Ardiea
commented
5 months ago As part of better undstanding this issue, the following:
TL;DR: Right now a vault agent acts as a proxy when started with vault agent but "some day soon" the proxy functionality will be removed from the agent and our two usages for vault at the moment (templating and proxying) will become divided. We will need to run vault twice on servers that need both sets of functionality 👎
I think the go-forward would be:
- Stop using vault-template and switch entirely to consul-template for our template needs.
- Convert all our current vault-agent installations into vault-proxy installations.
- Consul-template points to
vault-proxyexactly the same way it currently points tovault-agent, should be a transparent change from that perspective.
Evaluate what code changes are needed to adjust for the newly decouple vault agent and proxy changes introduced in 1.14 and the legacy agent utilization that will be deprecated by 1.17.
The Vault Agent supports two primary use cases: template and proxy. Templating involves using Vault Agent to abstract the Vault API calls from an application requiring secrets so the application can read the secrets from a file generated by Vault Agent. The Vault Agent also supports another use case, called [API proxying] (https://developer.hashicorp.com/vault/docs/agent/apiproxy). This use case supports requests that will ultimately be forwarded to Vault itself. Unlike the templating use case, there is no API abstraction, and clients must know how to use Vault’s APIs. We do, however, offer caching capabilities (currently limited to a small subset of requests) to reduce the load on Vault when requests are sent through the proxy this way. Vault 1.14 decouples these two modes so customers can run Vault Agent for templating or Vault Proxy. We plan to deprecate support for running in both modes by Vault 1.17. New features, such as static secret caching, are scheduled to be added to Vault Proxy in future releases.