From 081389efa36c2730005fbe7b63dc97ecda5f3515 Mon Sep 17 00:00:00 2001
From: Kevin Schoonover
Date: Thu, 1 Feb 2024 19:14:16 -0800
Subject: [PATCH 1/5] set certificate renewal threshold based on VaultLeaseRenewalThreshold
---
 dependency/vault_pki.go | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/dependency/vault_pki.go b/dependency/vault_pki.go
index 15d58e641..0f880713e 100644
--- a/dependency/vault_pki.go
+++ b/dependency/vault_pki.go
@@ -127,9 +127,12 @@ func goodFor(cert *x509.Certificate) (time.Duration, bool) {
 lifespanDur := end.Sub(start)
 r := rand.New(rand.NewSource(time.Now().UnixNano()))
 lifespanMilliseconds := lifespanDur.Milliseconds()
- // calculate the 'time the certificate should be rotated' by figuring out
- // 87-93% of the lifespan and adding it to the start
- rotationTime := start.Add(time.Millisecond * time.Duration(((lifespanMilliseconds*9)/10)+(lifespanMilliseconds*int64(r.Intn(6)-3))/100))
+ // calculate the 'time the certificate should be rotated' by figuring out -2%
+ // - 3% + VaultLeaseRenewalThreshold of the lifespan and adding it to the
+ // start
+ rotationTime := start.Add(time.Millisecond * time.Duration(
+ float64(lifespanMilliseconds)*VaultLeaseRenewalThreshold+float64(lifespanMilliseconds*(int64(r.Intn(6)-3)/100.0)),
+ ))

 // after we have the 'time the certificate should be rotated', figure out how
 // far it is from now to sleep
From e971ed0dde8c286601369c900161ca4db3a38969 Mon Sep 17 00:00:00 2001
From: Kevin Schoonover
Date: Fri, 19 Apr 2024 22:47:32 -0700
Subject: [PATCH 2/5] allow vault ttl to be configured by VaultLeaseRenewalThreshold
---
 dependency/vault_pki_test.go | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/dependency/vault_pki_test.go b/dependency/vault_pki_test.go
index 528d0960f..3c1eca21d 100644
--- a/dependency/vault_pki_test.go
+++ b/dependency/vault_pki_test.go
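Review bot: The jitter term of the new rotationTime expression is always zero: `int64(r.Intn(6)-3)/100.0` divides an int64 in -3..2 by 100 as integer division before the multiplication by lifespanMilliseconds, so every instance now rotates at exactly VaultLeaseRenewalThreshold of the lifespan and the random spread that kept renewals from lining up is gone. The removed line multiplied first; keeping that order in float form, `float64(lifespanMilliseconds)*VaultLeaseRenewalThreshold+float64(lifespanMilliseconds*int64(r.Intn(6)-3))/100.0,`, restores the -3%..+2% offset. The same pattern, `int64(4)/100.0`, is in the time.Sleep of the Test_VaultPKI_refetch hunk of patch 2, so that test waits only threshold×ttl rather than the longest time the certificate could be considered good once the jitter works again. Nothing in the hunk bounds VaultLeaseRenewalThreshold; unless it is validated where it is configured, a value close to or above 1 places rotationTime at or past the certificate's end once the positive jitter is applied, and the sleepFor <= 0 check further down only catches a rotation time already in the past. goodFor's body starts and ends outside the hunk.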
@@ -10,7 +10,6 @@ import (
 "crypto/x509"
 "crypto/x509/pkix"
 "errors"
- "fmt"
 "os"
 "strings"
 "testing"
@@ -20,6 +19,11 @@ import (
 "github.com/hashicorp/vault/api"
 )

+func init() {
+ VaultDefaultLeaseDuration = 0
+ VaultLeaseRenewalThreshold = .90
+}
+
 func Test_VaultPKI_uniqueID(t *testing.T) {
 d1, _ := NewVaultPKIQuery("pki/issue/example-dot-com", "/unique_1", nil)
 id1 := d1.String()
@@ -84,8 +88,7 @@ func Test_VaulkPKI_goodFor(t *testing.T) {
 ratio := dur.Seconds() / (NotAfter.Sub(NotBefore).Seconds())
 // allow for a .01 epsilon for floating point comparison to prevent flakey tests
- if ratio < .86 || ratio > .94 {
- fmt.Println(ratio)
+ if ratio < (VaultLeaseRenewalThreshold-.04) || ratio > (VaultLeaseRenewalThreshold+.04) {
 t.Errorf(
 "%v: should be between 87 and 93, but was %.2f. NotBefore: %s, NotAfter: %s",
 name,
@@ -242,7 +245,9 @@ func Test_VaultPKI_refetch(t *testing.T) {
 // forcefully wait the longest the certificate could be good force to ensure
 // goodFor will always return needs renewal
 <-d.sleepCh
- time.Sleep(time.Millisecond * time.Duration(((ttlDuration.Milliseconds()*9)/10)+(ttlDuration.Milliseconds()*int64(3)/100)))
+ time.Sleep(time.Millisecond * time.Duration(
+ float64(ttlDuration.Milliseconds())*VaultLeaseRenewalThreshold+float64(ttlDuration.Milliseconds()*(int64(4)/100.0)),
+ ))
 act3, rm, err := d.Fetch(clients, nil)
 if err != nil {
 t.Fatal(err)
From 610511fdeeb22b0f4e042d140288b5c5ada141d8 Mon Sep 17 00:00:00 2001
From: Kevin Schoonover
Date: Tue, 23 Apr 2024 22:48:34 -0700
Subject: [PATCH 3/5] fix lint
---
 dependency/vault_pki.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/dependency/vault_pki.go b/dependency/vault_pki.go
index 0f880713e..7103045f1 100644
--- a/dependency/vault_pki.go
+++ b/dependency/vault_pki.go
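Review bot: The new init() in the test file overwrites the package-level VaultDefaultLeaseDuration and VaultLeaseRenewalThreshold for every test in the package, and the later assertions in Test_VaulkPKI_goodFor and Test_VaultPKI_refetch depend on the .90 value without saying so. Either set the values inside the tests that need them (restoring the previous values with t.Cleanup) or add a comment such as `// the goodFor and refetch tests below assume a .90 threshold and no default lease duration` so the coupling is visible at the call sites. Whether other tests in the package read these globals is not visible from this hunk.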
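Review bot: The check in Test_VaulkPKI_goodFor now accepts a ratio within ±.04 of VaultLeaseRenewalThreshold, but the comment above it still says ".01 epsilon" and the t.Errorf message on the following lines still says "should be between 87 and 93", so a failure would report bounds that no longer apply. Suggest `// allow a .04 band around VaultLeaseRenewalThreshold for floating point comparison to prevent flakey tests` and `"%v: should be between %.2f and %.2f, but was %.2f. NotBefore: %s, NotAfter: %s",` with `VaultLeaseRenewalThreshold-.04, VaultLeaseRenewalThreshold+.04` inserted before name in the argument list. The Errorf argument list and the enclosing test continue outside the hunk.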
@@ -127,7 +127,7 @@ func goodFor(cert *x509.Certificate) (time.Duration, bool) {
 lifespanDur := end.Sub(start)
 r := rand.New(rand.NewSource(time.Now().UnixNano()))
 lifespanMilliseconds := lifespanDur.Milliseconds()
- // calculate the 'time the certificate should be rotated' by figuring out -2%
+ // calculate the 'time the certificate should be rotated' by figuring out -3%
 // - 3% + VaultLeaseRenewalThreshold of the lifespan and adding it to the
 // start
 rotationTime := start.Add(time.Millisecond * time.Duration(
@@ -136,7 +136,7 @@ func goodFor(cert *x509.Certificate) (time.Duration, bool) {

 // after we have the 'time the certificate should be rotated', figure out how
 // far it is from now to sleep
- sleepFor := time.Duration(rotationTime.Sub(now))
+ sleepFor := rotationTime.Sub(now)
 if sleepFor <= 0 {
 return 0, false
 }
From e5ff6ee6da0e16b8b8504d2ff1a0eda55ec5608e Mon Sep 17 00:00:00 2001
From: Kevin Schoonover
Date: Wed, 24 Apr 2024 22:48:41 -0700
Subject: [PATCH 4/5] Update vault_pki.go
---
 dependency/vault_pki.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dependency/vault_pki.go b/dependency/vault_pki.go
index 7103045f1..330e9e2ac 100644
--- a/dependency/vault_pki.go
+++ b/dependency/vault_pki.go
@@ -128,7 +128,7 @@ func goodFor(cert *x509.Certificate) (time.Duration, bool) {
 r := rand.New(rand.NewSource(time.Now().UnixNano()))
 lifespanMilliseconds := lifespanDur.Milliseconds()
 // calculate the 'time the certificate should be rotated' by figuring out -3%
- // - 3% + VaultLeaseRenewalThreshold of the lifespan and adding it to the
+ // - 2% + VaultLeaseRenewalThreshold of the lifespan and adding it to the
 // start
 rotationTime := start.Add(time.Millisecond * time.Duration(
 float64(lifespanMilliseconds)*VaultLeaseRenewalThreshold+float64(lifespanMilliseconds*(int64(r.Intn(6)-3)/100.0)),
From 9fc4507b52b044738981197abd9381a5614ee480 Mon Sep 17 00:00:00 2001
From: divyaac
Date: Fri, 26 Apr 2024 11:46:30 -0700
Subject: [PATCH 5/5] Change comment
---
 dependency/vault_pki.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dependency/vault_pki.go b/dependency/vault_pki.go
index 330e9e2ac..8bfdab311 100644
--- a/dependency/vault_pki.go
+++ b/dependency/vault_pki.go
@@ -128,7 +128,7 @@ func goodFor(cert *x509.Certificate) (time.Duration, bool) {
 r := rand.New(rand.NewSource(time.Now().UnixNano()))
 lifespanMilliseconds := lifespanDur.Milliseconds()
 // calculate the 'time the certificate should be rotated' by figuring out -3%
- // - 2% + VaultLeaseRenewalThreshold of the lifespan and adding it to the
+ // +3% + VaultLeaseRenewalThreshold of the lifespan and adding it to the
 // start
 rotationTime := start.Add(time.Millisecond * time.Duration(
 float64(lifespanMilliseconds)*VaultLeaseRenewalThreshold+float64(lifespanMilliseconds*(int64(r.Intn(6)-3)/100.0)),
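Review bot: The rewritten comment now says "-3% +3%", but `r.Intn(6)-3` in the rotationTime expression two lines below takes values -3..2, so the offset the code intends is -3% to +2% of the lifespan; patches 1, 3 and 4 each changed this figure without matching it to the code. Suggest replacing the three comment lines with one precise statement, e.g. `// rotate at VaultLeaseRenewalThreshold of the lifespan plus a random offset in [-3%, +2%] of the lifespan, measured from start`, so the next edit has a single number to keep in sync. goodFor starts and ends outside this hunk.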