Hi all,
Use case
In general, teams don't use the Vault root token to access Vault from this application (in their PROD env). If those tokens are made renewable, we can periodically renew them from the Vault client. So once those tokens are set and this application has been deployed, there won't be any downtime due to Vault auth token expiration.
Our scenario
We have deployed this in our PROD env where it accesses the PROD Vault with a token (max lifetime can be set to 32 days). So once that token expires, we need to create another token from Vault and re-deploy this app with the new token. This creates some downtime for the application.
In this PR
There is already an API in the Vault client (NewLifeTimeWatcher) which renews the secrets passed to it. I used code from this function to call NewLifeTimeWatcher in a separate goroutine to renew the Vault auth token.
We can create a renewable Vault token with max_ttl_time 0s (no max_ttl) and 32 days as expiration time by the following commands -
And then set it as the VAULT_TOKEN env in the docker image/container and deploy the app. This token is used to access Vault, and when it nears its expiration time, it gets renewed by the NewLifeTimeWatcher goroutine.
Outputs
Configuration used for this output -
Issue
In the case of the root token which is used in DEV mode, root tokens are not renewable, so the output shows an error on its renewal once.
Hope you people like this PR. I am open to any feedback.
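The renewal loop the PR describes, as an added example that is not the PR's own code and does not use the real Vault client (the upstream `api.Client` exposes `NewLifetimeWatcher` for this; here the same behaviour is written out by hand against a small `TokenRenewer` interface so it runs offline). The `fakeVault` type, the `renewAfter` fraction of two thirds, and the `ErrNotRenewable`/`ErrMaxTTL` errors are all constructed for this example. It shows the two cases the description mentions: a renewable token that is extended until Vault refuses (max_ttl reached), and a dev-mode root token, which is not renewable and therefore produces exactly one error before the watcher gives up instead of retrying forever.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// TokenRenewer is the one call the watcher needs from a Vault client.
// In a real deployment it would wrap the client's token renew-self call;
// the fakeVault below (constructed for this example) stands in for Vault.
type TokenRenewer interface {
	// RenewSelf asks Vault to extend the current token by increment
	// and returns the TTL Vault actually granted.
	RenewSelf(increment time.Duration) (time.Duration, error)
}

// Errors returned by the fake; a real client surfaces equivalent API errors.
var (
	ErrNotRenewable = errors.New("token is not renewable")
	ErrMaxTTL       = errors.New("token has reached its max_ttl")
)

// Renewal records one renewal attempt so callers (and tests) can inspect
// what the watcher did.
type Renewal struct {
	NewTTL time.Duration
	Err    error
}

// renewAfter returns how long to wait before the next renewal: two thirds
// of the current TTL, so a transient failure still leaves time to retry
// before the token actually expires. (Assumed policy, not Vault's own.)
func renewAfter(ttl time.Duration) time.Duration {
	return ttl * 2 / 3
}

// watchToken renews the token in a loop and returns the history of attempts.
// It stops on the first error (a non-renewable root token, or a token that
// has hit its max_ttl) or when stop is closed. Run it in its own goroutine
// next to the application, as the PR description does.
func watchToken(r TokenRenewer, ttl, increment time.Duration, stop <-chan struct{}) []Renewal {
	var history []Renewal
	for {
		select {
		case <-stop:
			return history
		case <-time.After(renewAfter(ttl)):
		}
		newTTL, err := r.RenewSelf(increment)
		history = append(history, Renewal{NewTTL: newTTL, Err: err})
		if err != nil {
			// Report once and exit; retrying a non-renewable token only
			// floods the logs with the same error.
			return history
		}
		ttl = newTTL
	}
}

// fakeVault is a constructed stand-in for Vault's token API.
type fakeVault struct {
	renewable   bool
	maxRenewals int // 0 behaves like max_ttl=0s: no cap
	renewals    int
}

func (f *fakeVault) RenewSelf(increment time.Duration) (time.Duration, error) {
	if !f.renewable {
		return 0, ErrNotRenewable
	}
	if f.maxRenewals > 0 && f.renewals >= f.maxRenewals {
		return 0, ErrMaxTTL
	}
	f.renewals++
	return increment, nil
}

func main() {
	// A renewable token that Vault caps after three renewals.
	capped := &fakeVault{renewable: true, maxRenewals: 3}
	for i, r := range watchToken(capped, 30*time.Millisecond, 30*time.Millisecond, nil) {
		fmt.Printf("renewal %d: ttl=%v err=%v\n", i+1, r.NewTTL, r.Err)
	}
	// A root token in dev mode: not renewable, so exactly one error is logged.
	root := &fakeVault{renewable: false}
	for _, r := range watchToken(root, 30*time.Millisecond, 30*time.Millisecond, nil) {
		fmt.Printf("root token: err=%v\n", r.Err)
	}
}
```

The TTLs are milliseconds only so the example finishes quickly; with a 32-day token the same loop sleeps for roughly 21 days between renewals. Passing a nil `stop` channel means the watcher runs until Vault refuses a renewal, which is what a long-lived service wants; an application shutting down should close the channel so the goroutine exits cleanly.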