Thank you very much for opening this issue! I was able to successfully reproduce it and have a fix ready in #14836 based on your suggestions! I will run it by a few more people who are more familiar with the code and the "increment" behavior before merging. Thank you again for contributing to HashiCorp!
Describe the bug
A clear and concise description of what the bug is.
In lifetime_watcher the grace period is calculated with the secret's lease duration, not the given "increment" value.
vault/api/lifetime_watcher.go
Line 260 in da0155b
This means that for long-lived leases, a client cannot submit its own increment value that is less than the lease's grace period without triggering an immediate return (without sleeping).
vault/api/lifetime_watcher.go
Line 364 in da0155b
In my case, the initial lease duration is 12 hours, but I’m trying to check the secret every 10 minutes (in case of a revocation). The grace period for 12 hours ends up being something near 2 hours, which is greater than my increment value, forcing the return before the time.After call.
Expected behavior
Grace period should be calculated using the minimum value of the lease duration and the client increment value.
Additional context
Add any other context about the problem here.
Discussion forum: https://discuss.hashicorp.com/t/vault-sdk-lifetime-watcher-client-increment-and-secret-lease-duration/36850
If there is agreement from a maintainer I'm willing to make the update.
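The arithmetic behind the report, as an added Go sketch that is not Vault's code and not from the issue author: it compares a grace period derived from the lease duration with one derived from the minimum of lease duration and increment. Assumptions: all function names are hypothetical, the grace period is modelled as base/6 with no jitter (chosen so a 12-hour lease gives the roughly 2 hours reported), and the time left after a renewal is taken to equal the requested increment.

```go
package main

import (
	"fmt"
	"time"
)

// graceFrom models the grace period as base/divisor.
// Assumption of this sketch: a fixed divisor and no jitter.
func graceFrom(base time.Duration, divisor int64) time.Duration {
	if base <= 0 || divisor <= 0 {
		return 0
	}
	return base / time.Duration(divisor)
}

// minDuration returns the smaller of two durations.
func minDuration(a, b time.Duration) time.Duration {
	if a < b {
		return a
	}
	return b
}

// returnsImmediately reports whether a watcher with `remaining` time left
// would return instead of sleeping, i.e. the remaining time is already
// inside the grace period.
func returnsImmediately(remaining, grace time.Duration) bool {
	return remaining <= grace
}

// compare evaluates both grace rules for one lease/increment pair.
// reported: grace from the lease duration (behaviour described in the issue).
// proposed: grace from min(lease, increment) (the expected behaviour).
func compare(lease, increment time.Duration, divisor int64) (reported, proposed bool) {
	reported = returnsImmediately(increment, graceFrom(lease, divisor))
	proposed = returnsImmediately(increment, graceFrom(minDuration(lease, increment), divisor))
	return reported, proposed
}

func main() {
	lease, increment := 12*time.Hour, 10*time.Minute // values from the report
	reported, proposed := compare(lease, increment, 6)
	fmt.Printf("grace from lease: %v, returns immediately: %v\n", graceFrom(lease, 6), reported)
	fmt.Printf("grace from min:   %v, returns immediately: %v\n",
		graceFrom(minDuration(lease, increment), 6), proposed)
}
```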