Is your feature request related to a problem? Please describe.
While 'stress-testing' the Vault database secrets engine, I found that if the database isn't available for like 20 minutes (which is possible in case of planned maintenance, connectivity issues, etc.), Vault gives up and stops trying to revoke creds (after 6 failed attempts):
This means some transient db users will live forever, if I understand correctly (correct me if I'm wrong).
Reason: corresponding parameters are hardcoded.
Describe the solution you'd like
Make maximum revocation attempts configurable (globally? per backend?)
There really should be an option to let it keep trying, perhaps increasing backoff time to prevent it from overloading, so these get deleted eventually after a database outage. Now we are forced to garbage collect these things with an external process every time this maximum is reached.
Making its value configurable should do it, infinite would then be 0 or -1.
Actually, when I restart Vault after such an incident it attempts to revoke these old expired leases again. So at least that is a way for me to clean them up.
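The retry behaviour requested in this thread (a configurable attempt limit where 0 means unlimited, with a growing but capped backoff), written in Go as an added illustration. This is not Vault's code; `RetryPolicy`, `RevokeWithRetry` and their fields are hypothetical names, and the failing database is constructed.

```go
package main

import (
	"context"
	"fmt"
	"time"
)

// RetryPolicy is a hypothetical configuration for this example, not a Vault setting.
type RetryPolicy struct {
	MaxAttempts int           // 0 or negative: retry until ctx is cancelled
	BaseDelay   time.Duration // delay after the first failure
	MaxDelay    time.Duration // cap on the delay during a long outage
}

// backoff returns the capped exponential delay after failed attempt n (1-based).
func (p RetryPolicy) backoff(n int) time.Duration {
	d := p.BaseDelay
	for i := 1; i < n && d < p.MaxDelay; i++ {
		d *= 2
	}
	if d > p.MaxDelay {
		return p.MaxDelay
	}
	return d
}

// RevokeWithRetry retries revoke until success, budget exhaustion or ctx cancellation.
func RevokeWithRetry(ctx context.Context, p RetryPolicy, revoke func() error) (int, error) {
	for attempt := 1; ; attempt++ {
		err := revoke()
		if err == nil {
			return attempt, nil
		}
		if p.MaxAttempts > 0 && attempt >= p.MaxAttempts {
			return attempt, fmt.Errorf("giving up after %d attempts: %w", attempt, err)
		}
		select {
		case <-ctx.Done():
			return attempt, ctx.Err()
		case <-time.After(p.backoff(attempt)):
		}
	}
}

func main() {
	// Constructed outage: the database never comes back, so the budget of 6 is spent.
	p := RetryPolicy{MaxAttempts: 6, BaseDelay: time.Millisecond, MaxDelay: 8 * time.Millisecond}
	fmt.Println(RevokeWithRetry(context.Background(), p, func() error { return fmt.Errorf("db down") }))
}
```

With `MaxAttempts` set to 0 the loop only stops on success or when the context is cancelled, so a credential left behind by a long outage is still revoked once the database returns.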