Skip to content

Commit

Permalink
vault: renew token earlier
Browse files Browse the repository at this point in the history
This commit changes the Vault token renewal logic to renew
a token earlier than 10s before it expires. Now, if the token
has a TTL > than 1m (or 30s) the token is renewed 1m (or 30s)
before it expires.

This commit also adds a `context.Context` to the Vault authentication
function.

Signed-off-by: Andreas Auernhammer <[email protected]>
  • Loading branch information
aead committed Aug 22, 2024
1 parent 0d1464e commit a2d46c2
Show file tree
Hide file tree
Showing 2 changed files with 12 additions and 12 deletions.
22 changes: 11 additions & 11 deletions internal/keystore/vault/client.go
Original file line number Diff line number Diff line change
Expand Up @@ -70,7 +70,7 @@ func (c *client) CheckStatus(ctx context.Context, delay time.Duration) {
//
// To renew the auth. token see: client.RenewToken(...).
func (c *client) AuthenticateWithAppRole(login *AppRole) authFunc {
return func() (*vaultapi.Secret, error) {
return func(ctx context.Context) (*vaultapi.Secret, error) {
client := c.Client
switch {
case login.Namespace == "/": // Treat '/' as the root namespace
Expand All @@ -79,7 +79,7 @@ func (c *client) AuthenticateWithAppRole(login *AppRole) authFunc {
client = client.WithNamespace(login.Namespace)
}

secret, err := client.Logical().Write(path.Join("auth", login.Engine, "login"), map[string]interface{}{
secret, err := client.Logical().WriteWithContext(ctx, path.Join("auth", login.Engine, "login"), map[string]interface{}{
"role_id": login.ID,
"secret_id": login.Secret,
})
Expand All @@ -95,7 +95,7 @@ func (c *client) AuthenticateWithAppRole(login *AppRole) authFunc {
}

func (c *client) AuthenticateWithK8S(login *Kubernetes) authFunc {
return func() (*vaultapi.Secret, error) {
return func(ctx context.Context) (*vaultapi.Secret, error) {
client := c.Client
switch {
case login.Namespace == "/": // Treat '/' as the root namespace
Expand All @@ -104,7 +104,7 @@ func (c *client) AuthenticateWithK8S(login *Kubernetes) authFunc {
client = client.WithNamespace(login.Namespace)
}

secret, err := client.Logical().Write(path.Join("auth", login.Engine, "login"), map[string]interface{}{
secret, err := client.Logical().WriteWithContext(ctx, path.Join("auth", login.Engine, "login"), map[string]interface{}{
"role": login.Role,
"jwt": login.JWT,
})
Expand All @@ -124,7 +124,7 @@ func (c *client) AuthenticateWithK8S(login *Kubernetes) authFunc {
// It returns a secret with a Vault authentication token
// and its time-to-live (TTL) or an error explaining why
// the authentication attempt failed.
type authFunc func() (*vaultapi.Secret, error)
type authFunc func(context.Context) (*vaultapi.Secret, error)

// RenewToken tries to renew the Vault auth token periodically
// based on its TTL. If TTL is zero, RenewToken returns early
Expand Down Expand Up @@ -167,10 +167,10 @@ func (c *client) RenewToken(ctx context.Context, authenticate authFunc, secret *
continue
}

// We renew the token right before it expires.
renewIn := ttl
if renewIn > 10*time.Second {
renewIn = ttl - 10*time.Second
// We renew the token after 80% of its TTL has passed.
renewIn := 80 * (ttl / 100)
if renewIn < time.Second {
renewIn = time.Second
}

timer := time.NewTimer(renewIn)
Expand All @@ -192,10 +192,10 @@ func (c *client) RenewToken(ctx context.Context, authenticate authFunc, secret *
}
}
if secret == nil {
secret, _ = authenticate()
secret, _ = authenticate(ctx)
}
} else {
secret, _ = authenticate()
secret, _ = authenticate(ctx)
}

if secret != nil {
Expand Down
2 changes: 1 addition & 1 deletion internal/keystore/vault/vault.go
Original file line number Diff line number Diff line change
Expand Up @@ -131,7 +131,7 @@ func Connect(ctx context.Context, c *Config) (*Store, error) {
authenticate = client.AuthenticateWithK8S(c.K8S)
}

auth, err := authenticate()
auth, err := authenticate(ctx)
if err != nil {
return nil, err
}
Expand Down

0 comments on commit a2d46c2

Please sign in to comment.