phys/consul: Allow tuning of session ttl and lock wait time (#4352)

* phys/consul: allow tuning of session ttl and lock wait time

* use parseutil

* udpate docs

physical/consul/consul.go

@@ -99,6 +99,9 @@ type ConsulBackend struct {
 
 	notifyActiveCh chan notifyEvent
 	notifySealedCh chan notifyEvent
+
+	sessionTTL   string
+	lockWaitTime time.Duration
 }
 
 // NewConsulBackend constructs a Consul backend using the given API client
@@ -168,7 +171,7 @@ func NewConsulBackend(conf map[string]string, logger log.Logger) (physical.Backe
 	checkTimeout := defaultCheckTimeout
 	checkTimeoutStr, ok := conf["check_timeout"]
 	if ok {
-		d, err := time.ParseDuration(checkTimeoutStr)
+		d, err := parseutil.ParseDurationSecond(checkTimeoutStr)
 		if err != nil {
 			return nil, err
 		}
@@ -184,6 +187,32 @@ func NewConsulBackend(conf map[string]string, logger log.Logger) (physical.Backe
 		}
 	}
 
+	sessionTTL := api.DefaultLockSessionTTL
+	sessionTTLStr, ok := conf["session_ttl"]
+	if ok {
+		_, err := parseutil.ParseDurationSecond(sessionTTLStr)
+		if err != nil {
+			return nil, errwrap.Wrapf("invalid session_ttl: {{err}}", err)
+		}
+		sessionTTL = sessionTTLStr
+		if logger.IsDebug() {
+			logger.Debug("config session_ttl set", "session_ttl", sessionTTL)
+		}
+	}
+
+	lockWaitTime := api.DefaultLockWaitTime
+	lockWaitTimeRaw, ok := conf["lock_wait_time"]
+	if ok {
+		d, err := parseutil.ParseDurationSecond(lockWaitTimeRaw)
+		if err != nil {
+			return nil, errwrap.Wrapf("invalid lock_wait_time: {{err}}", err)
+		}
+		lockWaitTime = d
+		if logger.IsDebug() {
+			logger.Debug("config lock_wait_time set", "lock_wait_time", d)
+		}
+	}
+
 	// Configure the client
 	consulConf := api.DefaultConfig()
 	// Set MaxIdleConnsPerHost to the number of processes used in expiration.Restore
@@ -263,6 +292,8 @@ func NewConsulBackend(conf map[string]string, logger log.Logger) (physical.Backe
 		consistencyMode:     consistencyMode,
 		notifyActiveCh:      make(chan notifyEvent),
 		notifySealedCh:      make(chan notifyEvent),
+		sessionTTL:          sessionTTL,
+		lockWaitTime:        lockWaitTime,
 	}
 	return c, nil
 }
@@ -466,6 +497,8 @@ func (c *ConsulBackend) LockWith(key, value string) (physical.Lock, error) {
 		Value:          []byte(value),
 		SessionName:    "Vault Lock",
 		MonitorRetries: 5,
+		SessionTTL:     c.sessionTTL,
+		LockWaitTime:   c.lockWaitTime,
 	}
 	lock, err := c.client.LockOpts(opts)
 	if err != nil {

website/source/docs/configuration/storage/consul.html.md

@@ -98,6 +98,16 @@ at Consul's service discovery layer.
   permission to read and write from the `path` in Consul's key-value store.
   This is **not** a Vault token. See the ACL section below for help.
 
+- `session_ttl` `(string: "15s")` - Specifies the minimum allowed [session
+  TTL][consul-session-ttl]. Consul server has a lower limit of 10s on the
+  session TTL by default. The value of `session_ttl` here cannot be lesser than
+  10s unless the `session_ttl_min` on the consul server's configuration has a
+  lesser value.
+
+- `lock_wait_time` `(string: "15s")` - Specifies the wait time before a lock
+  lock acquisition is made. This affects the minimum time it takes to cancel a
+  lock acquisition.
+
 The following settings apply when communicating with Consul via an encrypted
 connection. You can read more about encrypting Consul connections on the
 [Consul encryption page][consul-encryption].
@@ -225,3 +235,4 @@ storage "consul" {
 [consul-consistency]: https://www.consul.io/api/index.html#consistency-modes "Consul Consistency Modes"
 [consul-encryption]: https://www.consul.io/docs/agent/encryption.html "Consul Encryption"
 [consul-translate-wan-addrs]: https://www.consul.io/docs/agent/options.html#translate_wan_addrs "Consul Configuration"
+[consul-session-ttl]: https://www.consul.io/docs/agent/options.html#session_ttl_min "Consul Configuration"