-
Notifications
You must be signed in to change notification settings - Fork 32
/
Copy pathvault_renewal.go
146 lines (120 loc) · 5.07 KB
/
vault_renewal.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0
package main
import (
"context"
"fmt"
"log"
vault "github.com/hashicorp/vault/api"
)
// Once you've set the token for your Vault client, you will need to
// periodically renew it. Likewise, the database credentials lease will expire
// at some point and also needs to be renewed periodically.
//
// A function like this one should be run as a goroutine to avoid blocking.
// Production applications may also need to be more tolerant of failures and
// retry on errors rather than exiting.
//
// Additionally, enterprise Vault users should be aware that due to eventual
// consistency, the API may return unexpected errors when running Vault with
// performance standbys or performance replication, despite the client having
// a freshly renewed token. See the link below for several ways to mitigate
// this which are outside the scope of this code sample.
//
// ref: https://www.vaultproject.io/docs/enterprise/consistency#vault-1-7-mitigations
func (v *Vault) PeriodicallyRenewLeases(
ctx context.Context,
authToken *vault.Secret,
databaseCredentialsLease *vault.Secret,
databaseReconnectFunc func(ctx context.Context, credentials DatabaseCredentials) error,
) {
/* */ log.Println("renew / recreate secrets loop: begin")
defer log.Println("renew / recreate secrets loop: end")
currentAuthToken := authToken
currentDatabaseCredentialsLease := databaseCredentialsLease
for {
renewed, err := v.renewLeases(ctx, currentAuthToken, currentDatabaseCredentialsLease)
if err != nil {
log.Fatalf("renew error: %v", err) // simplified error handling
}
if renewed&exitRequested != 0 {
return
}
if renewed&expiringAuthToken != 0 {
log.Printf("auth token: can no longer be renewed; will log in again")
authToken, err := v.login(ctx)
if err != nil {
log.Fatalf("login authentication error: %v", err) // simplified error handling
}
currentAuthToken = authToken
}
if renewed&expiringDatabaseCredentialsLease != 0 {
log.Printf("database credentials: can no longer be renewed; will fetch new credentials & reconnect")
databaseCredentials, databaseCredentialsLease, err := v.GetDatabaseCredentials(ctx)
if err != nil {
log.Fatalf("database credentials error: %v", err) // simplified error handling
}
if err := databaseReconnectFunc(ctx, databaseCredentials); err != nil {
log.Fatalf("database connection error: %v", err) // simplified error handling
}
currentDatabaseCredentialsLease = databaseCredentialsLease
}
}
}
// renewResult is a bitmask which could contain one or more of the values below
type renewResult uint8
const (
renewError renewResult = 1 << iota
exitRequested
expiringAuthToken // will be revoked soon
expiringDatabaseCredentialsLease // will be revoked soon
)
// renewLeases is a blocking helper function that uses LifetimeWatcher
// instances to periodically renew the given secrets when they are close to
// their 'token_ttl' expiration times until one of the secrets is close to its
// 'token_max_ttl' lease expiration time.
func (v *Vault) renewLeases(ctx context.Context, authToken, databaseCredentialsLease *vault.Secret) (renewResult, error) {
/* */ log.Println("renew cycle: begin")
defer log.Println("renew cycle: end")
// auth token
authTokenWatcher, err := v.client.NewLifetimeWatcher(&vault.LifetimeWatcherInput{
Secret: authToken,
})
if err != nil {
return renewError, fmt.Errorf("unable to initialize auth token lifetime watcher: %w", err)
}
go authTokenWatcher.Start()
defer authTokenWatcher.Stop()
// database credentials
databaseCredentialsWatcher, err := v.client.NewLifetimeWatcher(&vault.LifetimeWatcherInput{
Secret: databaseCredentialsLease,
})
if err != nil {
return renewError, fmt.Errorf("unable to initialize database credentials lifetime watcher: %w", err)
}
go databaseCredentialsWatcher.Start()
defer databaseCredentialsWatcher.Stop()
// monitor events from both watchers
for {
select {
case <-ctx.Done():
return exitRequested, nil
// DoneCh will return if renewal fails, or if the remaining lease
// duration is under a built-in threshold and either renewing is not
// extending it or renewing is disabled. In both cases, the caller
// should attempt a re-read of the secret. Clients should check the
// return value of the channel to see if renewal was successful.
case err := <-authTokenWatcher.DoneCh():
// Leases created by a token get revoked when the token is revoked.
return expiringAuthToken | expiringDatabaseCredentialsLease, err
case err := <-databaseCredentialsWatcher.DoneCh():
return expiringDatabaseCredentialsLease, err
// RenewCh is a channel that receives a message when a successful
// renewal takes place and includes metadata about the renewal.
case info := <-authTokenWatcher.RenewCh():
log.Printf("auth token: successfully renewed; remaining duration: %ds", info.Secret.Auth.LeaseDuration)
case info := <-databaseCredentialsWatcher.RenewCh():
log.Printf("database credentials: successfully renewed; remaining lease duration: %ds", info.Secret.LeaseDuration)
}
}
}