diff --git a/CHANGELOG.md b/CHANGELOG.md index 339a9f64c378..638252a84d4d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -38,6 +38,8 @@ BUG FIXES: * driver/docker: Fix docker user specified syslogging [GH-3184] * driver/docker: Fix issue where CPU usage statistics were artificially high [GH-3229] + * client/template: Fix issue in which secrets would be renewed too aggressively + [GH-3360] ## 0.6.3 (September 11, 2017) diff --git a/api/jobs_test.go b/api/jobs_test.go index b09fde60e932..6370ae2f1118 100644 --- a/api/jobs_test.go +++ b/api/jobs_test.go @@ -396,7 +396,7 @@ func TestJobs_Canonicalize(t *testing.T) { LeftDelim: helper.StringToPtr("{{"), RightDelim: helper.StringToPtr("}}"), Envvars: helper.BoolToPtr(false), - VaultGrace: helper.TimeToPtr(5 * time.Minute), + VaultGrace: helper.TimeToPtr(15 * time.Second), }, { SourcePath: helper.StringToPtr(""), diff --git a/api/tasks.go b/api/tasks.go index 3233c9963850..853df741826d 100644 --- a/api/tasks.go +++ b/api/tasks.go @@ -485,7 +485,7 @@ func (tmpl *Template) Canonicalize() { tmpl.Envvars = helper.BoolToPtr(false) } if tmpl.VaultGrace == nil { - tmpl.VaultGrace = helper.TimeToPtr(5 * time.Minute) + tmpl.VaultGrace = helper.TimeToPtr(15 * time.Second) } } diff --git a/vendor/github.com/hashicorp/consul-template/config/vault.go b/vendor/github.com/hashicorp/consul-template/config/vault.go index 6a051c0a41b7..c5c1b32f2cd0 100644 --- a/vendor/github.com/hashicorp/consul-template/config/vault.go +++ b/vendor/github.com/hashicorp/consul-template/config/vault.go 
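Review bot: The canonical default for `VaultGrace` drops from 5 minutes to 15 seconds in `Canonicalize`, but the `template` job-specification page edited later in this same diff still documents `vault_grace` `(string: "5m")`, so the published default no longer matches the code; that doc line should become `- \`vault_grace\` \`(string: "15s")\` - Specifies the grace period ...`. The vendored consul-template `DefaultVaultGrace` is moved to the same 15s so the two defaults stay aligned, but nothing in this hunk handles a caller-supplied zero or negative grace, which by the documented semantics ("remaining lease is less than or equal to the configured grace") would only re-read the secret after the lease has already lapsed — worth confirming that validation elsewhere rejects it, or noting the constraint in the field comment. A shorter grace also narrows the window in which a slow or unreachable Vault is tolerated before the task is left holding an expired credential, so a why-comment on the default such as `// 15s keeps short-TTL secrets from being re-read on every renewal [GH-3360]` would record the trade-off for the next person tuning it. Canonicalize's body begins outside the hunk; only the VaultGrace nil-check is visible here.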
@@ -9,9 +9,9 @@ import ( const ( // DefaultVaultGrace is the default grace period before which to read a new - // secret from Vault. If a lease is due to expire in 5 minutes, Consul + // secret from Vault. If a lease is due to expire in 15 seconds, Consul // Template will read a new secret at that time minus this value. - DefaultVaultGrace = 5 * time.Minute + DefaultVaultGrace = 15 * time.Second // DefaultVaultRenewToken is the default value for if the Vault token should // be renewed. diff --git a/vendor/github.com/hashicorp/consul-template/manager/runner.go b/vendor/github.com/hashicorp/consul-template/manager/runner.go index bb31b3138b56..f22f38f5e639 100644 --- a/vendor/github.com/hashicorp/consul-template/manager/runner.go +++ b/vendor/github.com/hashicorp/consul-template/manager/runner.go @@ -42,7 +42,8 @@ type Runner struct { dry, once bool // outStream and errStream are the io.Writer streams where the runner will - // write information. + // write information. These can be modified by calling SetOutStream and + // SetErrStream accordingly. // inStream is the ioReader where the runner will read information. outStream, errStream io.Writer @@ -951,7 +952,13 @@ func (r *Runner) allTemplatesRendered() bool { for _, tmpl := range r.templates { event, rendered := r.renderEvents[tmpl.ID()] - if !rendered || !event.DidRender { + if !rendered { + return false + } + + // The template might already exist on disk with the exact contents, but + // we still want to count that as "rendered" [GH-1000]. + if !event.DidRender && !event.WouldRender { return false } } 
@@ -1062,6 +1069,16 @@ func (r *Runner) deletePid() error { return nil } +// SetOutStream modifies runner output stream. Defaults to stdout. +func (r *Runner) SetOutStream(out io.Writer) { + r.outStream = out +} + +// SetErrStream modifies runner error stream. Defaults to stderr. +func (r *Runner) SetErrStream(err io.Writer) { + r.errStream = err +} + // spawnChildInput is used as input to spawn a child process. type spawnChildInput struct { Stdin io.Reader diff --git a/vendor/vendor.json b/vendor/vendor.json index f505fa15aa14..44a0f0159c1e 100644 --- a/vendor/vendor.json +++ b/vendor/vendor.json 
@@ -709,44 +709,44 @@ { "checksumSHA1": "Nu2j1GusM7ZH0uYrGzqr1K7yH7I=", "path": "github.com/hashicorp/consul-template/child", - "revision": "2ad07927ef7f87f3e513becb58b3fe6d2c3cbb7d", - "revisionTime": "2017-09-01T21:49:09Z" + "revision": "16b6f8c417d88c88e9b88af6235da2582397c709", + "revisionTime": "2017-10-03T21:31:50Z" }, { - "checksumSHA1": "lemUzh6uQDMxuvTT/BREYdGcS0U=", + "checksumSHA1": "nkbwT6jsnaXDiXrJFjCge9W5ULo=", "path": "github.com/hashicorp/consul-template/config", - "revision": "2ad07927ef7f87f3e513becb58b3fe6d2c3cbb7d", - "revisionTime": "2017-09-01T21:49:09Z" + "revision": "16b6f8c417d88c88e9b88af6235da2582397c709", + "revisionTime": "2017-10-03T21:31:50Z" }, { "checksumSHA1": "ki5mjKALz3JrAee3mYUNl8pFJnU=", "path": "github.com/hashicorp/consul-template/dependency", - "revision": "2ad07927ef7f87f3e513becb58b3fe6d2c3cbb7d", - "revisionTime": "2017-09-01T21:49:09Z" + "revision": "16b6f8c417d88c88e9b88af6235da2582397c709", + "revisionTime": "2017-10-03T21:31:50Z" }, { - "checksumSHA1": "ZuqKmrZAWgHbWGGt1e9RAMZ4wvs=", + "checksumSHA1": "yXXJXYYs/OPVJW2ErBiQVaLxSt0=", "path": "github.com/hashicorp/consul-template/manager", - "revision": "2ad07927ef7f87f3e513becb58b3fe6d2c3cbb7d", - "revisionTime": "2017-09-01T21:49:09Z" + "revision": "16b6f8c417d88c88e9b88af6235da2582397c709", + "revisionTime": "2017-10-03T21:31:50Z" }, { "checksumSHA1": "YSEUV/9/k85XciRKu0cngxdjZLE=", "path": "github.com/hashicorp/consul-template/signals", - "revision": "2ad07927ef7f87f3e513becb58b3fe6d2c3cbb7d", - "revisionTime": "2017-09-01T21:49:09Z" + "revision": "16b6f8c417d88c88e9b88af6235da2582397c709", + "revisionTime": "2017-10-03T21:31:50Z" }, { "checksumSHA1": "zSvJlNfZS3fCRlFaZ7r9Q+N17T8=", "path": "github.com/hashicorp/consul-template/template", - "revision": "2ad07927ef7f87f3e513becb58b3fe6d2c3cbb7d", - "revisionTime": "2017-09-01T21:49:09Z" + "revision": "16b6f8c417d88c88e9b88af6235da2582397c709", + "revisionTime": "2017-10-03T21:31:50Z" }, { "checksumSHA1": 
"b4+Y+02pY2Y5620F9ALzKg8Zmdw=", "path": "github.com/hashicorp/consul-template/watch", - "revision": "2ad07927ef7f87f3e513becb58b3fe6d2c3cbb7d", - "revisionTime": "2017-09-01T21:49:09Z" + "revision": "16b6f8c417d88c88e9b88af6235da2582397c709", + "revisionTime": "2017-10-03T21:31:50Z" }, { "checksumSHA1": "jfELEMRhiTcppZmRH+ZwtkVS5Uw=", diff --git a/website/source/docs/job-specification/template.html.md b/website/source/docs/job-specification/template.html.md index c9924a6f5909..02372379dc45 100644 --- a/website/source/docs/job-specification/template.html.md +++ b/website/source/docs/job-specification/template.html.md 
@@ -94,14 +94,19 @@ README][ct]. Since Nomad v0.6.0, templates can be read as environment variables. prevent a thundering herd problem where all task instances restart at the same time. -- `vault_grace` `(string: "5m")` - Specifies the grace period between lease - renewal and secret re-acquisition. When renewing a secret, if the remaining - lease is less than or equal to the configured grace, the template will request - a new credential. This prevents Vault from revoking the secret at its - expiration and the task having a stale secret. If the grace is set to a value - that is higher than your default TTL or max TTL, the template will always read - a new secret. If the task defines several templates, the `vault_grace` will be - set to the lowest value across all the templates. +- `vault_grace` `(string: "5m")` - Specifies the grace period between lease + renewal and secret re-acquisition. When renewing a secret, if the remaining + lease is less than or equal to the configured grace, the template will request + a new credential. This prevents Vault from revoking the secret at its + expiration and the task having a stale secret. + + If the grace is set to a value that is higher than your default TTL or max + TTL, the template will always read a new secret. **If secrets are being + renewed constantly, increase the `vault_grace`.** + + If the task defines several templates, the `vault_grace` will be set to the + lowest value across all the templates. + ## `template` Examples