From e6cc20d1e7f26c943b9f868c0cbb0ddebc1d044d Mon Sep 17 00:00:00 2001
From: Vishal Nayak
Date: Wed, 18 Apr 2018 13:09:55 -0400
Subject: [PATCH] phys/consul: Allow tuning of session ttl and lock wait time (#4352)
* phys/consul: allow tuning of session ttl and lock wait time
* use parseutil
* udpate docs
---
 physical/consul/consul.go | 35 ++++++++++++++++++-
 .../docs/configuration/storage/consul.html.md | 11 ++++++
 2 files changed, 45 insertions(+), 1 deletion(-)
diff --git a/physical/consul/consul.go b/physical/consul/consul.go
index 2df180aaaf10..9f0beb364183 100644
--- a/physical/consul/consul.go
+++ b/physical/consul/consul.go
@@ -99,6 +99,9 @@ type ConsulBackend struct {
 notifyActiveCh chan notifyEvent
 notifySealedCh chan notifyEvent
+
+ sessionTTL string
+ lockWaitTime time.Duration
 }
 // NewConsulBackend constructs a Consul backend using the given API client
@@ -168,7 +171,7 @@ func NewConsulBackend(conf map[string]string, logger log.Logger) (physical.Backe
 checkTimeout := defaultCheckTimeout
 checkTimeoutStr, ok := conf["check_timeout"]
 if ok {
- d, err := time.ParseDuration(checkTimeoutStr)
+ d, err := parseutil.ParseDurationSecond(checkTimeoutStr)
 if err != nil {
 return nil, err
 }
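Review bot: The two fields added to ConsulBackend in the first hunk have no comments, and their types differ (`sessionTTL string` next to `lockWaitTime time.Duration`) with no reason given. A short comment on each would help, for example `// sessionTTL is the TTL string passed as SessionTTL in the lock options` and `// lockWaitTime is passed as LockWaitTime in the lock options`. The struct begins above this hunk.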
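Review bot: The error path for `check_timeout` still returns `err` unwrapped, so a mistyped value produces a parse error that does not name the option. Wrapping it the way the new options in this commit do keeps the messages consistent: `return nil, errwrap.Wrapf("invalid check_timeout: {{err}}", err)`. Switching to `parseutil.ParseDurationSecond` also probably widens what the option accepts, since that helper is understood to treat a bare number as seconds, and the docs hunk does not mention this. NewConsulBackend continues outside the hunk, so any bounds check on the parsed value is not visible here.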
@@ -184,6 +187,32 @@ func NewConsulBackend(conf map[string]string, logger log.Logger) (physical.Backe
 }
 }
+ sessionTTL := api.DefaultLockSessionTTL
+ sessionTTLStr, ok := conf["session_ttl"]
+ if ok {
+ _, err := parseutil.ParseDurationSecond(sessionTTLStr)
+ if err != nil {
+ return nil, errwrap.Wrapf("invalid session_ttl: {{err}}", err)
+ }
+ sessionTTL = sessionTTLStr
+ if logger.IsDebug() {
+ logger.Debug("config session_ttl set", "session_ttl", sessionTTL)
+ }
+ }
+
+ lockWaitTime := api.DefaultLockWaitTime
+ lockWaitTimeRaw, ok := conf["lock_wait_time"]
+ if ok {
+ d, err := parseutil.ParseDurationSecond(lockWaitTimeRaw)
+ if err != nil {
+ return nil, errwrap.Wrapf("invalid lock_wait_time: {{err}}", err)
+ }
+ lockWaitTime = d
+ if logger.IsDebug() {
+ logger.Debug("config lock_wait_time set", "lock_wait_time", d)
+ }
+ }
+
 // Configure the client
 consulConf := api.DefaultConfig()
 // Set MaxIdleConnsPerHost to the number of processes used in expiration.Restore
@@ -263,6 +292,8 @@ func NewConsulBackend(conf map[string]string, logger log.Logger) (physical.Backe
 consistencyMode: consistencyMode,
 notifyActiveCh: make(chan notifyEvent),
 notifySealedCh: make(chan notifyEvent),
+ sessionTTL: sessionTTL,
+ lockWaitTime: lockWaitTime,
 }
 return c, nil
 }
@@ -466,6 +497,8 @@ func (c *ConsulBackend) LockWith(key, value string) (physical.Lock, error) {
 Value: []byte(value),
 SessionName: "Vault Lock",
 MonitorRetries: 5,
+ SessionTTL: c.sessionTTL,
+ LockWaitTime: c.lockWaitTime,
 }
 lock, err := c.client.LockOpts(opts)
 if err != nil {
diff --git a/website/source/docs/configuration/storage/consul.html.md b/website/source/docs/configuration/storage/consul.html.md
index 9e10687ac437..e95ad0d29928 100644
--- a/website/source/docs/configuration/storage/consul.html.md
+++ b/website/source/docs/configuration/storage/consul.html.md
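Review bot: `session_ttl` is validated with `parseutil.ParseDurationSecond`, but the parsed value is discarded and the raw string is stored (`sessionTTL = sessionTTLStr`) and later handed to the Consul lock options as `SessionTTL`. If that helper accepts forms that Consul's own duration parsing does not (a bare `15`, for instance), the value passes at startup and fails only when the lock is taken. Storing the normalised form avoids that: `d, err := parseutil.ParseDurationSecond(sessionTTLStr)` followed by `sessionTTL = d.String()`. Neither `session_ttl` nor `lock_wait_time` is checked for zero, negative or very large values, and a long TTL presumably keeps a dead node's session and the lock it holds alive for that long, so a sanity bound with a clear error would be worth adding. NewConsulBackend starts and ends outside this hunk.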
@@ -98,6 +98,16 @@ at Consul's service discovery layer. permission to read and write from the `path` in Consul's key-value store. This is **not** a Vault token. See the ACL section below for help. +- `session_ttl` `(string: "15s")` - Specifies the minimum allowed [session + TTL][consul-session-ttl]. Consul server has a lower limit of 10s on the + session TTL by default. The value of `session_ttl` here cannot be lesser than + 10s unless the `session_ttl_min` on the consul server's configuration has a + lesser value. + +- `lock_wait_time` `(string: "15s")` - Specifies the wait time before a lock + lock acquisition is made. This affects the minimum time it takes to cancel a + lock acquisition. + The following settings apply when communicating with Consul via an encrypted connection. You can read more about encrypting Consul connections on the [Consul encryption page][consul-encryption]. @@ -225,3 +235,4 @@ storage "consul" { [consul-consistency]: https://www.consul.io/api/index.html#consistency-modes "Consul Consistency Modes" [consul-encryption]: https://www.consul.io/docs/agent/encryption.html "Consul Encryption" [consul-translate-wan-addrs]: https://www.consul.io/docs/agent/options.html#translate_wan_addrs "Consul Configuration" +[consul-session-ttl]: https://www.consul.io/docs/agent/options.html#session_ttl_min "Consul Configuration"