Merge branch 'nritholtz-issue-1445-vaultdefaultlease'

Fixes #1445
hashicorp · May 26, 2021 · dc2df7f · dc2df7f
2 parents b19f433 + 6199f17
commit dc2df7f
Show file tree

Hide file tree

Showing 8 changed files with 129 additions and 1 deletion.
diff --git a/cli.go b/cli.go
@@ -543,6 +543,12 @@ func (cli *CLI) ParseFlags(args []string) (
 		return nil
 	}), "vault-unwrap-token", "")
 
+	flags.Var((funcDurationVar)(func(d time.Duration) error {
+		c.Vault.DefaultLeaseDuration = config.TimeDuration(d)
+		return nil
+	}), "vault-default-lease-duration", "")
+
+
 	flags.Var((funcVar)(func(s string) error {
 		w, err := config.ParseWaitConfig(s)
 		if err != nil {
@@ -820,6 +826,10 @@ Options:
       Unwrap the provided Vault API token (see Vault documentation for more
       information on this feature)
 
+  -vault-default-lease-duration=<duration>
+	  configures the default lease duration when not explicitly
+	  set by vault
+
   -wait=<duration>
       Sets the 'min(:max)' amount of time to wait before writing a template (and
       triggering a command)

diff --git a/cli_test.go b/cli_test.go
@@ -666,6 +666,16 @@ func TestCLI_ParseFlags(t *testing.T) {
 			},
 			false,
 		},
+		{
+			"vault-default-lease-duration",
+			[]string{"-vault-default-lease-duration", "60s"},
+			&config.Config{
+				Vault: &config.VaultConfig{
+					DefaultLeaseDuration: config.TimeDuration(60 * time.Second),
+				},
+			},
+			false,
+		},
 		{
 			"wait_min",
 			[]string{"-wait", "10s"},

diff --git a/config/config_test.go b/config/config_test.go
@@ -1453,6 +1453,18 @@ func TestParse(t *testing.T) {
 			},
 			false,
 		},
+		{
+			"vault_default_lease_duration",
+			`vault {
+				default_lease_duration = "60s"
+			}`,
+			&Config{
+				Vault: &VaultConfig{
+					DefaultLeaseDuration: TimeDuration(60 * time.Second),
+				},
+			},
+			false,
+		},
 		{
 			"wait",
 			`wait {

diff --git a/config/vault.go b/config/vault.go
@@ -27,6 +27,9 @@ const (
 	// DefaultVaultRetryMaxAttempts is the default maximum number of attempts to
 	// retry before quitting.
 	DefaultVaultRetryMaxAttempts = 5
+
+	// DefaultVaultLeaseDuration is the default lease duration in seconds.
+	DefaultVaultLeaseDuration = 5 * time.Minute
 )
 
 // VaultConfig is the configuration for connecting to a vault server.
@@ -67,6 +70,10 @@ type VaultConfig struct {
 
 	// UnwrapToken unwraps the provided Vault token as a wrapped token.
 	UnwrapToken *bool `mapstructure:"unwrap_token"`
+
+	// DefaultLeaseDuration configures the default lease duration when not explicitly
+	// set by vault
+	DefaultLeaseDuration *time.Duration `mapstructure:"default_lease_duration"`
 }
 
 // DefaultVaultConfig returns a configuration that is populated with the
@@ -117,6 +124,8 @@ func (c *VaultConfig) Copy() *VaultConfig {
 
 	o.UnwrapToken = c.UnwrapToken
 
+	o.DefaultLeaseDuration = c.DefaultLeaseDuration
+
 	return &o
 }
 
@@ -178,6 +187,10 @@ func (c *VaultConfig) Merge(o *VaultConfig) *VaultConfig {
 		r.UnwrapToken = o.UnwrapToken
 	}
 
+	if o.DefaultLeaseDuration != nil {
+		r.DefaultLeaseDuration = o.DefaultLeaseDuration
+	}
+
 	return r
 }
 
@@ -275,6 +288,10 @@ func (c *VaultConfig) Finalize() {
 	if c.Enabled == nil {
 		c.Enabled = Bool(StringPresent(c.Address))
 	}
+
+	if c.DefaultLeaseDuration == nil {
+		c.DefaultLeaseDuration = TimeDuration(DefaultVaultLeaseDuration)
+	}
 }
 
 // GoString defines the printable version of this struct.
@@ -294,6 +311,7 @@ func (c *VaultConfig) GoString() string {
 		"VaultAgentTokenFile:%t, "+
 		"Transport:%#v, "+
 		"UnwrapToken:%s"+
+		"DefaultLeaseDuration:%s, "+
 		"}",
 		StringGoString(c.Address),
 		BoolGoString(c.Enabled),
@@ -305,5 +323,6 @@ func (c *VaultConfig) GoString() string {
 		StringPresent(c.VaultAgentTokenFile),
 		c.Transport,
 		BoolGoString(c.UnwrapToken),
+		TimeDurationGoString(c.DefaultLeaseDuration),
 	)
 }
diff --git a/config/vault_test.go b/config/vault_test.go
@@ -37,6 +37,7 @@ func TestVaultConfig_Copy(t *testing.T) {
 				},
 				UnwrapToken:         Bool(true),
 				VaultAgentTokenFile: String("/tmp/vault/agent/token"),
+				DefaultLeaseDuration: TimeDuration(5 * time.Minute),
 			},
 		},
 	}
@@ -300,6 +301,30 @@ func TestVaultConfig_Merge(t *testing.T) {
 			&VaultConfig{Transport: &TransportConfig{DialKeepAlive: TimeDuration(10 * time.Second)}},
 			&VaultConfig{Transport: &TransportConfig{DialKeepAlive: TimeDuration(10 * time.Second)}},
 		},
+		{
+			"default_lease_duration_overrides",
+			&VaultConfig{DefaultLeaseDuration: TimeDuration(5 * time.Minute)},
+			&VaultConfig{DefaultLeaseDuration: TimeDuration(2 * time.Minute)},
+			&VaultConfig{DefaultLeaseDuration: TimeDuration(2 * time.Minute)},
+		},
+		{
+			"default_lease_duration_empty_one",
+			&VaultConfig{DefaultLeaseDuration: TimeDuration(5 * time.Minute)},
+			&VaultConfig{},
+			&VaultConfig{DefaultLeaseDuration: TimeDuration(5 * time.Minute)},
+		},
+		{
+			"default_lease_duration_empty_two",
+			&VaultConfig{},
+			&VaultConfig{DefaultLeaseDuration: TimeDuration(5 * time.Minute)},
+			&VaultConfig{DefaultLeaseDuration: TimeDuration(5 * time.Minute)},
+		},
+		{
+			"default_lease_duration_same",
+			&VaultConfig{DefaultLeaseDuration: TimeDuration(5 * time.Minute)},
+			&VaultConfig{DefaultLeaseDuration: TimeDuration(5 * time.Minute)},
+			&VaultConfig{DefaultLeaseDuration: TimeDuration(5 * time.Minute)},
+		},
 	}
 
 	for i, tc := range cases {
@@ -354,6 +379,7 @@ func TestVaultConfig_Finalize(t *testing.T) {
 					TLSHandshakeTimeout: TimeDuration(DefaultTLSHandshakeTimeout),
 				},
 				UnwrapToken: Bool(DefaultVaultUnwrapToken),
+				DefaultLeaseDuration: TimeDuration(DefaultVaultLeaseDuration),
 			},
 		},
 		{
@@ -392,6 +418,7 @@ func TestVaultConfig_Finalize(t *testing.T) {
 					TLSHandshakeTimeout: TimeDuration(DefaultTLSHandshakeTimeout),
 				},
 				UnwrapToken: Bool(DefaultVaultUnwrapToken),
+				DefaultLeaseDuration: TimeDuration(DefaultVaultLeaseDuration),
 			},
 		},
 		{
@@ -430,6 +457,47 @@ func TestVaultConfig_Finalize(t *testing.T) {
 					TLSHandshakeTimeout: TimeDuration(DefaultTLSHandshakeTimeout),
 				},
 				UnwrapToken: Bool(DefaultVaultUnwrapToken),
+				DefaultLeaseDuration: TimeDuration(DefaultVaultLeaseDuration),
+			},
+		},
+		{
+			"with_default_lease_duration",
+			&VaultConfig{
+				Address: String("address"),
+				DefaultLeaseDuration: TimeDuration(1 * time.Minute),
+			},
+			&VaultConfig{
+				Address:    String("address"),
+				Enabled:    Bool(true),
+				Namespace:  String(""),
+				RenewToken: Bool(false),
+				Retry: &RetryConfig{
+					Backoff:    TimeDuration(DefaultRetryBackoff),
+					MaxBackoff: TimeDuration(DefaultRetryMaxBackoff),
+					Enabled:    Bool(true),
+					Attempts:   Int(DefaultRetryAttempts),
+				},
+				SSL: &SSLConfig{
+					CaCert:     String(""),
+					CaPath:     String(""),
+					Cert:       String(""),
+					Enabled:    Bool(true),
+					Key:        String(""),
+					ServerName: String(""),
+					Verify:     Bool(true),
+				},
+				Token: String(""),
+				Transport: &TransportConfig{
+					DialKeepAlive:       TimeDuration(DefaultDialKeepAlive),
+					DialTimeout:         TimeDuration(DefaultDialTimeout),
+					DisableKeepAlives:   Bool(false),
+					IdleConnTimeout:     TimeDuration(DefaultIdleConnTimeout),
+					MaxIdleConns:        Int(DefaultMaxIdleConns),
+					MaxIdleConnsPerHost: Int(DefaultMaxIdleConnsPerHost),
+					TLSHandshakeTimeout: TimeDuration(DefaultTLSHandshakeTimeout),
+				},
+				UnwrapToken: Bool(DefaultVaultUnwrapToken),
+				DefaultLeaseDuration: TimeDuration(1 * time.Minute),
 			},
 		},
 	}

diff --git a/dependency/vault_common.go b/dependency/vault_common.go
@@ -12,7 +12,7 @@ import (
 
 var (
 	// VaultDefaultLeaseDuration is the default lease duration in seconds.
-	VaultDefaultLeaseDuration = 5 * time.Minute
+	VaultDefaultLeaseDuration time.Duration
 )
 
 // Secret is the structure returned for every secret within Vault.

diff --git a/docs/configuration.md b/docs/configuration.md
@@ -347,6 +347,12 @@ vault {
   # documentation for more information.
   unwrap_token = true
 
+  # The default lease duration Consul Template will use on a Vault secret that 
+  # does not have a lease duration. This is used to calculate the sleep duration
+  # for rechecking a Vault secret value. This field is optional and will default to
+  # 5 minutes.
+  default_lease_duration = "60s"
+
   # This option tells Consul Template to automatically renew the Vault token
   # given. If you are unfamiliar with Vault's architecture, Vault requires
   # tokens be renewed at some regular interval or they will be revoked. Consul

diff --git a/manager/runner.go b/manager/runner.go
@@ -852,6 +852,9 @@ func (r *Runner) init() error {
 	}
 	log.Printf("[DEBUG] (runner) final config: %s", result)
 
+	//Set VaultDefaultLeaseDuration
+	dep.VaultDefaultLeaseDuration = config.TimeDurationVal(r.config.Vault.DefaultLeaseDuration)
+
 	// Create the clientset
 	clients, err := newClientSet(r.config)
 	if err != nil {