Merge pull request #3360 from hashicorp/f-consul-template

Use Vault default grace
2017-10-11 18:11:17 -07:00 · 2017-10-11 18:11:17 -07:00 · b1befc7be0
parent 7ea4493a13 68d1a61e8e
commit b1befc7be0
7 changed files with 54 additions and 30 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -38,6 +38,8 @@ BUG FIXES:
 * driver/docker: Fix docker user specified syslogging [GH-3184]
 * driver/docker: Fix issue where CPU usage statistics were artificially high
   [GH-3229]
+ * client/template: Fix issue in which secrets would be renewed too aggressively
+   [GH-3360]

 ## 0.6.3 (September 11, 2017)

--- a/api/jobs_test.go
+++ b/api/jobs_test.go
@ -396,7 +396,7 @@ func TestJobs_Canonicalize(t *testing.T) {
 										LeftDelim:    helper.StringToPtr("{{"),
 										RightDelim:   helper.StringToPtr("}}"),
 										Envvars:      helper.BoolToPtr(false),
-										VaultGrace:   helper.TimeToPtr(5 * time.Minute),
+										VaultGrace:   helper.TimeToPtr(15 * time.Second),
 									},
 									{
 										SourcePath:   helper.StringToPtr(""),
--- a/api/tasks.go
+++ b/api/tasks.go
@ -485,7 +485,7 @@ func (tmpl *Template) Canonicalize() {
 		tmpl.Envvars = helper.BoolToPtr(false)
 	}
 	if tmpl.VaultGrace == nil {
-		tmpl.VaultGrace = helper.TimeToPtr(5 * time.Minute)
+		tmpl.VaultGrace = helper.TimeToPtr(15 * time.Second)
 	}
 }

--- a/vendor/github.com/hashicorp/consul-template/config/vault.go
+++ b/vendor/github.com/hashicorp/consul-template/config/vault.go
@ -9,9 +9,9 @@ import (

 const (
 	// DefaultVaultGrace is the default grace period before which to read a new
-	// secret from Vault. If a lease is due to expire in 5 minutes, Consul
+	// secret from Vault. If a lease is due to expire in 15 seconds, Consul
 	// Template will read a new secret at that time minus this value.
-	DefaultVaultGrace = 5 * time.Minute
+	DefaultVaultGrace = 15 * time.Second

 	// DefaultVaultRenewToken is the default value for if the Vault token should
 	// be renewed.
--- a/vendor/github.com/hashicorp/consul-template/manager/runner.go
+++ b/vendor/github.com/hashicorp/consul-template/manager/runner.go
@ -42,7 +42,8 @@ type Runner struct {
 	dry, once bool

 	// outStream and errStream are the io.Writer streams where the runner will
-	// write information.
+	// write information. These can be modified by calling SetOutStream and
+        // SetErrStream accordingly.

 	// inStream is the ioReader where the runner will read information.
 	outStream, errStream io.Writer
@ -951,7 +952,13 @@ func (r *Runner) allTemplatesRendered() bool {

 	for _, tmpl := range r.templates {
 		event, rendered := r.renderEvents[tmpl.ID()]
-		if !rendered || !event.DidRender {
+		if !rendered {
+			return false
+		}
+
+		// The template might already exist on disk with the exact contents, but
+		// we still want to count that as "rendered" [GH-1000].
+		if !event.DidRender && !event.WouldRender {
 			return false
 		}
 	}
@ -1062,6 +1069,16 @@ func (r *Runner) deletePid() error {
 	return nil
 }

+// SetOutStream modifies runner output stream. Defaults to stdout.
+func (r *Runner) SetOutStream(out io.Writer) {
+	r.outStream = out
+}
+
+// SetErrStream modifies runner error stream. Defaults to stderr.
+func (r *Runner) SetErrStream(err io.Writer) {
+	r.errStream = err
+}
+
 // spawnChildInput is used as input to spawn a child process.
 type spawnChildInput struct {
 	Stdin        io.Reader
--- a/vendor/vendor.json
+++ b/vendor/vendor.json
@ -709,44 +709,44 @@
 		{
 			"checksumSHA1": "Nu2j1GusM7ZH0uYrGzqr1K7yH7I=",
 			"path": "github.com/hashicorp/consul-template/child",
-			"revision": "2ad07927ef7f87f3e513becb58b3fe6d2c3cbb7d",
-			"revisionTime": "2017-09-01T21:49:09Z"
+			"revision": "16b6f8c417d88c88e9b88af6235da2582397c709",
+			"revisionTime": "2017-10-03T21:31:50Z"
 		},
 		{
-			"checksumSHA1": "lemUzh6uQDMxuvTT/BREYdGcS0U=",
+			"checksumSHA1": "nkbwT6jsnaXDiXrJFjCge9W5ULo=",
 			"path": "github.com/hashicorp/consul-template/config",
-			"revision": "2ad07927ef7f87f3e513becb58b3fe6d2c3cbb7d",
-			"revisionTime": "2017-09-01T21:49:09Z"
+			"revision": "16b6f8c417d88c88e9b88af6235da2582397c709",
+			"revisionTime": "2017-10-03T21:31:50Z"
 		},
 		{
 			"checksumSHA1": "ki5mjKALz3JrAee3mYUNl8pFJnU=",
 			"path": "github.com/hashicorp/consul-template/dependency",
-			"revision": "2ad07927ef7f87f3e513becb58b3fe6d2c3cbb7d",
-			"revisionTime": "2017-09-01T21:49:09Z"
+			"revision": "16b6f8c417d88c88e9b88af6235da2582397c709",
+			"revisionTime": "2017-10-03T21:31:50Z"
 		},
 		{
-			"checksumSHA1": "ZuqKmrZAWgHbWGGt1e9RAMZ4wvs=",
+			"checksumSHA1": "yXXJXYYs/OPVJW2ErBiQVaLxSt0=",
 			"path": "github.com/hashicorp/consul-template/manager",
-			"revision": "2ad07927ef7f87f3e513becb58b3fe6d2c3cbb7d",
-			"revisionTime": "2017-09-01T21:49:09Z"
+			"revision": "16b6f8c417d88c88e9b88af6235da2582397c709",
+			"revisionTime": "2017-10-03T21:31:50Z"
 		},
 		{
 			"checksumSHA1": "YSEUV/9/k85XciRKu0cngxdjZLE=",
 			"path": "github.com/hashicorp/consul-template/signals",
-			"revision": "2ad07927ef7f87f3e513becb58b3fe6d2c3cbb7d",
-			"revisionTime": "2017-09-01T21:49:09Z"
+			"revision": "16b6f8c417d88c88e9b88af6235da2582397c709",
+			"revisionTime": "2017-10-03T21:31:50Z"
 		},
 		{
 			"checksumSHA1": "zSvJlNfZS3fCRlFaZ7r9Q+N17T8=",
 			"path": "github.com/hashicorp/consul-template/template",
-			"revision": "2ad07927ef7f87f3e513becb58b3fe6d2c3cbb7d",
-			"revisionTime": "2017-09-01T21:49:09Z"
+			"revision": "16b6f8c417d88c88e9b88af6235da2582397c709",
+			"revisionTime": "2017-10-03T21:31:50Z"
 		},
 		{
 			"checksumSHA1": "b4+Y+02pY2Y5620F9ALzKg8Zmdw=",
 			"path": "github.com/hashicorp/consul-template/watch",
-			"revision": "2ad07927ef7f87f3e513becb58b3fe6d2c3cbb7d",
-			"revisionTime": "2017-09-01T21:49:09Z"
+			"revision": "16b6f8c417d88c88e9b88af6235da2582397c709",
+			"revisionTime": "2017-10-03T21:31:50Z"
 		},
 		{
 			"checksumSHA1": "jfELEMRhiTcppZmRH+ZwtkVS5Uw=",
--- a/website/source/docs/job-specification/template.html.md
+++ b/website/source/docs/job-specification/template.html.md
@ -94,14 +94,19 @@ README][ct]. Since Nomad v0.6.0, templates can be read as environment variables.
  prevent a thundering herd problem where all task instances restart at the same
  time.

- `vault_grace` `(string: "5m")` - Specifies the grace period between lease
-  renewal and secret re-acquisition. When renewing a secret, if the remaining
-  lease is less than or equal to the configured grace, the template will request
-  a new credential. This prevents Vault from revoking the secret at its
-  expiration and the task having a stale secret. If the grace is set to a value
-  that is higher than your default TTL or max TTL, the template will always read
-  a new secret. If the task defines several templates, the `vault_grace` will be
-  set to the lowest value across all the templates.
+-   `vault_grace` `(string: "5m")` - Specifies the grace period between lease
+    renewal and secret re-acquisition. When renewing a secret, if the remaining
+    lease is less than or equal to the configured grace, the template will request
+    a new credential. This prevents Vault from revoking the secret at its
+    expiration and the task having a stale secret.
+    
+    If the grace is set to a value that is higher than your default TTL or max
+    TTL, the template will always read a new secret. **If secrets are being
+    renewed constantly, increase the `vault_grace`.**
+    
+    If the task defines several templates, the `vault_grace` will be set to the
+    lowest value across all the templates.
+

 ## `template` Examples