UKHomeOffice / vault-sidekick

Vault sidekick
Apache License 2.0

max_ttl for a dynamic secret is not checked by sidekick when renewing a secret #90

Open primeroz opened 5 years ago

primeroz commented 5 years ago

I have the Google Secret backend configured as:

TTL: 60m
MAX_TTL: 120m

and vault-sidekick configured to

-cn=secret:gcp/key/key:file=terraform.json,fmt=json,renew=true

Sidekick will correctly fetch the secret and set a renewal:

vault-sidekick    | I0612 10:12:42.837163       1 vault.go:165] successfully retrieved resource: type: secret, path: gcp/key/tf_key, leaseID: gcp/key/key/VKf1PEXgGfEC1c6jCuopYGUS
vault-sidekick    | I0612 10:12:42.837364       1 watched_resource.go:67] setting a renewal notification on resource: type: secret, path: gcp/key/key, time: 55m12s

I would expect sidekick to notice that and create a new secret when the max_ttl expires. The first renewal works as expected; the second one, though, will set a threshold of roughly 55 minutes while the actual TTL for the renewed lease is just 5m left, since the MAX_TTL was set to 2h.

vault-sidekick    | I0612 12:00:00.108548       1 vault.go:327] renewed resource: type: secret, path: gcp/key/tf_key, leaseId: gcp/key/tf_key/VKf1PEXgGfEC1c6jCuopYGUS, lease_time: gcp/key/tf_key/VKf1PEXgGfEC1c6jCuopYGUS, expiration: 2019-06-12 12:00:00.108526313 +0000 UTC m=+6439.245801531
vault-sidekick    | I0612 12:00:00.108631       1 vault.go:235] successfully renewed resource: type: secret, path: gcp/key/key, leaseID: gcp/key/key/VKf1PEXgGfEC1c6jCuopYGUS
vault-sidekick    | I0612 12:00:00.108689       1 main.go:83] recieved an update from the resource: type: secret, path: gcp/key/key
vault-sidekick    | I0612 12:00:00.108751       1 watched_resource.go:67] setting a renewal notification on resource: type: secret, path: gcp/key/key, time: 54m0s
vault write sys/leases/lookup lease_id="gcp/key/key/VKf1PEXgGfEC1c6jCuopYGUS"
Key             Value
---             -----
expire_time     2019-06-12T12:12:42.93018124Z
id              gcp/key/key/VKf1PEXgGfEC1c6jCuopYGUS
issue_time      2019-06-12T10:12:42.46863101Z
last_renewal    2019-06-12T11:59:59.93018138Z
renewable       true
ttl             4m33s
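One way to schedule the next step from the lease duration Vault actually granted, rather than from the backend's configured TTL, as an added Go example that is not vault-sidekick's code; the leaseInfo struct, planNext and the 92% spacing are my own, the spacing being derived from the 55m12s-of-60m interval in the log above:

```go
package main

import (
	"fmt"
	"time"
)

// leaseInfo is a constructed stand-in for the fields a Vault renew response
// carries (lease_id, lease_duration, renewable); it is not the vault-sidekick
// or Vault API type.
type leaseInfo struct {
	LeaseID       string
	LeaseDuration time.Duration // what Vault granted on this renew, not the configured TTL
	Renewable     bool
}

// action is the watcher's next step: renew again, or fetch a brand-new secret.
type action struct {
	Reissue bool          // true when another renew cannot carry the lease past max_ttl
	Delay   time.Duration // how long to wait before acting
}

// renewPercent is the share of the granted lease to wait before acting,
// matching the 55m12s-of-60m (92%) spacing visible in the issue's log.
const renewPercent = 92

// planNext schedules from the granted lease duration. A grant shorter than the
// backend's configured TTL means max_ttl is capping the lease, so the next
// action must be a re-issue rather than another renew.
func planNext(l leaseInfo, configuredTTL time.Duration) action {
	if l.LeaseDuration <= 0 {
		// Nothing usable left: fetch a new secret immediately.
		return action{Reissue: true, Delay: 0}
	}
	delay := l.LeaseDuration * renewPercent / 100 // integer math, no float rounding
	capped := l.LeaseDuration < configuredTTL
	return action{Reissue: capped || !l.Renewable, Delay: delay}
}

func main() {
	ttl := 60 * time.Minute
	// First renew in the issue: a full 60m grant, so renew again at 55m12s.
	fresh := leaseInfo{LeaseID: "gcp/key/key/EXAMPLE", LeaseDuration: ttl, Renewable: true}
	fmt.Printf("fresh grant: %+v\n", planNext(fresh, ttl))
	// Second renew: Vault only granted 12m42s because max_ttl (120m) is near,
	// so instead of waiting 54m the watcher should re-issue after ~11m41s.
	truncated := leaseInfo{LeaseID: "gcp/key/key/EXAMPLE", LeaseDuration: 12*time.Minute + 42*time.Second, Renewable: true}
	fmt.Printf("near max_ttl: %+v\n", planNext(truncated, ttl))
}
```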