Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Issue #274: Avoid premature vault token renewals #314

Merged
merged 6 commits into from
Jun 29, 2017
Merged

Issue #274: Avoid premature vault token renewals #314

Changes from 1 commit
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
fe14d22
Issue #274: Avoid premature vault token renewals
pschultz Jun 27, 2017
a468e0a
address review feedback
pschultz Jun 29, 2017
7fec346
use godoc standard, clarify flow
pschultz Jun 29, 2017
49767dd
leverage sync.Once
pschultz Jun 29, 2017
c151ca2
remove redundant constant factor
pschultz Jun 29, 2017
f6e2463
avoid use of sync.Once
pschultz Jun 29, 2017
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
41 changes: 26 additions & 15 deletions cert/vault_source.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,9 +32,12 @@ type VaultSource struct {
mu sync.Mutex
vaultToken string // VAULT_TOKEN env var. Might be wrapped.
auth struct {
token string // actual token
expireTime time.Time // zero value if the token isn't renewable
renewIncrement int
token string // actual token
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

pls use the Go doc standard here:

// token is the actual token
token string

// expireTime is ...
expireTime time.Time
...

expireTime time.Time // zero value if the token isn't renewable

// The desired token lifetime after renewal, in seconds. This value is
// advisory and the Vault server may ignore or silently change it.
renewTTL int
}
}

Expand All @@ -59,8 +62,10 @@ func (s *VaultSource) client() (*api.Client, error) {
}

func (s *VaultSource) setAuth(c *api.Client) error {
firstCall := true
s.mu.Lock()

firstCall := true

defer func() {
c.SetToken(s.auth.token)
if firstCall {
Expand Down Expand Up @@ -102,13 +107,13 @@ var dropNotRenewableWarning bool
// checkRenewal checks if the Vault token can be renewed, and if so when it
// expires and how big the renewal increment should be.
func (s *VaultSource) checkRenewal(c *api.Client) {
response, err := c.Auth().Token().LookupSelf()
resp, err := c.Auth().Token().LookupSelf()
if err != nil {
log.Printf("[WARN] vault: lookup-self failed, token renewal is disabled: %s", err)
return
}

b, _ := json.Marshal(response.Data)
b, _ := json.Marshal(resp.Data)
var data struct {
CreationTTL int `json:"creation_ttl"`
ExpireTime time.Time `json:"expire_time"`
Expand All @@ -119,15 +124,21 @@ func (s *VaultSource) checkRenewal(c *api.Client) {
return
}

if data.Renewable {
s.auth.renewIncrement = data.CreationTTL
switch {
case data.Renewable:
s.auth.renewTTL = data.CreationTTL
s.auth.expireTime = data.ExpireTime
} else if !data.ExpireTime.IsZero() && !dropNotRenewableWarning {
ttl := time.Until(data.ExpireTime)
ttl = ttl / time.Second * time.Second // truncate to seconds
log.Printf("[WARN] vault: Token is not renewable and will expire %s from now (at %s)",
ttl, data.ExpireTime.Format(time.RFC3339))
case data.ExpireTime.IsZero():
// token doesn't expire
return
case dropNotRenewableWarning:
return
}

ttl := time.Until(data.ExpireTime)
ttl = ttl / time.Second * time.Second // truncate to seconds
log.Printf("[WARN] vault: Token is not renewable and will expire %s from now (at %s)",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The logging is the default case, right?

pls change the log msg to Token is not renewable and expires in %s from now at %s

ttl, data.ExpireTime.Format(time.RFC3339))
}

func (s *VaultSource) LoadClientCAs() (*x509.CertPool, error) {
Expand Down Expand Up @@ -225,12 +236,12 @@ func (s *VaultSource) renewToken(c *api.Client) error {
return nil
}

response, err := c.Auth().Token().RenewSelf(s.auth.renewIncrement)
resp, err := c.Auth().Token().RenewSelf(s.auth.renewTTL)
if err != nil {
return err
}

leaseDuration := time.Duration(response.Auth.LeaseDuration) * time.Second
leaseDuration := time.Duration(resp.Auth.LeaseDuration) * time.Second
s.auth.expireTime = time.Now().Add(leaseDuration)

return nil
Expand Down