Configurable Vault default lease duration

[msessa]

We use vault-template to decrypt data using the transit backend which returns a non-renewable secret with lease_duration=0.

consul-template already detects changes in the source file (the encrypted data) and triggers decryption when needed, however it also performs a lot of unnecessary decryption operations because of the short default lease duration.

I believe this is the line where it's hardcoded:

consul-template/dependency/vault_common.go

Line 13 in 26d029a

VaultDefaultLeaseDuration = 5 * time.Minute

Would it be possible to parametrize VaultDefaultLeaseDuration at CLI or config level?

Thanks in advance.

[sethvargo]

Hi @msessa

Thank you for opening an issue. Could you please share your Consul Template configuration file and Vault setup?

[msessa]

Hi @sethvargo

Sure. here's the full list of steps to reproduce:

➜  docker run -d --name vaultdev -p 8200:8200 vault:0.8.3
2f8e5b61037149c8f13351d5a4cc315b92fdf4c9947dc5c61c505718403678ce
➜  docker logs vaultdev 2>&1 | grep Root
Root Token: 0c8360d5-813e-feee-c9f0-5d1230444c71
➜  export VAULT_TOKEN=0c8360d5-813e-feee-c9f0-5d1230444c71
➜  export VAULT_ADDR=http://127.0.0.1:8200
➜  vault mount transit
Successfully mounted 'transit' at 'transit'!
➜  vault write -f transit/keys/test
Success! Data written to: transit/keys/test
➜  vault write -f transit/encrypt/test plaintext="$(echo test data goes here | base64)"
Key       	Value
---       	-----
ciphertext	vault:v1:sdXnJN2VVBCBH+FAEoVVGp5tlan3NzP/KAcU43Hx2tedvHOHUO1TFiunXXBDi+JZ

➜  echo 'vault:v1:sdXnJN2VVBCBH+FAEoVVGp5tlan3NzP/KAcU43Hx2tedvHOHUO1TFiunXXBDi+JZ' > encrypted_file
➜  cat template.ctmpl
{{ $content := file "./encrypted_file" }}
{{ $data := printf "ciphertext=%s" $content }}
{{ with secret "transit/decrypt/test" $data }}
{{ .Data.plaintext | base64Decode }}
{{ end }}
➜  consul-template -vault-renew-token=false -log-level=trace -dry -template template.ctmpl:decrypted_file

Following is an extract from the log from the above command.

As you can see the decryption operation is performed repeatedly even when the source (./encrypted_file) is unchanged, for example the line:
2017/11/03 05:53:36.745612 [TRACE] vault.write(transit/decrypt/test -> c222c0a7): secret is not renewable, sleeping for 1m27.759213325s

That can put a considerable load on vault when dealing with a large number of encrypted files.

2017/11/03 05:53:36.612672 [INFO] consul-template v0.19.4.dev (d5f84cb)
2017/11/03 05:53:36.613094 [INFO] (runner) creating new runner (dry: true, once: false)
2017/11/03 05:53:36.616732 [DEBUG] (runner) final config: {"Consul":{"Address":"","Auth":{"Enabled":false,"Username":"","Password":""},"Retry":{"Attempts":12,"Backoff":250000000,"MaxBackoff":60000000000,"Enabled":true},"SSL":{"CaCert":"","CaPath":"","Cert":"","Enabled":false,"Key":"","ServerName":"","Verify":true},"Token":"","Transport":{"DialKeepAlive":30000000000,"DialTimeout":30000000000,"DisableKeepAlives":false,"IdleConnTimeout":90000000000,"MaxIdleConns":100,"MaxIdleConnsPerHost":9,"TLSHandshakeTimeout":10000000000}},"Dedup":{"Enabled":false,"MaxStale":2000000000,"Prefix":"consul-template/dedup/","TTL":15000000000},"Exec":{"Command":"","Enabled":false,"Env":{"Blacklist":[],"Custom":[],"Pristine":false,"Whitelist":[]},"KillSignal":2,"KillTimeout":30000000000,"ReloadSignal":null,"Splay":0,"Timeout":0},"KillSignal":2,"LogLevel":"trace","MaxStale":2000000000,"PidFile":"","ReloadSignal":1,"Syslog":{"Enabled":false,"Facility":"LOCAL0"},"Templates":[{"Backup":false,"Command":"","CommandTimeout":30000000000,"Env":[],"Contents":"","Destination":"decrypted_file","ErrMissingKey":false,"Exec":{"Command":"","Enabled":false,"Env":{"Blacklist":[],"Custom":[],"Pristine":false,"Whitelist":[]},"KillSignal":2,"KillTimeout":30000000000,"ReloadSignal":null,"Splay":0,"Timeout":30000000000},"Perms":420,"Source":"template.ctmpl","Wait":{"Enabled":false,"Min":0,"Max":0},"LeftDelim":"","RightDelim":""}],"Vault":{"Address":"http://127.0.0.1:8200","Enabled":true,"Grace":300000000000,"RenewToken":false,"Retry":{"Attempts":12,"Backoff":250000000,"MaxBackoff":60000000000,"Enabled":true},"SSL":{"CaCert":"","CaPath":"","Cert":"","Enabled":true,"Key":"","ServerName":"","Verify":true},"Transport":{"DialKeepAlive":30000000000,"DialTimeout":30000000000,"DisableKeepAlives":false,"IdleConnTimeout":90000000000,"MaxIdleConns":100,"MaxIdleConnsPerHost":9,"TLSHandshakeTimeout":10000000000},"UnwrapToken":false},"Wait":{"Enabled":false,"Min":0,"Max":0}}
2017/11/03 05:53:36.737125 [INFO] (runner) creating watcher
2017/11/03 05:53:36.737472 [INFO] (runner) starting
2017/11/03 05:53:36.737487 [DEBUG] (runner) running initial templates
2017/11/03 05:53:36.737491 [INFO] (runner) initiating run
2017/11/03 05:53:36.737520 [DEBUG] (runner) checking template d772b80722919b247fdb47c06fc58b37
2017/11/03 05:53:36.739745 [DEBUG] (runner) was not watching 2 dependencies
2017/11/03 05:53:36.739760 [DEBUG] (watcher) adding file(./encrypted_file)
2017/11/03 05:53:36.739763 [TRACE] (watcher) file(./encrypted_file) starting
2017/11/03 05:53:36.739771 [DEBUG] (watcher) adding vault.write(transit/decrypt/test -> 5dc441cc)
2017/11/03 05:53:36.739774 [TRACE] (watcher) vault.write(transit/decrypt/test -> 5dc441cc) starting
2017/11/03 05:53:36.739778 [DEBUG] (runner) diffing and updating dependencies
2017/11/03 05:53:36.739782 [DEBUG] (runner) watching 2 dependencies
2017/11/03 05:53:36.740291 [TRACE] (view) vault.write(transit/decrypt/test -> 5dc441cc) starting fetch
2017/11/03 05:53:36.740322 [TRACE] vault.write(transit/decrypt/test -> 5dc441cc): PUT /v1/transit/decrypt/test?stale=true&wait=1m0s
2017/11/03 05:53:36.740298 [TRACE] (view) file(./encrypted_file) starting fetch
2017/11/03 05:53:36.740337 [TRACE] file(./encrypted_file): READ ./encrypted_file
2017/11/03 05:53:36.740385 [TRACE] file(./encrypted_file): reported change
2017/11/03 05:53:36.740716 [TRACE] (view) file(./encrypted_file) marking successful data response
2017/11/03 05:53:36.740729 [TRACE] (view) file(./encrypted_file) successful contact, resetting retries
2017/11/03 05:53:36.740732 [TRACE] (view) file(./encrypted_file) received data
2017/11/03 05:53:36.740743 [TRACE] (view) file(./encrypted_file) starting fetch
2017/11/03 05:53:36.740746 [TRACE] file(./encrypted_file): READ ./encrypted_file
2017/11/03 05:53:36.740775 [DEBUG] (runner) receiving dependency file(./encrypted_file)
2017/11/03 05:53:36.740793 [INFO] (runner) initiating run
2017/11/03 05:53:36.740801 [DEBUG] (runner) checking template d772b80722919b247fdb47c06fc58b37
2017/11/03 05:53:36.741746 [DEBUG] (runner) was not watching 1 dependencies
2017/11/03 05:53:36.741767 [DEBUG] (watcher) adding vault.write(transit/decrypt/test -> c222c0a7)
2017/11/03 05:53:36.741785 [TRACE] (watcher) vault.write(transit/decrypt/test -> c222c0a7) starting
2017/11/03 05:53:36.741795 [DEBUG] (runner) diffing and updating dependencies
2017/11/03 05:53:36.741819 [DEBUG] (runner) file(./encrypted_file) is still needed
2017/11/03 05:53:36.741839 [DEBUG] (runner) vault.write(transit/decrypt/test -> 5dc441cc) is no longer needed
2017/11/03 05:53:36.741847 [DEBUG] (watcher) removing vault.write(transit/decrypt/test -> 5dc441cc)
2017/11/03 05:53:36.741854 [TRACE] (watcher) actually removing vault.write(transit/decrypt/test -> 5dc441cc)
2017/11/03 05:53:36.741875 [DEBUG] (runner) watching 2 dependencies
2017/11/03 05:53:36.741904 [TRACE] (view) vault.write(transit/decrypt/test -> c222c0a7) starting fetch
2017/11/03 05:53:36.741918 [TRACE] (view) vault.write(transit/decrypt/test -> 5dc441cc) stopping poll (received on view stopCh)
2017/11/03 05:53:36.741950 [TRACE] vault.write(transit/decrypt/test -> c222c0a7): PUT /v1/transit/decrypt/test?stale=true&wait=1m0s
2017/11/03 05:53:36.745560 [TRACE] (view) vault.write(transit/decrypt/test -> c222c0a7) marking successful data response
2017/11/03 05:53:36.745575 [TRACE] (view) vault.write(transit/decrypt/test -> c222c0a7) successful contact, resetting retries
2017/11/03 05:53:36.745582 [TRACE] (view) vault.write(transit/decrypt/test -> c222c0a7) received data
2017/11/03 05:53:36.745598 [TRACE] (view) vault.write(transit/decrypt/test -> c222c0a7) starting fetch
2017/11/03 05:53:36.745602 [DEBUG] (runner) receiving dependency vault.write(transit/decrypt/test -> c222c0a7)
2017/11/03 05:53:36.745612 [TRACE] vault.write(transit/decrypt/test -> c222c0a7): secret is not renewable, sleeping for 1m27.759213325s
2017/11/03 05:53:36.745616 [INFO] (runner) initiating run
2017/11/03 05:53:36.745626 [DEBUG] (runner) checking template d772b80722919b247fdb47c06fc58b37
2017/11/03 05:53:36.746039 [DEBUG] (runner) rendering "template.ctmpl" => "decrypted_file"
> decrypted_file



test data goes here


2017/11/03 05:53:36.746058 [INFO] (runner) rendered "template.ctmpl" => "decrypted_file"
2017/11/03 05:53:36.746061 [DEBUG] (runner) diffing and updating dependencies
2017/11/03 05:53:36.746064 [DEBUG] (runner) file(./encrypted_file) is still needed
2017/11/03 05:53:36.746067 [DEBUG] (runner) vault.write(transit/decrypt/test -> c222c0a7) is still needed
2017/11/03 05:53:36.746070 [DEBUG] (runner) watching 2 dependencies
2017/11/03 05:53:36.746072 [DEBUG] (runner) all templates rendered
2017/11/03 05:55:04.502982 [TRACE] vault.write(transit/decrypt/test -> c222c0a7): PUT /v1/transit/decrypt/test?index=1509688416&stale=true&wait=1m0s
2017/11/03 05:55:04.505765 [TRACE] (view) vault.write(transit/decrypt/test -> c222c0a7) marking successful data response
2017/11/03 05:55:04.505809 [TRACE] (view) vault.write(transit/decrypt/test -> c222c0a7) successful contact, resetting retries
2017/11/03 05:55:04.505822 [TRACE] (view) vault.write(transit/decrypt/test -> c222c0a7) received data
2017/11/03 05:55:04.505850 [TRACE] (view) vault.write(transit/decrypt/test -> c222c0a7) starting fetch
2017/11/03 05:55:04.505870 [TRACE] vault.write(transit/decrypt/test -> c222c0a7): secret is not renewable, sleeping for 1m8.4965748s
2017/11/03 05:55:04.505876 [DEBUG] (runner) receiving dependency vault.write(transit/decrypt/test -> c222c0a7)
2017/11/03 05:55:04.505897 [INFO] (runner) initiating run
2017/11/03 05:55:04.505910 [DEBUG] (runner) checking template d772b80722919b247fdb47c06fc58b37
2017/11/03 05:55:04.506330 [DEBUG] (runner) rendering "template.ctmpl" => "decrypted_file"
> decrypted_file



test data goes here


2017/11/03 05:55:04.506367 [INFO] (runner) rendered "template.ctmpl" => "decrypted_file"
2017/11/03 05:55:04.506371 [DEBUG] (runner) diffing and updating dependencies
2017/11/03 05:55:04.506377 [DEBUG] (runner) file(./encrypted_file) is still needed
2017/11/03 05:55:04.506382 [DEBUG] (runner) vault.write(transit/decrypt/test -> c222c0a7) is still needed
2017/11/03 05:55:04.506388 [DEBUG] (runner) watching 2 dependencies
2017/11/03 05:55:04.506392 [DEBUG] (runner) all templates rendered
2017/11/03 05:56:13.001315 [TRACE] vault.write(transit/decrypt/test -> c222c0a7): PUT /v1/transit/decrypt/test?index=1509688504&stale=true&wait=1m0s
2017/11/03 05:56:13.004116 [TRACE] (view) vault.write(transit/decrypt/test -> c222c0a7) marking successful data response
2017/11/03 05:56:13.004151 [TRACE] (view) vault.write(transit/decrypt/test -> c222c0a7) successful contact, resetting retries
2017/11/03 05:56:13.004160 [TRACE] (view) vault.write(transit/decrypt/test -> c222c0a7) received data
2017/11/03 05:56:13.004187 [TRACE] (view) vault.write(transit/decrypt/test -> c222c0a7) starting fetch
2017/11/03 05:56:13.004200 [TRACE] vault.write(transit/decrypt/test -> c222c0a7): secret is not renewable, sleeping for 1m9.313130734s
2017/11/03 05:56:13.004203 [DEBUG] (runner) receiving dependency vault.write(transit/decrypt/test -> c222c0a7)
2017/11/03 05:56:13.004239 [INFO] (runner) initiating run
2017/11/03 05:56:13.004245 [DEBUG] (runner) checking template d772b80722919b247fdb47c06fc58b37
2017/11/03 05:56:13.004672 [DEBUG] (runner) rendering "template.ctmpl" => "decrypted_file"
> decrypted_file



test data goes here


2017/11/03 05:56:13.004714 [INFO] (runner) rendered "template.ctmpl" => "decrypted_file"
2017/11/03 05:56:13.004718 [DEBUG] (runner) diffing and updating dependencies
2017/11/03 05:56:13.004725 [DEBUG] (runner) file(./encrypted_file) is still needed
2017/11/03 05:56:13.004730 [DEBUG] (runner) vault.write(transit/decrypt/test -> c222c0a7) is still needed
2017/11/03 05:56:13.004736 [DEBUG] (runner) watching 2 dependencies
2017/11/03 05:56:13.004740 [DEBUG] (runner) all templates rendered

[sethvargo]

Hmm I see. Consul Template wasn't really designed to work with the transit backend - more the dynamic secrets backends (like database) and the static secret (secret/). I'll take a look at this and see what we can do.

Also, you can set the initial root token via -dev-root-token-id or VAULT_DEV_ROOT_TOKEN_ID to a predictable value:

$  docker run -d --name vaultdev -p 8200:8200 vault:0.8.3 -dev-root-token-id="root"

[pearkes]

Given we haven't heard anything based on our suggestions/questions above I'm going to close this issue, but I encourage you to comment and we can re-open it if you want to pick this up again.

Alternatively, if things have changed dramatically, feel free to create a new issue or PR.