Vault CSI provider not making use of received token TTL #150
Comments
We are experiencing the same issue with a high number of new leases created due to the Vault CSI provider and would appreciate having this issue prioritized. Reducing the default TTL to 30 minutes has helped, but until this is addressed, we will not recommend the Vault CSI provider for further use.
Thanks for opening this with lots of details. It's still a work in progress, but I'd like to combine #163 and hashicorp/vault-helm#749 to address a lot of the pain points. I.e. the CSI provider's login logic will stay largely the same, but Vault Agent will be a caching intermediary between the CSI provider and Vault.
I have the same issue, running 1.2.0. Seems every 2 minutes the password gets rotated and there is a huge number of leases.
Same issue for us.
If anything, my current workaround is to use vault-secrets-operator.
Thanks for the reports and +1s all. #202 will cache Vault client tokens in-memory, which should fix this when combined with the Vault Agent sidecar that hashicorp/vault-helm#749 added for lease caching and renewals.
This problem is connected to secrets auto-rotation, but not only that; auto-rotation just makes it visible.
When enabled, this makes the CSI provider ask Vault about secrets every 2 minutes (by default; can be changed with the rotation-poll-interval parameter) to keep secrets in k8s in sync with Vault - pretty obvious.
The problem is that the Vault CSI provider is not respecting the token TTL (which in the standard config promoted by the docs is 768h - 32 days) and re-logins every 2 minutes, which can be seen in the Nginx ingress logs:
This results in a huge number of lease objects created in Vault - which are also kept in memory, I believe.
Auth method configuration:
Expected behaviour:
TTL should be respected and the CSI driver should not log in every rotation-poll-interval - received tokens should probably be cached and reused.
Tested on 0.4.0 and on 1.0.0 - same behaviour.
This issue is a result of a discussion from here
I will create a separate issue for the second topic - per pod secret sync.
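As an added illustration (not the provider's code and not the #202 implementation), the caching pattern the expected behaviour describes: keep the client token together with the TTL Vault returned and log in again only when the token is about to expire, so a 2-minute rotation poll no longer means a new lease every 2 minutes. The `LoginFunc` and the clock hook are assumptions so the behaviour can be driven offline.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// LoginFunc performs one Vault login and returns the client token plus the
// TTL Vault granted. Hypothetical: the real provider calls the Kubernetes auth
// method here; the test injects a fake so nothing talks to a live Vault.
type LoginFunc func() (token string, ttl time.Duration, err error)

// TokenCache reuses a Vault client token until it is close to expiry instead
// of logging in (and creating a lease) on every rotation-poll-interval.
type TokenCache struct {
	mu      sync.Mutex
	login   LoginFunc
	now     func() time.Time // clock hook, injectable for tests
	margin  time.Duration    // re-login this long before the TTL runs out
	token   string
	expires time.Time
	logins  int // how many real logins happened; what the issue complains about
}

func NewTokenCache(login LoginFunc, margin time.Duration, now func() time.Time) *TokenCache {
	return &TokenCache{login: login, margin: margin, now: now}
}

// Token returns the cached token while more than `margin` of its TTL remains;
// otherwise it logs in again and caches the new token with its TTL.
// A TTL shorter than the margin degrades to login-per-call, never to a stale token.
func (c *TokenCache) Token() (string, error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	if c.token != "" && c.now().Add(c.margin).Before(c.expires) {
		return c.token, nil
	}
	tok, ttl, err := c.login()
	if err != nil {
		return "", fmt.Errorf("vault login: %w", err) // keep the old state untouched
	}
	c.token, c.expires, c.logins = tok, c.now().Add(ttl), c.logins+1
	return tok, nil
}

// Logins reports how many logins the cache performed so far.
func (c *TokenCache) Logins() int { c.mu.Lock(); defer c.mu.Unlock(); return c.logins }
```

With a 60m TTL, a 4m margin and a 2m poll, 300 polls (10 hours) cost 11 logins instead of 300.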