Skip to content

Mark expired Vault token as expired when Vault is unreachable #6235

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 15 commits into
base: main
Choose a base branch
from
Open

Mark expired Vault token as expired when Vault is unreachable #6235

wants to merge 15 commits into from

Conversation

@bosorawis
Copy link
Collaborator

@bosorawis bosorawis commented Nov 10, 2025

Description

Vault credential stores have an internal job that periodically renews Vault tokens. If the renewal call returns a 403 error, the system assumes the token is no longer valid and marks it as expired.

When Vault is unreachable, the system logs an error and continues trying to renew the token past its expiration time since Vault never returns a 403 error. This change checks if the token has already expired; if so, it will mark the token as expired even when communication with Vault returns an error.

PCI review checklist

  • I have documented a clear reason for, and description of, the change I am making.
  • If applicable, I've documented a plan to revert these changes if they require more than reverting the pull request.
  • If applicable, I've documented the impact of any changes to security controls.
    Examples of changes to security controls include using new access control methods, adding or removing logging pipelines, etc.

@bosorawis bosorawis requested a review from a team as a code owner November 10, 2025 09:00
@github-actions github-actions bot added the core label Nov 10, 2025
irenarindos
irenarindos reviewed Nov 10, 2025
View reviewed changes
louisruch
louisruch requested changes Nov 10, 2025
View reviewed changes
Copy link
Collaborator

@louisruch louisruch left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This will not work as you expect, the clientStore created from the renewRevokeStore does not retrieve or set the ExpirationTime - this change will therefore just expire all tokens on any error returned from Vault. We would need to update the store .token() method and update the query to return the expiration time for this to work.

We may also want to consider an alternative path here where the query we run filters out tokens that are past their expiration time - though we would still want to update these tokens to have an expired status somewhere.

louisruch
louisruch requested changes Nov 11, 2025
View reviewed changes
Copy link
Collaborator

@louisruch louisruch left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Might wanna sync up with @laero or @bgajjala8 to chat through order or merges though they have some cleanup to do on the LLB already

@louisruch louisruch added this to the 0.20.x milestone Nov 11, 2025
@bosorawis bosorawis requested a review from louisruch November 12, 2025 04:35
irenarindos
irenarindos requested changes Nov 21, 2025
View reviewed changes
internal/credential/vault/testing.go
ldapContainer any
postgresContainer any

stopped bool
Copy link
Collaborator

@irenarindos irenarindos Nov 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we use an atomic here?

Copy link
Collaborator

@louisruch louisruch Nov 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1

internal/credential/vault/jobs_test.go
// TestTokenRenewalJob_Run_VaultUnreachableTemporarily tests that tokens are not marked
// as expired when Vault is unreachable temporarily.
func TestTokenRenewalJob_Run_VaultUnreachableTemporarily(t *testing.T) {
// t.Parallel() - this was causing test failures, investigate before un-commenting
Copy link
Collaborator

@irenarindos irenarindos Nov 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we just remove these at this point?

internal/credential/vault/private_store_test.go
"github.com/stretchr/testify/require"
)

func Test_token(t *testing.T) {
Copy link
Collaborator

@irenarindos irenarindos Nov 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This isn't used anywhere- should this be removed?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@irenarindos irenarindos irenarindos requested changes

@louisruch louisruch Awaiting requested review from louisruch

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

core/db core/sql core

Projects

None yet

Milestone

0.20.x

Development

Successfully merging this pull request may close these issues.

3 participants

@bosorawis @irenarindos @louisruch