Remove default Vault address (http://127.0.0.1:8200) for the url option and make it required #83

Closed
briantist opened this issue May 22, 2021 · 4 comments · Fixed by #176

@briantist
Collaborator

The default value for the url option is http://127.0.0.1:8200, which is meant to somewhat correspond to the "defaults" used by Vault CLI and the hvac library.

For several reasons, the default is unlikely to be correct for production uses (it doesn't use TLS, runs on localhost, etc.).

Instead, my observation in real world use cases is that people tend to forget to set a Vault address and then are confused about why it isn't working because they see the access denied, timed out, etc. error message but don't really notice that they aren't connecting to the correct Vault server.

As a result, I think the default does more harm than good.

I've also received feedback along the same lines (here's one example), and I'm tending to agree with the critics.

We also provide many ways of specifying the address:

So anyone who is using the default for its intended value has several other ways of not specifying it, including several that don't require modification of playbooks/tasks/templates.

Nonetheless, it would be a breaking change and would happen in the next major version.


Request for Feedback

If you have any opinion on this change either way, I invite you to provide it here!

SUMMARY
ISSUE TYPE
  • Feature Idea
COMPONENT NAME

hashi_vault.py

ADDITIONAL INFORMATION
@briantist briantist added the enhancement New feature or request label May 22, 2021
@briantist briantist added this to the v2.0.0 milestone May 22, 2021
@briantist briantist self-assigned this May 22, 2021
@briantist briantist pinned this issue May 22, 2021
@briantist
Collaborator Author

cc @Akasurde @elcomtik @pilou-

@pilou-

pilou- commented May 22, 2021

Remove default Vault address (http://127.0.0.1:8200) for the url option and make it required

👍
Would the option be considered as set when the VAULT_ADDR environment variable is set?

@briantist
Collaborator Author

Remove default Vault address (http://127.0.0.1:8200) for the url option and make it required

👍
Would the option be considered as set when the VAULT_ADDR environment variable is set?

@pilou-

Just as now, VAULT_ADDR or the stronger precedence ANSIBLE_HASHI_VAULT_ADDR environment variables could still be used.

None of the proactive ways of setting the value would be different by way of this change; only if the value is not specified in any way, is the default used now; this change would cause that case to be an error instead.
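
An added example, not part of the thread and not the collection's own code: a simplified model of the behaviour proposed above, where the address is resolved from the sources named in this issue and a missing value is an error instead of a silent fallback to http://127.0.0.1:8200. The function names are hypothetical, ranking the explicit `url` option above the environment variables is an assumption, and the sample addresses are constructed.

```python
import os

# Order taken from the discussion: ANSIBLE_HASHI_VAULT_ADDR outranks VAULT_ADDR.
# Ranking the explicit url option above both is an assumption of this sketch.
ENV_SOURCES = ("ANSIBLE_HASHI_VAULT_ADDR", "VAULT_ADDR")


class VaultAddressError(ValueError):
    """Raised when no source supplied a Vault address."""


def resolve_vault_url(option=None, environ=None):
    """Return (url, source); raise instead of defaulting to 127.0.0.1:8200."""
    environ = os.environ if environ is None else environ
    candidates = [("url option", option)]
    candidates += [(name, environ.get(name)) for name in ENV_SOURCES]
    for source, value in candidates:
        # Empty or whitespace-only values count as "not set".
        if value and value.strip():
            return value.strip(), source
    raise VaultAddressError(
        "no Vault address set: pass url or set one of " + ", ".join(ENV_SOURCES)
    )


def describe(option=None, environ=None):
    """One line naming the server and where its address came from."""
    try:
        url, source = resolve_vault_url(option, environ)
    except VaultAddressError as exc:
        return "ERROR: %s" % exc
    return "connecting to %s (from %s)" % (url, source)


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the issue.
    both = {
        "VAULT_ADDR": "https://vault-b.example.com:8200",
        "ANSIBLE_HASHI_VAULT_ADDR": "https://vault-a.example.com:8200",
    }
    print(describe(None, both))                                 # stronger env var wins
    print(describe("https://vault-c.example.com:8200", both))   # explicit option wins
    print(describe(None, {}))                                   # nothing set: error
```

Reporting the source next to the address makes it visible which server a task is actually talking to, which is the confusion the issue describes.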

@elcomtik

@briantist I totally agree with the proposal, it reflects all my needs.
