Renewal check for vault-pki certificates fails, renewing constantly #1272
Comments
Hey @sfudeus, thanks for the report. Seems test coverage wasn't as good as I thought as this is the second recent regression that doesn't seem to have test coverage. As I want to get CT stable before adding new features, I'll be getting right to this.
Did you change that template at all between 0.21.0 and 0.21.2? One of the fixes in 0.21.1 was fixing uses of vault/secret write, where you use have..
Before that fix version 1 of vault I created the
I was reading some about the pki secrets engine and noticed is supported
Ok. I followed the docs and created a mix of the version you gave with the version in the docs (trying to use your code as much as possible w/ the documented paths)... and I got it to work. I think I may even have replicated the issue. I need to try it on the 0.21.0 version to make sure (which I'll do tomorrow... getting late).
Hi @eikenb, thanks for diving into this. The template was not changed between 0.21.0 and 0.21.2. In fact it wasn't changed since 0.19.something, changing the behavior already regarding the point in time when renewal occurs, but now better aligned with the definition from #1267. The vault pki is created via
Using 0.21.0 I seem to have somewhat replicated the old behavior except that instead of sleeping for 5 hours it sleeps for 4.5 minutes. The code tells me that this means that vault didn't return a specified lease duration, so it went with a default. The fact that it was 4.5 minutes also tells me that it doesn't think the secret is renewable (non-renewable secrets are refreshed after 85% of the lease or default). But you indicate in your initial post that these should be renewable. These 2 things seem to indicate I don't have vault setup quite right yet. I'm running vault in dev mode (
Those paths were taken from the docs, I changed your template to use those paths...
If you see anything there that doesn't look right, please let me know. Aside from all that, I still think I'll be able to figure out the issue as that is related to how long it will sleep and not whether it sleeps at all or not (which is the problem) nor whether it is renewable.
Oh.. and I set the env-vars to...
[edit: looked at template again and saw HOSTNAME was not supposed to be the FQDN]
It might well be that I observed the (roughly) 5h timeframe for a certificate which is issued with a ttl of 72h. Template for a certificate differs here:
We do issue a bunch of certs, keys and ca-certs via consul-template. Question: Edit:
I think I've got it... it looks like an issue with sleeping that was missed in the tests due to the low values sleeps are set to during testing. I need to add some tests then will push up a PR. |
Over-zealous refactoring resulted in <-time.After() channel used for non-renewable sleep to basically be ignored. Originally had channel of the time channels but I "simplified" it when I shouldn't have. Basically undo that refactor by switching the way the sleep is passed to the next iteration from a `<-chan time.Time` to a `chan (<-chan time.Time)`. This way it can see it has a sleep to do, then do it instead of skipping it as the time hadn't passed yet. This also let me write a test for it as I don't need to actually sleep to see that there is something in the channel. Fixes #1272
An over-zealous refactoring resulted in <-time.After() channel used for non-renewable sleep to be ignored. I originally had channel of the time channels but "simplified" it when I shouldn't have. This undoes that refactor by switching the way the sleep is passed to the next iteration from a `<-chan time.Time` to a `chan (<-chan time.Time)`. This way it can see it has a sleep to do, then do it instead of skipping it as the time hadn't passed yet. This also let me write a test for it as I don't need to actually sleep to see that there is something in the channel. Fixes #1272
Just pushed up #1277 that should fix this issue. Once I have it reviewed I'll merge it and make the 0.21.3 release.
An over-zealous refactoring resulted in <-time.After() channel used for non-renewable sleep to be ignored. I originally had channel of the time channels but "simplified" it too much. This reworks the way the sleep is passed to the next iteration to just pass the time.Duration of the sleep down the channel, then time.Sleep-ing when reading off the channel. This way it can see it has a sleep to do, then do it instead of skipping it as the time hadn't passed yet. This also let me write a test for it as I don't need to actually sleep to see that there is something in the channel. Fixes #1272
Looks good on first glance - thanks for the fast fix!
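As an added illustration of the failure mode the commit messages above describe (this is a model of the pattern, not consul-template's own code, and `buggyLoop`/`fixedLoop` are hypothetical names): the first loop hands the wait to the next iteration as a `time.After` channel and polls it without blocking, so an unfired timer looks like "nothing to wait for" and the secret is re-fetched immediately; the second passes the wait as a `time.Duration` and sleeps it off when read, which is the shape of the fix in #1277.

```go
package main

import (
	"fmt"
	"time"
)

// Illustrative model of the sleep hand-off from #1272 (not consul-template's
// code). Each iteration "fetches" the secret once and hands the wait before
// the next fetch to the next iteration.

// buggyLoop hands the wait over as the channel returned by time.After and
// polls it without blocking. A nil channel never receives, and a timer that
// has not fired yet does not either, so both hit default and the wait is
// lost: every iteration re-fetches at once (the "renewing constantly" symptom).
func buggyLoop(iterations int, wait time.Duration) (fetches int, elapsed time.Duration) {
	start := time.Now()
	var timer <-chan time.Time // nil until the first fetch schedules a wait
	for i := 0; i < iterations; i++ {
		select {
		case <-timer:
		default: // pending and absent waits look identical here: bug
		}
		fetches++
		timer = time.After(wait)
	}
	return fetches, time.Since(start)
}

// fixedLoop passes the wait down the channel as a time.Duration value and
// sleeps when it reads one, so a pending wait is always seen and honoured
// regardless of whether the clock has advanced yet.
func fixedLoop(iterations int, wait time.Duration) (fetches int, elapsed time.Duration) {
	start := time.Now()
	next := make(chan time.Duration, 1)
	for i := 0; i < iterations; i++ {
		select {
		case d := <-next:
			time.Sleep(d)
		default: // nothing scheduled yet (only true on the first iteration)
		}
		fetches++
		next <- wait
	}
	return fetches, time.Since(start)
}

func main() {
	const wait = 50 * time.Millisecond
	f, e := buggyLoop(3, wait)
	fmt.Printf("buggy: %d fetches in %v (waits skipped)\n", f, e.Round(time.Millisecond))
	f, e = fixedLoop(3, wait)
	fmt.Printf("fixed: %d fetches in %v (2 waits honoured)\n", f, e.Round(time.Millisecond))
}
```

With three iterations the buggy loop finishes in well under one wait interval, while the fixed loop takes at least two intervals, which is what a test can assert without depending on the renewer's real sleep values.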
Consul Template version
consul-template v0.21.2 (3957cdf)
Configuration
Debug output
https://gist.github.com/sfudeus/397bfd48758355c3b952ecebfdf3a2c6
Expected behavior
Our cert ttl is 8h. With consul-template 0.21.0, renewal occurred with around 5h certificate lifetime left. With 0.21.2 certificates are renewed continuously (i.e. approx. every 17s in this test setup).
Certs should have been fetched and renewed when 1/6 to 1/3 of their TTL is left (see #1267)
Actual behavior
Certificates are updated continuously.
Steps to reproduce
References
secret renew documentation #1267