allow vault_pki renewal interval to be configured by VaultLeaseRenewalThreshold #1908

9 changes: 6 additions & 3 deletions dependency/vault_pki.go
Expand Up @@ -127,13 +127,16 @@
lifespanDur := end.Sub(start)
r := rand.New(rand.NewSource(time.Now().UnixNano()))
lifespanMilliseconds := lifespanDur.Milliseconds()
// calculate the 'time the certificate should be rotated' by figuring out
// 87-93% of the lifespan and adding it to the start
rotationTime := start.Add(time.Millisecond * time.Duration(((lifespanMilliseconds*9)/10)+(lifespanMilliseconds*int64(r.Intn(6)-3))/100))
// calculate the 'time the certificate should be rotated' by figuring out -2%
// - 3% + VaultLeaseRenewalThreshold of the lifespan and adding it to the
// start
rotationTime := start.Add(time.Millisecond * time.Duration(
float64(lifespanMilliseconds)*VaultLeaseRenewalThreshold+float64(lifespanMilliseconds*(int64(r.Intn(6)-3)/100.0)),
))

// after we have the 'time the certificate should be rotated', figure out how
// far it is from now to sleep
sleepFor := time.Duration(rotationTime.Sub(now))

if sleepFor <= 0 {
return 0, false
}
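Review bot: The jitter term in the new rotationTime expression is always zero: in `float64(lifespanMilliseconds*(int64(r.Intn(6)-3)/100.0))` the untyped constant 100.0 takes the int64 type of its operand, so this is integer division and every value in -3..2 truncates to 0, meaning the spread the comment describes never happens. The removed line multiplied by the lifespan before dividing by 100 and so kept the spread; the new form should keep the arithmetic in float64, e.g. `float64(lifespanMilliseconds)*(VaultLeaseRenewalThreshold+float64(r.Intn(6)-3)/100.0),`. Without the spread, every instance holding a certificate of the same lifespan rotates at the same offset, which is what the randomization was there to avoid. The comment also says "-2% - 3%" while `r.Intn(6)-3` yields -3..+2, and the same construction appears in dependency/vault_pki_test.go as `int64(4)/100.0`. The enclosing function starts and ends outside the hunk.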
13 changes: 9 additions & 4 deletions dependency/vault_pki_test.go
Expand Up @@ -10,7 +10,6 @@ import (
"crypto/x509"
"crypto/x509/pkix"
"errors"
"fmt"
"os"
"strings"
"testing"
Expand All @@ -20,6 +19,11 @@ import (
"github.com/hashicorp/vault/api"
)

func init() {
VaultDefaultLeaseDuration = 0
VaultLeaseRenewalThreshold = .90
}

func Test_VaultPKI_uniqueID(t *testing.T) {
d1, _ := NewVaultPKIQuery("pki/issue/example-dot-com", "/unique_1", nil)
id1 := d1.String()
Expand Down Expand Up @@ -84,8 +88,7 @@ func Test_VaulkPKI_goodFor(t *testing.T) {

ratio := dur.Seconds() / (NotAfter.Sub(NotBefore).Seconds())
// allow for a .01 epsilon for floating point comparison to prevent flakey tests
if ratio < .86 || ratio > .94 {
fmt.Println(ratio)
if ratio < (VaultLeaseRenewalThreshold-.04) || ratio > (VaultLeaseRenewalThreshold+.04) {
t.Errorf(
"%v: should be between 87 and 93, but was %.2f. NotBefore: %s, NotAfter: %s",
name,
Expand Down Expand Up @@ -242,7 +245,9 @@ func Test_VaultPKI_refetch(t *testing.T) {
// forcefully wait the longest the certificate could be good force to ensure
// goodFor will always return needs renewal
<-d.sleepCh
time.Sleep(time.Millisecond * time.Duration(((ttlDuration.Milliseconds()*9)/10)+(ttlDuration.Milliseconds()*int64(3)/100)))
time.Sleep(time.Millisecond * time.Duration(
float64(ttlDuration.Milliseconds())*VaultLeaseRenewalThreshold+float64(ttlDuration.Milliseconds()*(int64(4)/100.0)),
))
act3, rm, err := d.Fetch(clients, nil)
if err != nil {
t.Fatal(err)
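Review bot: The failure message on the context line below the new condition, `"%v: should be between 87 and 93, but was %.2f..."`, no longer matches what the condition checks (VaultLeaseRenewalThreshold minus and plus .04), so a failing run would report the wrong bounds. Format the bounds into the message, e.g. `"%v: should be between %.2f and %.2f, but was %.2f. NotBefore: %s, NotAfter: %s"` with `VaultLeaseRenewalThreshold-.04, VaultLeaseRenewalThreshold+.04` added to the arguments. The comment above it still says ".01 epsilon"; given the ±3% jitter in the code under test, the .04 bound is jitter plus a .01 epsilon, which is worth spelling out there. Test_VaulkPKI_goodFor starts outside the hunk.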