diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index ec48926..e4f304e 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -34,11 +34,11 @@ jobs:
strategy:
matrix:
- vaultVer: [ "latest", "1.12.6" ]
+ vaultVer: [ "latest", "1.14", "1.13", "1.12" ]
services:
vault:
- image: vault:${{ matrix.vaultVer }}
+ image: docker.io/hashicorp/vault:${{ matrix.vaultVer }}
ports: - 8200:8200
options: >-
diff --git a/controllers/vaultsecret_controller.go b/controllers/vaultsecret_controller.go
index 6e2ad62..3650140 100644
--- a/controllers/vaultsecret_controller.go
+++ b/controllers/vaultsecret_controller.go
@@ -225,7 +225,8 @@ func (r *VaultSecretReconciler) getAuthServiceAccount(vaultSecret k8skiwicomv1.V
if err := vaultClient.SetAddress(vaultSecret.Spec.Addr); err != nil {
return nil, fmt.Errorf("vault set address: %w", err)
}
- saAccount = vault.NewAuthServiceAccount(vaultClient, r.K8ClientSet, saRef.Name, vaultSecret.Namespace, saRef.Role, saRef.AuthPath, false)
+ saAccount = vault.NewAuthServiceAccount(vaultClient, r.K8ClientSet, saRef.Name, vaultSecret.Namespace, saRef.Role,
+ saRef.AuthPath, false, r.VaultConfig.RefreshTokenBefore)
r.saCacheMx.Lock()
defer r.saCacheMx.Unlock()
r.authSACache[id] = saAccount
diff --git a/pkg/vault/auth.go b/pkg/vault/auth.go
index 0a9cd55..4ffa738 100644
--- a/pkg/vault/auth.go
+++ b/pkg/vault/auth.go
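Review bot: The call to `vault.NewAuthServiceAccount` on the added lines now takes eight positional arguments, and the trailing `false, r.VaultConfig.RefreshTokenBefore` pair is not self-describing at the call site. Naming the literal, e.g. `const noAutoMount = false`, or grouping the optional knobs into a small options struct would keep this readable as more tunables follow. `getAuthServiceAccount` starts and ends outside this hunk.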
@@ -30,28 +30,30 @@ func (a AuthToken) Token() (string, error) {
}
type AuthServiceAccount struct {
- name string
- namespace string
- role string
- path string
- vaultClient *vaultApi.Client
- autoMount bool
- k8ClientSet *kubernetes.Clientset
- cacheMx sync.RWMutex
- cachedVaultToken string
- vaultTokenExpire time.Time
+ name string
+ namespace string
+ role string
+ refreshTokenBefore time.Duration
+ path string
+ vaultClient *vaultApi.Client
+ autoMount bool
+ k8ClientSet *kubernetes.Clientset
+ cacheMx sync.RWMutex
+ cachedVaultToken string
+ vaultTokenExpire time.Time
}
func NewAuthServiceAccount(vaultClient *vaultApi.Client, k8ClientSet *kubernetes.Clientset,
- name, namespace, role, path string, automount bool) *AuthServiceAccount {
+ name, namespace, role, path string, automount bool, refreshTokenBefore time.Duration) *AuthServiceAccount {
return &AuthServiceAccount{
- name: name,
- namespace: namespace,
- role: role,
- path: path,
- vaultClient: vaultClient,
- autoMount: automount,
- k8ClientSet: k8ClientSet,
+ name: name,
+ namespace: namespace,
+ role: role,
+ path: path,
+ vaultClient: vaultClient,
+ autoMount: automount,
+ k8ClientSet: k8ClientSet,
+ refreshTokenBefore: refreshTokenBefore,
}
}
func (a *AuthServiceAccount) cachedToken() string {
@@ -62,7 +64,7 @@ func (a *AuthServiceAccount) cachedToken() string {
func (a *AuthServiceAccount) Token() (string, error) {
vaultToken := a.cachedToken()
- if vaultToken != "" && time.Now().Add(30*time.Second).Before(a.vaultTokenExpire) {
+ if vaultToken != "" && time.Now().Add(a.refreshTokenBefore).Before(a.vaultTokenExpire) {
return vaultToken, nil
}
diff --git a/pkg/vault/config.go b/pkg/vault/config.go
index a35724d..6c7ef36 100644
--- a/pkg/vault/config.go
+++ b/pkg/vault/config.go
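Review bot: `Token()` now compares against `a.refreshTokenBefore` with no bound on its value: zero or a negative duration lets the cached token be handed out right up to (or past) `vaultTokenExpire`, while a value at or above the token's TTL means the cached branch is never taken and every call performs a fresh login against Vault. The previous hard-coded `30*time.Second` was safe by construction; the `NewAuthServiceAccount` hunk in this file is the natural place to enforce a floor, e.g. `if refreshTokenBefore <= 0 { refreshTokenBefore = 30 * time.Second }` before building the struct. The new `refreshTokenBefore` field and constructor parameter also lack a comment; a one-liner such as `// refreshTokenBefore is how long before vaultTokenExpire a cached token is re-issued.` on the field would document the contract. The read of `a.vaultTokenExpire` on the changed line happens outside `cacheMx`; if the refresh path writes that field under the lock, this comparison is a data race under -race, which is worth confirming since that path is not in the hunk. `Token()` continues past the end of the hunk.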
@@ -25,6 +25,7 @@ type AppConfig struct {
Role string `koanf:"role"`
DefaultVaultAddr string `koanf:"vault_addr"`
MaxConcurrentReconciles int `koanf:"max_concurrent_reconciles"`
+ RefreshTokenBefore time.Duration `koanf:"refresh_token_before"`
}
func NewAppConfig() (AppConfig, error) {
@@ -37,6 +38,7 @@ func NewAppConfig() (AppConfig, error) {
"operator_role": "vault-operator",
"vault_addr": "http://127.0.0.1:8200",
"max_concurrent_reconciles": 5,
+ "refresh_token_before": time.Minute * 2,
}, "."), nil)
if err != nil {
return cfg, fmt.Errorf("default setting load: %w", err)
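Review bot: The new `RefreshTokenBefore` field carries no comment, and the only hint of its meaning is the key name and the two-minute default; add `// RefreshTokenBefore is how long before a cached Vault token's expiry the operator re-authenticates; must be positive.` above it so the `koanf:"refresh_token_before"` key is self-describing for operators. Nothing in `NewAppConfig` rejects a zero or negative duration should an override source set one, which would silently remove the expiry safety margin; a check after the unmarshal such as `if cfg.RefreshTokenBefore <= 0 { return cfg, fmt.Errorf("refresh_token_before must be positive, got %s", cfg.RefreshTokenBefore) }` would fail fast at startup. Whether string values like `"90s"` decode into `time.Duration` depends on the decode hooks koanf is configured with, which is not visible in this hunk. `NewAppConfig` continues past the end of the hunk.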