Use Vault default grace #3360

Merged
merged 5 commits into from
Oct 12, 2017
2 changes: 2 additions & 0 deletions CHANGELOG.md
Expand Up @@ -38,6 +38,8 @@ BUG FIXES:
* driver/docker: Fix docker user specified syslogging [GH-3184]
* driver/docker: Fix issue where CPU usage statistics were artificially high
[GH-3229]
* client/template: Fix issue in which secrets would be renewed too aggressively
[GH-3360]

## 0.6.3 (September 11, 2017)
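Review bot: the entry added under BUG FIXES does not say that the default `vault_grace` itself changes. api/tasks.go in this change moves the nil default from `5 * time.Minute` to `15 * time.Second`, so every job that omits `vault_grace` gets different renewal behaviour after upgrade. Suggest stating the old and new default in the entry so operators who relied on the implicit 5m can set it explicitly.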

2 changes: 1 addition & 1 deletion api/jobs_test.go
Expand Up @@ -396,7 +396,7 @@ func TestJobs_Canonicalize(t *testing.T) {
LeftDelim: helper.StringToPtr("{{"),
RightDelim: helper.StringToPtr("}}"),
Envvars: helper.BoolToPtr(false),
VaultGrace: helper.TimeToPtr(5 * time.Minute),
VaultGrace: helper.TimeToPtr(15 * time.Second),
},
{
SourcePath: helper.StringToPtr(""),
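Review bot: the expected `VaultGrace: helper.TimeToPtr(15 * time.Second)` repeats the literal that `Canonicalize` assigns in api/tasks.go, so the two have to be edited in lockstep, as this change already shows. Suggest a named constant for the default in the api package, referenced from both the test and `Canonicalize`.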
2 changes: 1 addition & 1 deletion api/tasks.go
Expand Up @@ -485,7 +485,7 @@ func (tmpl *Template) Canonicalize() {
tmpl.Envvars = helper.BoolToPtr(false)
}
if tmpl.VaultGrace == nil {
tmpl.VaultGrace = helper.TimeToPtr(5 * time.Minute)
tmpl.VaultGrace = helper.TimeToPtr(15 * time.Second)
}
}
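Review bot: the `tmpl.VaultGrace == nil` branch now assigns a bare `15 * time.Second` with nothing explaining why that margin is safe. According to the template docs touched in this change, the grace is what makes the template request a new credential before Vault revokes the old one at expiry, so the default is now the whole window in which that re-read has to succeed. A comment recording the reasoning for 15s, and the trade-off against the previous 5m, would help the next person who tunes it.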


21 changes: 19 additions & 2 deletions vendor/github.com/hashicorp/consul-template/manager/runner.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

32 changes: 16 additions & 16 deletions vendor/vendor.json
Expand Up @@ -709,44 +709,44 @@
{
"checksumSHA1": "Nu2j1GusM7ZH0uYrGzqr1K7yH7I=",
"path": "github.com/hashicorp/consul-template/child",
"revision": "2ad07927ef7f87f3e513becb58b3fe6d2c3cbb7d",
"revisionTime": "2017-09-01T21:49:09Z"
"revision": "16b6f8c417d88c88e9b88af6235da2582397c709",
"revisionTime": "2017-10-03T21:31:50Z"
},
{
"checksumSHA1": "lemUzh6uQDMxuvTT/BREYdGcS0U=",
"checksumSHA1": "nkbwT6jsnaXDiXrJFjCge9W5ULo=",
"path": "github.com/hashicorp/consul-template/config",
"revision": "2ad07927ef7f87f3e513becb58b3fe6d2c3cbb7d",
"revisionTime": "2017-09-01T21:49:09Z"
"revision": "16b6f8c417d88c88e9b88af6235da2582397c709",
"revisionTime": "2017-10-03T21:31:50Z"
},
{
"checksumSHA1": "ki5mjKALz3JrAee3mYUNl8pFJnU=",
"path": "github.com/hashicorp/consul-template/dependency",
"revision": "2ad07927ef7f87f3e513becb58b3fe6d2c3cbb7d",
"revisionTime": "2017-09-01T21:49:09Z"
"revision": "16b6f8c417d88c88e9b88af6235da2582397c709",
"revisionTime": "2017-10-03T21:31:50Z"
},
{
"checksumSHA1": "ZuqKmrZAWgHbWGGt1e9RAMZ4wvs=",
"checksumSHA1": "yXXJXYYs/OPVJW2ErBiQVaLxSt0=",
"path": "github.com/hashicorp/consul-template/manager",
"revision": "2ad07927ef7f87f3e513becb58b3fe6d2c3cbb7d",
"revisionTime": "2017-09-01T21:49:09Z"
"revision": "16b6f8c417d88c88e9b88af6235da2582397c709",
"revisionTime": "2017-10-03T21:31:50Z"
},
{
"checksumSHA1": "YSEUV/9/k85XciRKu0cngxdjZLE=",
"path": "github.com/hashicorp/consul-template/signals",
"revision": "2ad07927ef7f87f3e513becb58b3fe6d2c3cbb7d",
"revisionTime": "2017-09-01T21:49:09Z"
"revision": "16b6f8c417d88c88e9b88af6235da2582397c709",
"revisionTime": "2017-10-03T21:31:50Z"
},
{
"checksumSHA1": "zSvJlNfZS3fCRlFaZ7r9Q+N17T8=",
"path": "github.com/hashicorp/consul-template/template",
"revision": "2ad07927ef7f87f3e513becb58b3fe6d2c3cbb7d",
"revisionTime": "2017-09-01T21:49:09Z"
"revision": "16b6f8c417d88c88e9b88af6235da2582397c709",
"revisionTime": "2017-10-03T21:31:50Z"
},
{
"checksumSHA1": "b4+Y+02pY2Y5620F9ALzKg8Zmdw=",
"path": "github.com/hashicorp/consul-template/watch",
"revision": "2ad07927ef7f87f3e513becb58b3fe6d2c3cbb7d",
"revisionTime": "2017-09-01T21:49:09Z"
"revision": "16b6f8c417d88c88e9b88af6235da2582397c709",
"revisionTime": "2017-10-03T21:31:50Z"
},
{
"checksumSHA1": "jfELEMRhiTcppZmRH+ZwtkVS5Uw=",
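Review bot: all seven consul-template packages move to revision `16b6f8c417d88c88e9b88af6235da2582397c709`, but `checksumSHA1` changes only for `config` and `manager`, and the only vendored file listed in this change is manager/runner.go, whose diff is not rendered on this page. Two things to confirm before merge: that the vendored `config` tree on disk matches its new checksum even though no file under it appears in the change, and that the 19 additions and 2 deletions in runner.go have been read, since that is the vendored code this change pulls in.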
21 changes: 13 additions & 8 deletions website/source/docs/job-specification/template.html.md
Expand Up @@ -94,14 +94,19 @@ README][ct]. Since Nomad v0.6.0, templates can be read as environment variables.
prevent a thundering herd problem where all task instances restart at the same
time.

- `vault_grace` `(string: "5m")` - Specifies the grace period between lease
renewal and secret re-acquisition. When renewing a secret, if the remaining
lease is less than or equal to the configured grace, the template will request
a new credential. This prevents Vault from revoking the secret at its
expiration and the task having a stale secret. If the grace is set to a value
that is higher than your default TTL or max TTL, the template will always read
a new secret. If the task defines several templates, the `vault_grace` will be
set to the lowest value across all the templates.
- `vault_grace` `(string: "5m")` - Specifies the grace period between lease
Contributor

isn't it 15m now?

Contributor Author

Nice catch

renewal and secret re-acquisition. When renewing a secret, if the remaining
lease is less than or equal to the configured grace, the template will request
a new credential. This prevents Vault from revoking the secret at its
expiration and the task having a stale secret.

If the grace is set to a value that is higher than your default TTL or max
TTL, the template will always read a new secret. **If secrets are being
renewed constantly, increase the `vault_grace`.**

If the task defines several templates, the `vault_grace` will be set to the
lowest value across all the templates.


## `template` Examples
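Review bot: the added `vault_grace` line still documents the default as `(string: "5m")`, while `Canonicalize` in api/tasks.go now sets `15 * time.Second`; it should read `"15s"`. The bold sentence also looks inverted: the sentence before it says a grace higher than the default or max TTL makes the template always read a new secret, so the remedy for constant renewal would be to decrease `vault_grace` (or raise the TTL), not increase it.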
