Token not renew after max-ttl reached #711
Comments
Let's sort things a bit first. You're talking about reaching max-ttl and re-login. Do I understand correctly that the login token has expired and that has revoked all associated leases? If so, we addressed that scenario with #698. Right now, the fix is only available in the current release candidate which you could test against (4.1.0-RC1), the GA release follows by next week.
That's a good question! I'm mixing in my head a little of all authentication kinds. Currently, I have no max-ttl on the kubernetes login. However, in my database secret, the role has a ttl of 1h and a max-ttl of 24h.
If the expiry isn't caused by the expiring login, I strongly recommend using a higher min-renewal timeout. It defaults to 10 seconds but that can become an issue if GC and latency are involved. As this ticket isn't actionable, I'm going to close it.
@mp911de I'm sorry, I don't understand your answer. Does it mean that the lib won't support any other expiration than the login one? So the lease expiration won't be supported?
Spring Vault considers a lease expired if the remaining lease time is below In your example above, 40 seconds were above the 10 second limit. But because the login token expired, the old version didn't re-request a new lease. The upcoming 4.1.0 GA release will address the re-acquisition of a new lease. |
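For anyone hitting the same symptom: the min-renewal timeout and the expiry threshold discussed in the comments above are properties of Spring Vault's SecretLeaseContainer, and a secret registered as rotating is re-requested once its lease can no longer be renewed. The following is an added example, not code from this issue or from the Spring Vault project itself. It assumes the Duration-based 2.x API, reuses the credentials path from the log line in the report, and the durations chosen are illustrative, not recommendations from the maintainers.

```java
import java.time.Duration;
import java.util.logging.Logger;

import org.springframework.vault.core.VaultOperations;
import org.springframework.vault.core.lease.SecretLeaseContainer;
import org.springframework.vault.core.lease.domain.RequestedSecret;
import org.springframework.vault.core.lease.event.SecretLeaseCreatedEvent;
import org.springframework.vault.core.lease.event.SecretLeaseExpiredEvent;

public class DatabaseLeaseConfig {

    private static final Logger LOG = Logger.getLogger(DatabaseLeaseConfig.class.getName());

    // Path taken from the "lease not found" log line in this issue.
    static final String CREDS_PATH = "database/dev/trace/mariadb/creds/certification-readwrite";

    static SecretLeaseContainer leaseContainer(VaultOperations vault) {

        SecretLeaseContainer container = new SecretLeaseContainer(vault);

        // Renew once the remaining lease time drops below this value instead of
        // the 10 s default; the extra headroom covers GC pauses and network latency
        // so a renewal is not attempted after Vault has already dropped the lease.
        container.setMinRenewal(Duration.ofSeconds(30));

        // Treat the lease as expired this long before Vault's own expiry and
        // rotate the secret proactively, rather than discovering the expiry
        // through a failed sys/leases/renew call.
        container.setExpiryThreshold(Duration.ofMinutes(1));

        // A rotating secret is re-requested when the lease can't be renewed any
        // further, e.g. once the database role's max_ttl (24h here) is reached.
        container.addRequestedSecret(RequestedSecret.rotating(CREDS_PATH));

        container.addLeaseListener(event -> {
            if (event instanceof SecretLeaseCreatedEvent) {
                // Fresh credentials are available: this is the point at which a
                // DataSource or connection pool should be rebuilt with them.
                LOG.info("new credentials obtained for " + event.getSource().getPath());
            } else if (event instanceof SecretLeaseExpiredEvent) {
                // The old user is about to disappear from the database; the
                // container requests a new lease because the secret is rotating.
                LOG.warning("lease expired for " + event.getSource().getPath());
            }
        });

        // Renewal failures (for example "lease not found") should reach
        // monitoring instead of being lost in the log.
        container.addErrorListener((event, cause) ->
                LOG.severe("lease operation failed for " + event.getSource().getPath()
                        + ": " + cause.getMessage()));

        return container;
    }
}
```

The container is an InitializingBean and a Lifecycle, so when it is declared as a Spring bean the context calls afterPropertiesSet() and start() for you; outside a Spring context call both yourself before expecting any events.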
Describe the bug
When max-ttl is reached within Vault, the token TTL is shortened (Vault indicates this with a warning of the kind: TTL of "50s" exceeded the effective max_ttl of "40s"; TTL value is capped accordingly).
After that, the app tries once more to renew the token using the "sys/leases/renew" path, but gets an error this time, as the lease has expired and has been deleted:
lease renewal failed: lease_id=database/dev/trace/mariadb/creds/certification-readwrite/lxWq6KOj9PO67KIn3PnCxTi8 error="lease not found"
On the Spring side, the stack trace is:
After that, nothing more happens. From what I've read in different issues and from the comment in the log, Spring Vault is supposed to log in again, but that's not what is happening in my case.
Sample
We are in a Kubernetes cluster with a Vault and our app deployed inside. The Kubernetes token was well renewed inside the pod.
The error is on MariaDB database credentials access: the lease has expired and the user is deleted from the database, so the app cannot access the database anymore.