Merge pull request #3360 from hashicorp/f-consul-template

Use Vault default grace
hashicorp · Oct 12, 2017 · b1e67a4 · b1e67a4
2 parents 980d833 + 5fdadc9
commit b1e67a4
Show file tree

Hide file tree

Showing 7 changed files with 54 additions and 30 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -38,6 +38,8 @@ BUG FIXES:
  * driver/docker: Fix docker user specified syslogging [GH-3184]
  * driver/docker: Fix issue where CPU usage statistics were artificially high
    [GH-3229]
+ * client/template: Fix issue in which secrets would be renewed too aggressively
+   [GH-3360]
 
 ## 0.6.3 (September 11, 2017)
 

diff --git a/api/jobs_test.go b/api/jobs_test.go
@@ -396,7 +396,7 @@ func TestJobs_Canonicalize(t *testing.T) {
 										LeftDelim:    helper.StringToPtr("{{"),
 										RightDelim:   helper.StringToPtr("}}"),
 										Envvars:      helper.BoolToPtr(false),
-										VaultGrace:   helper.TimeToPtr(5 * time.Minute),
+										VaultGrace:   helper.TimeToPtr(15 * time.Second),
 									},
 									{
 										SourcePath:   helper.StringToPtr(""),

diff --git a/api/tasks.go b/api/tasks.go
@@ -485,7 +485,7 @@ func (tmpl *Template) Canonicalize() {
 		tmpl.Envvars = helper.BoolToPtr(false)
 	}
 	if tmpl.VaultGrace == nil {
-		tmpl.VaultGrace = helper.TimeToPtr(5 * time.Minute)
+		tmpl.VaultGrace = helper.TimeToPtr(15 * time.Second)
 	}
 }
 

diff --git a/vendor/github.com/hashicorp/consul-template/config/vault.go b/vendor/github.com/hashicorp/consul-template/config/vault.go
diff --git a/vendor/github.com/hashicorp/consul-template/manager/runner.go b/vendor/github.com/hashicorp/consul-template/manager/runner.go
diff --git a/vendor/vendor.json b/vendor/vendor.json
@@ -709,44 +709,44 @@
 		{
 			"checksumSHA1": "Nu2j1GusM7ZH0uYrGzqr1K7yH7I=",
 			"path": "github.com/hashicorp/consul-template/child",
-			"revision": "2ad07927ef7f87f3e513becb58b3fe6d2c3cbb7d",
-			"revisionTime": "2017-09-01T21:49:09Z"
+			"revision": "16b6f8c417d88c88e9b88af6235da2582397c709",
+			"revisionTime": "2017-10-03T21:31:50Z"
 		},
 		{
-			"checksumSHA1": "lemUzh6uQDMxuvTT/BREYdGcS0U=",
+			"checksumSHA1": "nkbwT6jsnaXDiXrJFjCge9W5ULo=",
 			"path": "github.com/hashicorp/consul-template/config",
-			"revision": "2ad07927ef7f87f3e513becb58b3fe6d2c3cbb7d",
-			"revisionTime": "2017-09-01T21:49:09Z"
+			"revision": "16b6f8c417d88c88e9b88af6235da2582397c709",
+			"revisionTime": "2017-10-03T21:31:50Z"
 		},
 		{
 			"checksumSHA1": "ki5mjKALz3JrAee3mYUNl8pFJnU=",
 			"path": "github.com/hashicorp/consul-template/dependency",
-			"revision": "2ad07927ef7f87f3e513becb58b3fe6d2c3cbb7d",
-			"revisionTime": "2017-09-01T21:49:09Z"
+			"revision": "16b6f8c417d88c88e9b88af6235da2582397c709",
+			"revisionTime": "2017-10-03T21:31:50Z"
 		},
 		{
-			"checksumSHA1": "ZuqKmrZAWgHbWGGt1e9RAMZ4wvs=",
+			"checksumSHA1": "yXXJXYYs/OPVJW2ErBiQVaLxSt0=",
 			"path": "github.com/hashicorp/consul-template/manager",
-			"revision": "2ad07927ef7f87f3e513becb58b3fe6d2c3cbb7d",
-			"revisionTime": "2017-09-01T21:49:09Z"
+			"revision": "16b6f8c417d88c88e9b88af6235da2582397c709",
+			"revisionTime": "2017-10-03T21:31:50Z"
 		},
 		{
 			"checksumSHA1": "YSEUV/9/k85XciRKu0cngxdjZLE=",
 			"path": "github.com/hashicorp/consul-template/signals",
-			"revision": "2ad07927ef7f87f3e513becb58b3fe6d2c3cbb7d",
-			"revisionTime": "2017-09-01T21:49:09Z"
+			"revision": "16b6f8c417d88c88e9b88af6235da2582397c709",
+			"revisionTime": "2017-10-03T21:31:50Z"
 		},
 		{
 			"checksumSHA1": "zSvJlNfZS3fCRlFaZ7r9Q+N17T8=",
 			"path": "github.com/hashicorp/consul-template/template",
-			"revision": "2ad07927ef7f87f3e513becb58b3fe6d2c3cbb7d",
-			"revisionTime": "2017-09-01T21:49:09Z"
+			"revision": "16b6f8c417d88c88e9b88af6235da2582397c709",
+			"revisionTime": "2017-10-03T21:31:50Z"
 		},
 		{
 			"checksumSHA1": "b4+Y+02pY2Y5620F9ALzKg8Zmdw=",
 			"path": "github.com/hashicorp/consul-template/watch",
-			"revision": "2ad07927ef7f87f3e513becb58b3fe6d2c3cbb7d",
-			"revisionTime": "2017-09-01T21:49:09Z"
+			"revision": "16b6f8c417d88c88e9b88af6235da2582397c709",
+			"revisionTime": "2017-10-03T21:31:50Z"
 		},
 		{
 			"checksumSHA1": "jfELEMRhiTcppZmRH+ZwtkVS5Uw=",

diff --git a/website/source/docs/job-specification/template.html.md b/website/source/docs/job-specification/template.html.md
@@ -94,14 +94,19 @@ README][ct]. Since Nomad v0.6.0, templates can be read as environment variables.
   prevent a thundering herd problem where all task instances restart at the same
   time.
 
-- `vault_grace` `(string: "5m")` - Specifies the grace period between lease
-  renewal and secret re-acquisition. When renewing a secret, if the remaining
-  lease is less than or equal to the configured grace, the template will request
-  a new credential. This prevents Vault from revoking the secret at its
-  expiration and the task having a stale secret. If the grace is set to a value
-  that is higher than your default TTL or max TTL, the template will always read
-  a new secret. If the task defines several templates, the `vault_grace` will be
-  set to the lowest value across all the templates.
+-   `vault_grace` `(string: "5m")` - Specifies the grace period between lease
+    renewal and secret re-acquisition. When renewing a secret, if the remaining
+    lease is less than or equal to the configured grace, the template will request
+    a new credential. This prevents Vault from revoking the secret at its
+    expiration and the task having a stale secret.
+
+    If the grace is set to a value that is higher than your default TTL or max
+    TTL, the template will always read a new secret. **If secrets are being
+    renewed constantly, increase the `vault_grace`.**
+
+    If the task defines several templates, the `vault_grace` will be set to the
+    lowest value across all the templates.
+
 
 ## `template` Examples