From c6f5f1645f2794d4b088980da1031b53d97d3df6 Mon Sep 17 00:00:00 2001 From: nritholtz Date: Tue, 19 Jan 2021 13:36:57 -0500 Subject: [PATCH 1/2] Issue 1445 vaultdefaultlease --- cli.go | 10 ++++++ cli_test.go | 10 ++++++ config/config_test.go | 12 +++++++ config/vault.go | 19 +++++++++++ config/vault_test.go | 68 ++++++++++++++++++++++++++++++++++++++ dependency/vault_common.go | 2 +- manager/runner.go | 3 ++ 7 files changed, 123 insertions(+), 1 deletion(-) diff --git a/cli.go b/cli.go index 5bf00e6b0..7d634c613 100644 --- a/cli.go +++ b/cli.go @@ -543,6 +543,12 @@ func (cli *CLI) ParseFlags(args []string) ( return nil }), "vault-unwrap-token", "") + flags.Var((funcDurationVar)(func(d time.Duration) error { + c.Vault.DefaultLeaseDuration = config.TimeDuration(d) + return nil + }), "vault-default-lease-duration", "") + + flags.Var((funcVar)(func(s string) error { w, err := config.ParseWaitConfig(s) if err != nil { @@ -820,6 +826,10 @@ Options: Unwrap the provided Vault API token (see Vault documentation for more information on this feature) + -vault-default-lease-duration= + configures the default lease duration when not explicitly + set by vault + -wait= Sets the 'min(:max)' amount of time to wait before writing a template (and triggering a command) diff --git a/cli_test.go b/cli_test.go index 3e365accb..a9102630e 100644 --- a/cli_test.go +++ b/cli_test.go @@ -666,6 +666,16 @@ func TestCLI_ParseFlags(t *testing.T) { }, false, }, + { + "vault-default-lease-duration", + []string{"-vault-default-lease-duration", "60s"}, + &config.Config{ + Vault: &config.VaultConfig{ + DefaultLeaseDuration: config.TimeDuration(60 * time.Second), + }, + }, + false, + }, { "wait_min", []string{"-wait", "10s"}, diff --git a/config/config_test.go b/config/config_test.go index 70ea9f44d..ef8fd877f 100644 --- a/config/config_test.go +++ b/config/config_test.go 
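Review bot: The new `funcDurationVar` callback for `-vault-default-lease-duration` stores whatever duration was parsed, including `0` and negative values, and nothing else in this patch rejects such a value (Finalize only fills the nil case, Merge and the runner copy it through); the docs hunk describes this value as the sleep used before rechecking a secret that has no lease, so a non-positive setting would presumably turn that recheck into continuous polling of Vault. The callback already returns an error, so reject it at parse time: `if d <= 0 { return fmt.Errorf("vault-default-lease-duration must be positive, got %s", d) }` before the assignment. `ParseFlags` starts and ends outside this hunk, and whether cli.go already imports `fmt` is not visible here.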
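Review bot: The usage text for `-vault-default-lease-duration=` does not say what kind of value is expected, what it is used for, or what the default is, while the neighbouring entries are more explicit and write "Vault" with a capital. Suggest: `Duration (e.g. "60s", "5m") to assume as the lease of a Vault secret that is returned without one; it controls how soon the secret is re-fetched. Defaults to 5m.`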
@@ -1453,6 +1453,18 @@ func TestParse(t *testing.T) { }, false, }, + { + "vault_default_lease_duration", + `vault { + default_lease_duration = "60s" + }`, + &Config{ + Vault: &VaultConfig{ + DefaultLeaseDuration: TimeDuration(60 * time.Second), + }, + }, + false, + }, { "wait", `wait { diff --git a/config/vault.go b/config/vault.go index 5eb727c3a..7c590d679 100644 --- a/config/vault.go +++ b/config/vault.go @@ -27,6 +27,9 @@ const ( // DefaultVaultRetryMaxAttempts is the default maximum number of attempts to // retry before quitting. DefaultVaultRetryMaxAttempts = 5 + + // DefaultVaultLeaseDuration is the default lease duration in seconds. + DefaultVaultLeaseDuration = 5 * time.Minute ) // VaultConfig is the configuration for connecting to a vault server. @@ -67,6 +70,10 @@ type VaultConfig struct { // UnwrapToken unwraps the provided Vault token as a wrapped token. UnwrapToken *bool `mapstructure:"unwrap_token"` + + // DefaultLeaseDuration configures the default lease duration when not explicitly + // set by vault + DefaultLeaseDuration *time.Duration `mapstructure:"default_lease_duration"` } // DefaultVaultConfig returns a configuration that is populated with the @@ -117,6 +124,8 @@ func (c *VaultConfig) Copy() *VaultConfig { o.UnwrapToken = c.UnwrapToken + o.DefaultLeaseDuration = c.DefaultLeaseDuration + return &o } @@ -178,6 +187,10 @@ func (c *VaultConfig) Merge(o *VaultConfig) *VaultConfig { r.UnwrapToken = o.UnwrapToken } + if o.DefaultLeaseDuration != nil { + r.DefaultLeaseDuration = o.DefaultLeaseDuration + } + return r } @@ -275,6 +288,10 @@ func (c *VaultConfig) Finalize() { if c.Enabled == nil { c.Enabled = Bool(StringPresent(c.Address)) } + + if c.DefaultLeaseDuration == nil { + c.DefaultLeaseDuration = TimeDuration(DefaultVaultLeaseDuration) + } } // GoString defines the printable version of this struct. 
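Review bot: The doc comment on `DefaultVaultLeaseDuration` says "in seconds", but the constant is `5 * time.Minute`, a `time.Duration`, and the neighbouring `DefaultVaultRetryMaxAttempts` comment documents meaning rather than a unit. Suggest `// DefaultVaultLeaseDuration is the lease duration assumed for a Vault secret that is returned without one; it controls how soon such a secret is re-fetched.`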
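Review bot: The comment on the new `DefaultLeaseDuration` field is a fragment without a terminating period and says nothing about the nil case or the default, which a reader of this pointer-typed field needs. Suggest: `// DefaultLeaseDuration is the lease duration assumed for a Vault secret that Vault returns without one. When nil, Finalize sets it to DefaultVaultLeaseDuration (5m).` The `VaultConfig` struct begins before and ends after this hunk.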
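Review bot: `Finalize` substitutes `DefaultVaultLeaseDuration` only when the field is nil, so an explicit `0s` or negative duration from HCL or the CLI flag survives into the final config and is copied verbatim into `dep.VaultDefaultLeaseDuration` by the runner hunk; the docs hunk describes that value as the recheck sleep for lease-less secrets, so it would presumably cause continuous re-fetching. Finalize has no error return, so either fall back here — `if c.DefaultLeaseDuration == nil || *c.DefaultLeaseDuration <= 0 {` — or reject non-positive values where the flag and config are parsed. Finalize's body begins outside this hunk.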
@@ -294,6 +311,7 @@ func (c *VaultConfig) GoString() string { "VaultAgentTokenFile:%t, "+ "Transport:%#v, "+ "UnwrapToken:%s"+ + "DefaultLeaseDuration:%s, "+ "}", StringGoString(c.Address), BoolGoString(c.Enabled), @@ -305,5 +323,6 @@ func (c *VaultConfig) GoString() string { StringPresent(c.VaultAgentTokenFile), c.Transport, BoolGoString(c.UnwrapToken), + TimeDurationGoString(c.DefaultLeaseDuration), ) } diff --git a/config/vault_test.go b/config/vault_test.go index 575f923d2..80358fde3 100644 --- a/config/vault_test.go +++ b/config/vault_test.go @@ -37,6 +37,7 @@ func TestVaultConfig_Copy(t *testing.T) { }, UnwrapToken: Bool(true), VaultAgentTokenFile: String("/tmp/vault/agent/token"), + DefaultLeaseDuration: TimeDuration(5 * time.Minute), }, }, } @@ -300,6 +301,30 @@ func TestVaultConfig_Merge(t *testing.T) { &VaultConfig{Transport: &TransportConfig{DialKeepAlive: TimeDuration(10 * time.Second)}}, &VaultConfig{Transport: &TransportConfig{DialKeepAlive: TimeDuration(10 * time.Second)}}, }, + { + "default_lease_duration_overrides", + &VaultConfig{DefaultLeaseDuration: TimeDuration(5 * time.Minute)}, + &VaultConfig{DefaultLeaseDuration: TimeDuration(2 * time.Minute)}, + &VaultConfig{DefaultLeaseDuration: TimeDuration(2 * time.Minute)}, + }, + { + "default_lease_duration_empty_one", + &VaultConfig{DefaultLeaseDuration: TimeDuration(5 * time.Minute)}, + &VaultConfig{}, + &VaultConfig{DefaultLeaseDuration: TimeDuration(5 * time.Minute)}, + }, + { + "default_lease_duration_empty_two", + &VaultConfig{}, + &VaultConfig{DefaultLeaseDuration: TimeDuration(5 * time.Minute)}, + &VaultConfig{DefaultLeaseDuration: TimeDuration(5 * time.Minute)}, + }, + { + "default_lease_duration_same", + &VaultConfig{DefaultLeaseDuration: TimeDuration(5 * time.Minute)}, + &VaultConfig{DefaultLeaseDuration: TimeDuration(5 * time.Minute)}, + &VaultConfig{DefaultLeaseDuration: TimeDuration(5 * time.Minute)}, + }, } for i, tc := range cases { 
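Review bot: The format string in `GoString` now concatenates `"UnwrapToken:%s"+` directly with `"DefaultLeaseDuration:%s, "+` and then `"}"`: the pre-existing `UnwrapToken:%s` piece has no trailing separator because it used to be last, so the rendered config (logged at DEBUG as the "final config" in runner.go) will read `UnwrapToken:trueDefaultLeaseDuration:5m0s, }`. Change the two lines to `"UnwrapToken:%s, "+` and `"DefaultLeaseDuration:%s"+` so the new field is separated and the closing brace is not preceded by a stray comma. The GoString body starts and ends outside these hunks.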
@@ -354,6 +379,7 @@ func TestVaultConfig_Finalize(t *testing.T) { TLSHandshakeTimeout: TimeDuration(DefaultTLSHandshakeTimeout), }, UnwrapToken: Bool(DefaultVaultUnwrapToken), + DefaultLeaseDuration: TimeDuration(DefaultVaultLeaseDuration), }, }, { @@ -392,6 +418,7 @@ func TestVaultConfig_Finalize(t *testing.T) { TLSHandshakeTimeout: TimeDuration(DefaultTLSHandshakeTimeout), }, UnwrapToken: Bool(DefaultVaultUnwrapToken), + DefaultLeaseDuration: TimeDuration(DefaultVaultLeaseDuration), }, }, { @@ -430,6 +457,47 @@ func TestVaultConfig_Finalize(t *testing.T) { TLSHandshakeTimeout: TimeDuration(DefaultTLSHandshakeTimeout), }, UnwrapToken: Bool(DefaultVaultUnwrapToken), + DefaultLeaseDuration: TimeDuration(DefaultVaultLeaseDuration), + }, + }, + { + "with_default_lease_duration", + &VaultConfig{ + Address: String("address"), + DefaultLeaseDuration: TimeDuration(1 * time.Minute), + }, + &VaultConfig{ + Address: String("address"), + Enabled: Bool(true), + Namespace: String(""), + RenewToken: Bool(false), + Retry: &RetryConfig{ + Backoff: TimeDuration(DefaultRetryBackoff), + MaxBackoff: TimeDuration(DefaultRetryMaxBackoff), + Enabled: Bool(true), + Attempts: Int(DefaultRetryAttempts), + }, + SSL: &SSLConfig{ + CaCert: String(""), + CaPath: String(""), + Cert: String(""), + Enabled: Bool(true), + Key: String(""), + ServerName: String(""), + Verify: Bool(true), + }, + Token: String(""), + Transport: &TransportConfig{ + DialKeepAlive: TimeDuration(DefaultDialKeepAlive), + DialTimeout: TimeDuration(DefaultDialTimeout), + DisableKeepAlives: Bool(false), + IdleConnTimeout: TimeDuration(DefaultIdleConnTimeout), + MaxIdleConns: Int(DefaultMaxIdleConns), + MaxIdleConnsPerHost: Int(DefaultMaxIdleConnsPerHost), + TLSHandshakeTimeout: TimeDuration(DefaultTLSHandshakeTimeout), + }, + UnwrapToken: Bool(DefaultVaultUnwrapToken), + DefaultLeaseDuration: TimeDuration(1 * time.Minute), }, }, } 
diff --git a/dependency/vault_common.go b/dependency/vault_common.go index 2ef59a4a5..0b839315e 100644 --- a/dependency/vault_common.go +++ b/dependency/vault_common.go @@ -12,7 +12,7 @@ import ( var ( // VaultDefaultLeaseDuration is the default lease duration in seconds. - VaultDefaultLeaseDuration = 5 * time.Minute + VaultDefaultLeaseDuration time.Duration ) // Secret is the structure returned for every secret within Vault. diff --git a/manager/runner.go b/manager/runner.go index 7b0d6dbcd..fdc3d71b4 100644 --- a/manager/runner.go +++ b/manager/runner.go @@ -852,6 +852,9 @@ func (r *Runner) init() error { } log.Printf("[DEBUG] (runner) final config: %s", result) + //Set VaultDefaultLeaseDuration + dep.VaultDefaultLeaseDuration = config.TimeDurationVal(r.config.Vault.DefaultLeaseDuration) + // Create the clientset clients, err := newClientSet(r.config) if err != nil { From 6199f17fa19a5f46a593f9fd5b9f9589225c39c0 Mon Sep 17 00:00:00 2001 From: nritholtz Date: Tue, 25 May 2021 17:05:11 -0700 Subject: [PATCH 2/2] update docs in new location --- docs/configuration.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/configuration.md b/docs/configuration.md index b5de22b9f..a5ea56892 100644 --- a/docs/configuration.md +++ b/docs/configuration.md @@ -347,6 +347,12 @@ vault { # documentation for more information. unwrap_token = true + # The default lease duration Consul Template will use on a Vault secret that + # does not have a lease duration. This is used to calculate the sleep duration + # for rechecking a Vault secret value. This field is optional and will default to + # 5 minutes. + default_lease_duration = "60s" + # This option tells Consul Template to automatically renew the Vault token # given. If you are unfamiliar with Vault's architecture, Vault requires # tokens be renewed at some regular interval or they will be revoked. Consul
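Review bot: Replacing the initialiser with a bare `var VaultDefaultLeaseDuration time.Duration` leaves this exported package variable at zero until `Runner.init` assigns it, so any use of the `dependency` package that does not go through the runner (its own tests, or other programs importing it) now sees a 0 default where it previously saw 5m; since the docs hunk describes this value as the recheck sleep for lease-less secrets, that presumably means immediate re-polling of Vault. Keep the old value as the built-in fallback, `VaultDefaultLeaseDuration = 5 * time.Minute`, and let the runner override it; the comment should also drop "in seconds", as the type is a `time.Duration`. A mutable package-level setting written from another package is hard to reason about if more than one runner or a reload ever runs in the same process, so the comment should state who is expected to write it and when.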
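Review bot: The assignment `dep.VaultDefaultLeaseDuration = config.TimeDurationVal(r.config.Vault.DefaultLeaseDuration)` propagates whatever the config holds, including `0` or a negative duration when the user sets one explicitly, because `Finalize` only fills in the nil case; guard it with `if d := config.TimeDurationVal(r.config.Vault.DefaultLeaseDuration); d > 0 {` so an invalid setting is not pushed into the dependency package. The comment `//Set VaultDefaultLeaseDuration` needs a space after `//` and would be more useful explaining the ordering, e.g. `// Push the configured lease fallback into the dependency package before any clients or watchers are created.` `Runner.init` continues on both sides of this hunk.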