feat: automatically renew vault token before expiry

acmevault-config.yaml

@@ -0,0 +1,57 @@
+---
+acmeCustomDnsServers:
+  - 8.8.8.8
+  - 8.8.4.4
+acmeDnsProvider: route53
+
+domains:
+  - domain: nas.ez.soeren.cloud
+    sans:
+      - nas.ha.soeren.cloud
+  - domain: nas.dd.soeren.cloud
+    sans:
+      - nas.ha.soeren.cloud
+      - jelly.ha.soeren.cloud
+  - domain: nas.pt.soeren.cloud
+    sans:
+      - nas.ha.soeren.cloud
+      - jelly.ha.soeren.cloud
+  - domain: dbs.ez.soeren.cloud
+    sans:
+      - minio-2.soeren.cloud
+      - dbs.ha.soeren.cloud
+  - domain: dbs.dd.soeren.cloud
+    sans:
+      - minio-1.soeren.cloud
+      - dbs.ha.soeren.cloud
+  - domain: dbs.pt.soeren.cloud
+    sans:
+      - minio-3.soeren.cloud
+      - dbs.ha.soeren.cloud
+  - domain: hass.dd.soeren.cloud
+  - domain: mqtt.ez.soeren.cloud
+  - domain: mqtt.dd.soeren.cloud
+  - domain: mqtt.pt.soeren.cloud
+  - domain: pim.dd.soeren.cloud
+    sans:
+      - pim-sandbox.soeren.cloud
+  - domain: sauron.ez.soeren.cloud
+  - domain: sauron.dd.soeren.cloud
+  - domain: sauron.pt.soeren.cloud
+  - domain: pool.pt.soeren.cloud
+  - domain: brick.dd.soeren.cloud
+  - domain: pool.ez.soeren.cloud
+    sans:
+      - paperless.ez.soeren.cloud
+      - paperless.soeren.cloud
+
+email: acmevault@soerensoerensen.de
+
+metricsAddr: ""
+
+vault:
+  addr: https://vault.ha.soeren.cloud:443
+  authMethod: implicit
+  pathPrefix: prod
+  k8sRoleId: acmevault
+  k8sMountPath: svc.pt.soeren.cloud

cmd/deps.go

@@ -20,6 +20,8 @@ type deps struct {
 	dnsProvider         challenge.Provider
 	acmeClient          acme.AcmeDealer
 
+	done chan bool
+
 	acmeVault *server.AcmeVault
 }
 
@@ -36,6 +38,13 @@ func buildDeps(conf config.AcmeVaultConfig) *deps {
 	deps.vaultAuth, err = buildVaultAuth(conf.Vault)
 	dieOnError(err, "could not build token auth")
 
+	if conf.Vault.UseAutoRenewAuth() {
+		log.Info().Msg("Building Vault auth auto renew wrapper...")
+		deps.done = make(chan bool)
+		deps.vaultAuth, err = vault.NewAutoRenew(deps.vaultAuth, deps.done)
+		dieOnError(err, "could not build token auth")
+	}
+
 	deps.storage, err = vault.NewVaultBackend(conf.Vault, deps.vaultAuth)
 	dieOnError(err, "could not generate desired backend")
 

cmd/main.go

@@ -106,6 +106,7 @@ func run(conf config.AcmeVaultConfig, deps *deps) {
 			if err := deps.storage.Logout(); err != nil {
 				log.Warn().Err(err).Msg("Logging out failed")
 			}
+			deps.done <- true
 			cancel()
 			ticker.Stop()
 			stop = true

internal/config/vault.go

@@ -59,3 +59,7 @@ func (conf *VaultConfig) Validate() error {
 func (conf *VaultConfig) LoadSecretIdFromFile() bool {
 	return len(conf.SecretIdFile) > 0
 }
+
+func (conf *VaultConfig) UseAutoRenewAuth() bool {
+	return conf.AuthMethod != "token" && conf.AuthMethod != "implicit"
+}

internal/server/server.go

@@ -60,11 +60,6 @@ func New(domains []config.DomainsConfig, acmeClient acme.AcmeDealer, storage Cer
 }
 
 func (c *AcmeVault) CheckCerts(ctx context.Context, wg *sync.WaitGroup) error {
-	err := c.certStorage.Authenticate()
-	if err != nil {
-		return err
-	}
-
 	metrics.ServerLatestIterationTimestamp.SetToCurrentTime()
 	ch := make(chan config.DomainsConfig, len(c.domains))
 	for _, data := range c.domains {
@@ -84,7 +79,8 @@ func (c *AcmeVault) CheckCerts(ctx context.Context, wg *sync.WaitGroup) error {
 	}()
 
 	var errs error
-	for i := 0; i < 3; i++ {
+
+	for i := 0; i < 5; i++ {
 		wg.Add(1)
 		go func() {
 			for domain := range ch {
@@ -105,10 +101,6 @@ func (c *AcmeVault) CheckCerts(ctx context.Context, wg *sync.WaitGroup) error {
 		wg.Done()
 	}
 
-	if err := c.certStorage.Logout(); err != nil {
-		log.Error().Err(err).Msg("logging out of storage failed")
-	}
-
 	return errs
 }
 

pkg/certstorage/vault/vault.go

@@ -181,8 +181,11 @@ func (vault *VaultBackend) ReadAccount(hash string) (*certstorage.AcmeAccount, e
 }
 
 func (vault *VaultBackend) Authenticate() error {
-	secret, err := vault.client.Auth().Login(context.Background(), vault.auth)
-	if err == nil {
+	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+	defer cancel()
+
+	secret, err := vault.client.Auth().Login(ctx, vault.auth)
+	if err == nil && secret.Auth.LeaseDuration != 0 {
 		log.Info().Msgf("Login token valid for %d seconds (until %v)", secret.Auth.LeaseDuration, time.Now().Add(time.Second*time.Duration(secret.Auth.LeaseDuration)))
 	}
 	return err