diff --git a/docs/docs/operation/creds/vault.md b/docs/docs/operation/creds/vault.md index efa2acc5..441e6690 100644 --- a/docs/docs/operation/creds/vault.md +++ b/docs/docs/operation/creds/vault.md @@ -143,6 +143,17 @@ vault policy write concourse ./concourse-policy.hcl This configuration will allow Concourse to read all credentials under `/concourse`. This should match your configured path prefix. +### Enabling KV mount caching + +When Concourse looks up secrets in Vault, it needs to determine which KV mount version (v1 or v2) contains the secret. +By default, this information is fetched from Vault for each lookup. Enabling KV mount caching allows this information to be fetched once and reused for subsequent lookups, significantly reducing the number of Vault API calls. + +To enable KV mount caching, set the following environment variable on the `web` node: + +```properties +CONCOURSE_VAULT_ENABLE_KV_MOUNT_CACHE=true +``` + ## Authenticating with Vault There are many ways to authenticate with a Vault server. The `web` node can be configured with either a token or an diff --git a/docs/docs/vars.md b/docs/docs/vars.md index e3120137..64b1a829 100644 --- a/docs/docs/vars.md +++ b/docs/docs/vars.md @@ -417,7 +417,13 @@ used just like resource types. When retrying during authentication, start with this retry interval. The interval will increase exponentially until `auth_retry_max` is reached. - + + ??? info "**`enable_kv_mount_cache`**: [`boolean`](config-basics.md#boolean-schema)" + + By default, this feature is disabled. When disabled, Concourse queries Vault on every secret lookup to determine whether the secret resides in a KV version 1 or version 2 mount, as this affects how the secret is retrieved. + + When enabled, KV mount metadata is cached. This allows Concourse to fetch mount information once and reuse it for subsequent lookups, reducing the number of Vault API calls and improving performance. + === "Dummy" ??? warning "**`type`**: `dummy`"