Vitess is unable to request a new Vault (approle) token after the initial token reaches max number of renewals.
On vttablet startup, Vitess is able to request a Vault token using the supplied approle role-id/secret-id combo. The token given has a lease TTL of 2hrs and max-lease TTL of 24h.
Currently, Vitess is unable to determine it has reached max renewal attempts, after which it should relogin against Vault and request a new token.
This currently causes it to not be able to fetch the vttablet-credentials at the set polling interval.
Reproduction Steps
Launch any vttablet that uses vault for the credentials-server
With VAULT_ROLEID and VAULT_SECRETID env variables passed.
Binary Version
vttablet --version
Version: 16.0.3 (Git revision a93cb55331d63eeb4a0dc6ed1b5f98429c350f04 branch 'heads/v16.0.3') built on Thu Sep 12 20:35:55 UTC 2024 by root@buildkitsandbox using go1.20.5 linux/amd64
@flopex this is something where it will be nice if you can propose a fix via PR. The maintainer team is not set up to debug and test vault authentication.
Operating System and Environment details
Log Fragments
vttablet log for token renewal fail: https://gist.github.com/flopex/33018e8ba15c7d11a8a8b7f12cfb2a32
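The failure mode reported in this issue, and the renew-or-relogin behaviour it asks for, as an added example that is not Vitess or Vault client code. `Token`, `fakeVault` and `Simulate` are hypothetical names; the simulation assumes a 1h polling interval and that a renewal near the end of a token's life is granted only up to the max TTL.

```go
package main

import (
	"fmt"
	"time"
)

// Token and fakeVault are constructed stand-ins (not the Vault or Vitess API);
// the 2h lease TTL and 24h max TTL used below are the values from the report.
type Token struct{ Issued, Expires time.Time }
type fakeVault struct {
	ttl, maxTTL time.Duration
	logins      int
}

func (v *fakeVault) Login(now time.Time) Token { // stands in for AppRole login
	v.logins++
	return Token{Issued: now, Expires: now.Add(v.ttl)}
}

func (v *fakeVault) Renew(t Token, now time.Time) (Token, error) {
	if !now.Before(t.Expires) {
		return t, fmt.Errorf("permission denied") // token already expired
	}
	t.Expires = now.Add(v.ttl)
	if hardStop := t.Issued.Add(v.maxTTL); t.Expires.After(hardStop) {
		t.Expires = hardStop // assumption: renewals are capped at the max TTL
	}
	return t, nil
}

// Simulate polls every poll for total; relogin enables the fallback to a fresh login.
func Simulate(total, poll time.Duration, relogin bool) (int, error) {
	v := &fakeVault{ttl: 2 * time.Hour, maxTTL: 24 * time.Hour}
	now := time.Unix(0, 0)
	tok := v.Login(now)
	for end := now.Add(total); now.Before(end); now = now.Add(poll) {
		nt, err := v.Renew(tok, now)
		if err == nil && (!relogin || nt.Expires.Sub(now) > poll) {
			tok = nt // lease still outlives the next poll
		} else if relogin {
			tok = v.Login(now) // renewal failed or lease was capped: log in again
		} else {
			return v.logins, err // renew-only client is stuck with a dead token
		}
	}
	return v.logins, nil
}

func main() { fmt.Println(Simulate(72*time.Hour, time.Hour, true)) }
```

With `relogin` set to false the simulation returns an error at the 24h mark, matching the reported symptom; with it set to true the client survives 72h by logging in again whenever the granted lease no longer covers the next poll.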