Vault grace only takes effect on periodic secrets

srcnix · Sep 1, 2017 · 2ad0792 · 2ad0792
1 parent 7cb63e3
commit 2ad0792
Show file tree

Hide file tree

Showing 4 changed files with 8 additions and 14 deletions.
diff --git a/README.md b/README.md
@@ -257,15 +257,15 @@ vault {
   # of the address is required.
   address = "https://vault.service.consul:8200"
 
-  # This is the grace period between lease renewal and secret re-acquisition.
-  # When renewing a secret, if the remaining lease is less than or equal to the
-  # configured grace, Consul Template will request a new credential. This
-  # prevents Vault from revoking the credential at expiration and Consul
+  # This is the grace period between lease renewal of periodic secrets and secret
+  # re-acquisition. When renewing a secret, if the remaining lease is less than or
+  # equal to the configured grace, Consul Template will request a new credential.
+  # This prevents Vault from revoking the credential at expiration and Consul
   # Template having a stale credential.
   #
   # Note: If you set this to a value that is higher than your default TTL or
   # max TTL, Consul Template will always read a new secret!
-  grace = "15s"
+  grace = "5m"
 
   # This is the token to use when communicating with the Vault server.
   # Like other tools that integrate with Vault, Consul Template makes the

diff --git a/dependency/vault_read.go b/dependency/vault_read.go
@@ -85,10 +85,6 @@ func (d *VaultReadQuery) Fetch(clients *ClientSet, opts *QueryOptions) (interfac
 		} else {
 			// The secret isn't renewable, probably the generic secret backend.
 			dur := vaultRenewDuration(d.secret)
-			if dur > opts.VaultGrace {
-				dur = opts.VaultGrace
-			}
-
 			log.Printf("[TRACE] %s: secret is not renewable, sleeping for %s", d, dur)
 			select {
 			case <-time.After(dur):

diff --git a/dependency/vault_token.go b/dependency/vault_token.go
@@ -79,8 +79,10 @@ func (d *VaultTokenQuery) Fetch(clients *ClientSet, opts *QueryOptions) (interfa
 	}
 
 	// The secret isn't renewable, probably the generic secret backend.
+	// TODO This is incorrect when given a non-renewable template. We should
+	// instead to a lookup self to determine the lease duration.
 	dur := vaultRenewDuration(d.secret)
-	if dur > opts.VaultGrace {
+	if dur < opts.VaultGrace {
 		dur = opts.VaultGrace
 	}
 

diff --git a/dependency/vault_write.go b/dependency/vault_write.go
@@ -92,10 +92,6 @@ func (d *VaultWriteQuery) Fetch(clients *ClientSet, opts *QueryOptions) (interfa
 		} else {
 			// The secret isn't renewable, probably the generic secret backend.
 			dur := vaultRenewDuration(d.secret)
-			if dur > opts.VaultGrace {
-				dur = opts.VaultGrace
-			}
-
 			log.Printf("[TRACE] %s: secret is not renewable, sleeping for %s", d, dur)
 			select {
 			case <-time.After(dur):