The default value for the url option is http://127.0.0.1:8200, which is meant to somewhat correspond to the "defaults" used by Vault CLI and the hvac library.
For several reasons, the default is unlikely to be correct for production uses (it doesn't use TLS, runs on localhost, etc.).
Instead, my observation in real world use cases is that people tend to forget to set a Vault address and then are confused about why it isn't working because they see the access denied, timed out, etc. error message but don't really notice that they aren't connecting to the correct Vault server.
As a result, I think the default does more harm than good.
I've also received feedback along the same lines (here's one example), and I'm tending to agree with the critics.
We also provide many ways of specifying the address:
So anyone who is using the default for its intended value has several other ways of not specifying it, including several that don't require modification of playbooks/tasks/templates.
Nonetheless, it would be a breaking change and would happen in the next major version.
Request for Feedback
If you have any opinion on this change either way, I invite you to provide it here!
SUMMARY
ISSUE TYPE
Feature Idea
COMPONENT NAME
hashi_vault.py
ADDITIONAL INFORMATION
Just as now, VAULT_ADDR or the stronger precedence ANSIBLE_HASHI_VAULT_ADDR environment variables could still be used.
None of the proactive ways of setting the value would be different by way of this change; only if the value is not specified in any way, is the default used now; this change would cause that case to be an error instead.
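The behaviour change described above, as an added example that is not part of the original issue and is not the plugin's own code. The helper `resolve_vault_url`, the `VaultAddressError` class and the `legacy_default` switch are hypothetical names, and placing the explicit `url` option ahead of both environment variables is an assumption.

```python
import os
from urllib.parse import urlparse

# The default the issue proposes removing.
LEGACY_DEFAULT = "http://127.0.0.1:8200"


class VaultAddressError(ValueError):
    """No usable Vault address was supplied (hypothetical error type)."""


def resolve_vault_url(option_url=None, env=None, legacy_default=False):
    """Return (url, source) for the Vault address.

    Assumed order: explicit option, then ANSIBLE_HASHI_VAULT_ADDR,
    then VAULT_ADDR. With legacy_default=True the old silent fallback
    is reproduced; with False an unset address is an error.
    """
    env = os.environ if env is None else env
    candidates = [
        ("option", option_url),
        ("ANSIBLE_HASHI_VAULT_ADDR", env.get("ANSIBLE_HASHI_VAULT_ADDR")),
        ("VAULT_ADDR", env.get("VAULT_ADDR")),
    ]
    for source, value in candidates:
        if not value:  # None or empty string counts as unset
            continue
        parsed = urlparse(value)
        if parsed.scheme not in ("http", "https") or not parsed.hostname:
            raise VaultAddressError(f"{source} is not a valid Vault URL: {value!r}")
        return value, source
    if legacy_default:
        # Current behaviour: a forgotten address quietly targets localhost over plain HTTP.
        return LEGACY_DEFAULT, "default"
    # Proposed behaviour: fail early and name the settings that were checked.
    raise VaultAddressError(
        "no Vault address set: pass url, or set ANSIBLE_HASHI_VAULT_ADDR or VAULT_ADDR"
    )


if __name__ == "__main__":
    # Constructed sample environment with no address configured.
    print(resolve_vault_url(env={}, legacy_default=True))
    try:
        resolve_vault_url(env={})
    except VaultAddressError as exc:
        print("error:", exc)
```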