Work around Vault DB static creds TTL rollover bug #730
Conversation
benashz
force-pushed
the
VAULT-26529/vds-work-around-scheduled-static-creds-ttl-rollover
branch
from
498d725
to
0115e07
Compare
When syncing database static credentials role configured with scheduled rotation, the TTL is incorrectly rolled over within the same rotation period. Since, VSO relies on the TTL for its sync scheduling, an invalid TTL results in syncing stale credentials. This fix, attempts to detect the TTL rollover bug, and ensure that current rotated creds are properly synced.
benashz
force-pushed
the
VAULT-26529/vds-work-around-scheduled-static-creds-ttl-rollover
branch
from
0115e07
to
5d6bb40
Compare
…-creds-ttl-rollover
controllers/registry_test.go
Outdated
| @@ -348,6 +348,7 @@ func Test_resourceReferenceCache(t *testing.T) { | |||
| } | |||
|
|
|||
| func TestSyncRegistry(t *testing.T) { | |||
| t.Skip() | |||
There was a problem hiding this comment.
Suggest mentioning why this is now skipped
| // considered to be reliable to the TTL roll-over bug that might exist in the database | ||
| // secrets engine. |
There was a problem hiding this comment.
Is this bug going to be fixed on the Vault side? i.e. wondering if we need to support a buggy Vault version if it's going to be fixed in the next patch release of Vault?
There was a problem hiding this comment.
Yeah that is a great question. We will be fixing the issue in Vault, just no ETA yet. I think it's okay to provide a best effort workaround for those users affected, especially since this workaround is to address a support escalation.
| } | ||
|
|
||
| if v, ok := data["rotation_schedule"]; ok && v != nil { | ||
| if schedule, ok := v.(string); ok && v != nil { |
There was a problem hiding this comment.
I think v != nil is already known from the previous if?
There was a problem hiding this comment.
Updated in 145b47a
| ) | ||
|
|
||
| bo := backoff.NewExponentialBackOff( | ||
| // typically the rotation period is 5s, so it should be safe to double that. |
There was a problem hiding this comment.
I think 5s is the minimum rotation_period? Not necessarily typical?
There was a problem hiding this comment.
Updated in 145b47a
benashz
force-pushed
the
VAULT-26529/vds-work-around-scheduled-static-creds-ttl-rollover
branch
from
fa31cba
to
145b47a
Compare
…-creds-ttl-rollover
When syncing database static credentials role configured with scheduled rotation, the TTL is incorrectly rolled over within the same rotation period. Since, VSO relies on the TTL for its sync scheduling, an invalid TTL results in syncing stale credentials.
This fix, attempts to detect the TTL rollover bug, and ensure that current rotated creds are properly synced.