathan Basanese]

OK. It sounds like you were looking for a way to get configuration data to your application without leaving unnecessary traces on the system.

Nuking the config file would work.

But also, you could read values into your application from Vault directly, using Vault's ReST API.

I'm curious, it's been some time since you asked this. What did you end up doing?