Allow auto_auth with templates without specifying a sink (#8812)

For situations where you want the Vault agent to handle one or more templates but do not require the acquired credentials elsewhere. Modify the logic in SyncServer so that if there are no sinks, ignore any new credentials. Since SyncServer is responsible for shutting down the agent, make sure it still properly shuts down in this new situation. Solves #7988
2025-11-02 11:38:02 +00:00 · 2020-05-26 13:52:14 -04:00
parent f425d5ba37
commit f31092e7ad
10 changed files with 240 additions and 51 deletions
--- a/command/agent/config/config_test.go
+++ b/command/agent/config/config_test.go
@@ -254,6 +254,13 @@ func TestLoadConfigFile_Bad_AutoAuth_Wrapped_Multiple_Sinks(t *testing.T) {
 	}
 }

+func TestLoadConfigFile_Bad_AutoAuth_Nosinks_Nocache_Notemplates(t *testing.T) {
+	_, err := LoadConfig("./test-fixtures/bad-config-auto_auth-nosinks-nocache-notemplates.hcl")
+	if err == nil {
+		t.Fatal("LoadConfig should return an error when auto_auth configured and there are no sinks, caches or templates")
+	}
+}
+
 func TestLoadConfigFile_Bad_AutoAuth_Both_Wrapping_Types(t *testing.T) {
 	_, err := LoadConfig("./test-fixtures/bad-config-method-wrapping-and-sink-wrapping.hcl")
 	if err == nil {
@@ -539,3 +546,98 @@ func TestLoadConfigFile_Template(t *testing.T) {
 		})
 	}
 }
+
+// TestLoadConfigFile_Template_NoSinks tests template definitions without sinks in Vault Agent
+func TestLoadConfigFile_Template_NoSinks(t *testing.T) {
+	testCases := map[string]struct {
+		fixturePath       string
+		expectedTemplates []*ctconfig.TemplateConfig
+	}{
+		"min": {
+			fixturePath: "./test-fixtures/config-template-min-nosink.hcl",
+			expectedTemplates: []*ctconfig.TemplateConfig{
+				&ctconfig.TemplateConfig{
+					Source:      pointerutil.StringPtr("/path/on/disk/to/template.ctmpl"),
+					Destination: pointerutil.StringPtr("/path/on/disk/where/template/will/render.txt"),
+				},
+			},
+		},
+		"full": {
+			fixturePath: "./test-fixtures/config-template-full-nosink.hcl",
+			expectedTemplates: []*ctconfig.TemplateConfig{
+				&ctconfig.TemplateConfig{
+					Backup:         pointerutil.BoolPtr(true),
+					Command:        pointerutil.StringPtr("restart service foo"),
+					CommandTimeout: pointerutil.TimeDurationPtr("60s"),
+					Contents:       pointerutil.StringPtr("{{ keyOrDefault \"service/redis/maxconns@east-aws\" \"5\" }}"),
+					CreateDestDirs: pointerutil.BoolPtr(true),
+					Destination:    pointerutil.StringPtr("/path/on/disk/where/template/will/render.txt"),
+					ErrMissingKey:  pointerutil.BoolPtr(true),
+					LeftDelim:      pointerutil.StringPtr("<<"),
+					Perms:          pointerutil.FileModePtr(0655),
+					RightDelim:     pointerutil.StringPtr(">>"),
+					SandboxPath:    pointerutil.StringPtr("/path/on/disk/where"),
+
+					Wait: &ctconfig.WaitConfig{
+						Min: pointerutil.TimeDurationPtr("10s"),
+						Max: pointerutil.TimeDurationPtr("40s"),
+					},
+				},
+			},
+		},
+		"many": {
+			fixturePath: "./test-fixtures/config-template-many-nosink.hcl",
+			expectedTemplates: []*ctconfig.TemplateConfig{
+				&ctconfig.TemplateConfig{
+					Source:         pointerutil.StringPtr("/path/on/disk/to/template.ctmpl"),
+					Destination:    pointerutil.StringPtr("/path/on/disk/where/template/will/render.txt"),
+					ErrMissingKey:  pointerutil.BoolPtr(false),
+					CreateDestDirs: pointerutil.BoolPtr(true),
+					Command:        pointerutil.StringPtr("restart service foo"),
+					Perms:          pointerutil.FileModePtr(0600),
+				},
+				&ctconfig.TemplateConfig{
+					Source:      pointerutil.StringPtr("/path/on/disk/to/template2.ctmpl"),
+					Destination: pointerutil.StringPtr("/path/on/disk/where/template/will/render2.txt"),
+					Backup:      pointerutil.BoolPtr(true),
+					Perms:       pointerutil.FileModePtr(0755),
+					Wait: &ctconfig.WaitConfig{
+						Min: pointerutil.TimeDurationPtr("2s"),
+						Max: pointerutil.TimeDurationPtr("10s"),
+					},
+				},
+			},
+		},
+	}
+
+	for name, tc := range testCases {
+		t.Run(name, func(t *testing.T) {
+			config, err := LoadConfig(tc.fixturePath)
+			if err != nil {
+				t.Fatalf("err: %s", err)
+			}
+
+			expected := &Config{
+				SharedConfig: &configutil.SharedConfig{
+					PidFile: "./pidfile",
+				},
+				AutoAuth: &AutoAuth{
+					Method: &Method{
+						Type:      "aws",
+						MountPath: "auth/aws",
+						Namespace: "my-namespace/",
+						Config: map[string]interface{}{
+							"role": "foobar",
+						},
+					},
+					Sinks: nil,
+				},
+				Templates: tc.expectedTemplates,
+			}
+
+			if diff := deep.Equal(config, expected); diff != nil {
+				t.Fatal(diff)
+			}
+		})
+	}
+}