Harden Vault DB connector: retry logic, lease renewal, safe DSN templating

[haasonsaas]

Summary

The Vault DB connector handles the happy path but lacks resilience for production Vault interactions.

Current state

• internal/connectors/vaultdb/connector.go — validates _ro suffix, fetches creds, renders DSN, revokes leases
• internal/connectors/vaultdb/client.go — HTTP client for Vault API
• No retry logic if Vault is temporarily unavailable during revocation
• DSN template uses strings.Replace — potential injection if template or credentials contain unexpected characters
• No lease auto-renewal for long-running operations
• Role suffix validation is hardcoded

Required work

• Retry with backoff: if lease revocation fails (Vault down, network error), retry with exponential backoff — don't silently lose the lease
• Safe DSN templating: use url.QueryEscape for credential values in DSN templates, or switch to a structured DSN builder to prevent injection
• Validate DSN template at startup: ensure the template contains {{username}} and {{password}} placeholders before accepting it
• Lease renewal: for grants with TTLs longer than the Vault lease, implement periodic lease renewal
• Configurable role validation: make the _ro suffix check configurable rather than hardcoded — some deployments may have different naming conventions
• Track lease state: persist lease IDs and their expiry in the grant metadata so the cleanup worker can revoke orphaned leases

Files

• internal/connectors/vaultdb/connector.go — retry, renewal, DSN safety
• internal/connectors/vaultdb/client.go — retry wrapper
• internal/bootstrap/service.go — configurable role validation

Priority

Medium.

🤖 Generated with Claude Code

[haasonsaas]

Taking this now. I’m hardening the Vault DB connector around DSN safety, configurable role validation, retryable lease cleanup, and lease extension handling in a fresh branch off current main.

[haasonsaas]

Draft PR is up: #65. It validates Vault DB DSN templates at startup, makes allowed role suffixes configurable, URL-escapes rendered credentials, retries transient revoke/renew failures, renews renewable leases when a grant outlives the initial Vault lease, and records lease_expires_at in artifact metadata. Local validation passed with targeted connector/bootstrap tests, race coverage, full go test ./..., lint, and scoped gosec.