Sanity check with Consul Watch

Hi all,

Could someone take a look at my issue please? I am fairly sure that I am missing something obvious here.

I have an EC2 box with two containers: a Vault and a Consul client container that are communicating in host network mode.
I am trying to use consul watch to set up a notification if a key (or a key prefix) changes, in order to kick off an Ansible pipeline to update passwords on some backends.

I am trying to make the basic example work with a KV version 2 store. I have created a kv/mystuff/foo key to use for the first eyeballing as a basic manual example.
My consul config looks like this:

    {
      "server": false,
      "leave_on_terminate": true,
      "retry_join": ["provider=aws tag_key=aws:cloudformation:stack-name tag_value=my-consul"],
      "bind_addr": "{{ GetInterfaceIP \"eth0\" }}",
      "enable_local_script_checks": true,
      "telemetry": {
        "dogstatsd_addr": "localhost:8125",
        "disable_hostname": true
      },
      "watches": [{
        "type": "key",
        "key": "kv/mystuff/foo",
        "handler": "/tmp/command.sh"
      }]
    }

The command.sh is a simple echo:

    #!/usr/bin/env sh
    echo "it was called"

The client itself is happy and working, unlike the watch.
It seems that, if I log in to Vault and change the kv/mystuff/foo, the consul watch does not detect any changes. Could someone do a sanity check please, if this should work?

Thanks,
Peter

Hi @Peter,

Consul Watches detect changes in Consul’s KV store, not Vault’s. You should see a change notification if you create and then modify the key path directly in Consul.

There are a number of GitHub issues requesting Vault add support for change notifications, for example https://github.com/hashicorp/vault/issues/3687. I’m not certain whether this functionality was ever added. You may want to ask this question over in the Vault category/forum where you may receive a better response.

Hope this helps.
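
Added example, not part of either post and not HashiCorp's code: a handler for the key watch above that reads the JSON Consul passes on stdin and acts only when the key's ModifyIndex has advanced. The payload fields follow Consul's documented key watch output; EXPECTED_KEY is the key from this thread, and STATE_FILE and the sample payload are assumptions made for the example.

```python
"""Handler for a Consul `key` watch; the watch payload arrives on stdin."""
import base64
import json
import sys

EXPECTED_KEY = "kv/mystuff/foo"                   # key from the watch config in this thread
STATE_FILE = "/var/lib/consul-watch/foo.index"    # assumed path for the last index handled

# Constructed sample of the JSON a key watch passes to its handler.
SAMPLE = json.dumps({"Key": "kv/mystuff/foo", "CreateIndex": 1793,
                     "ModifyIndex": 1793, "LockIndex": 0, "Flags": 0,
                     "Value": "aGV5", "Session": ""})

def parse_key_watch(payload):
    """Return (key, value_bytes, modify_index), or None if the key is absent."""
    doc = json.loads(payload)
    if doc is None:  # the payload is `null` while the key does not exist
        return None
    raw = doc.get("Value")
    value = base64.b64decode(raw) if raw else b""  # Value is base64-encoded
    return doc["Key"], value, int(doc["ModifyIndex"])

def decide(payload, last_index):
    """Return ('run' | 'skip', index to remember)."""
    parsed = parse_key_watch(payload)
    if parsed is None or parsed[0] != EXPECTED_KEY:
        return "skip", last_index
    # The handler also runs when the watch is first set up, so only act
    # when ModifyIndex has moved past the last one handled.
    if parsed[2] <= last_index:
        return "skip", last_index
    return "run", parsed[2]

def load_index(path=STATE_FILE):
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (FileNotFoundError, ValueError):
        return 0

if __name__ == "__main__":
    action, index = decide(sys.stdin.read(), load_index())
    if action == "run":
        with open(STATE_FILE, "w") as fh:
            fh.write(str(index))
        # Start the pipeline here. Log the index, never the decoded value.
        print(f"{EXPECTED_KEY} changed at ModifyIndex {index}")
```

The decoded value is returned to the caller but never printed, so a secret stored under the key does not end up in the agent's log output.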

Hi @blake,

Thanks for taking a look. I was hoping that through the Consul client, the Watch can eyeball the Consul backend. I have tried on the backend/consul-server directly, but no joy there either.
Thanks for linking the issue, by the look of it, I might indeed be trying to get something to work that is not complete yet.

Thanks,
Peter