hashicorp / vault

A tool for secrets management, encryption as a service, and privileged access management
https://www.vaultproject.io/

Make grace period of lease configurable #13278

Open evan361425 opened 2 years ago

evan361425 commented 2 years ago

Is your feature request related to a problem? Please describe.
When I am using consul_template to generate a certificate from Vault PKI, I want to know the explicit renew period. But in Vault, it is hard-coded inside the calculateGrace function.

Describe the solution you'd like
Set up the grace period by configuration. A ratio or a specific grace period (with some jitter internally) in the PKI issue API (or globally).

Describe alternatives you've considered
Predict the period or use a cron job.

Explain any additional use-cases
Maybe renewable credentials of Database.

Additional context
It might be useless when dealing with a short period.

kitography commented 1 year ago

Could you give a bit of background as to why you'd like to set the explicit renew period? So long as leases are managed correctly, why (and where) does it matter how they are managed?

evan361425 commented 1 year ago

Hi @kitography, when using consul-template to generate certificates from Vault PKI, it will be good to make sure every certificate is generated at night to minimize the effect of reloading applications. Especially for Vault Agent, which has no signal (e.g. SIGHUP) to hot reload the client's certificate.