I didn’t read the code well enough before running the vault extension. It looks from the code like if you don’t supply VAULT_TOKEN_RENEWAL, it will create a renewer with a duration of 0. I have been ddossing my vault server for a few days, and luckily it hasn’t completely fallen over, but that is not good at all.
Perhaps a sensible default of 5m would make sense for that?
Token renewal is disabled by default if the renewal value is set to 0. The system does not assume renewal is required since some token types do not expire.
oh maybe this is related to the kubernetes integration? The default vault renewal code handles zero values, so the kubernetes renewal code could also have logic to handle zero values if a lack thereof is causing issues:
// Run performs token renewal at scheduled intervals.
func (r *Renewer) Run(ctx context.Context, renew time.Duration) error {
+ if (renew == 0) {
+ renew = time.Hour
+ }
+
for {
select {
case <-ctx.Done():
return ctx.Err()
case <-time.After(renew):
r.Renew(ctx)
}
}
}
EDIT: @bradrydzewski patched the kubernetes refresher to use a default value when the refresh value is a zero value.
Yes we are using kubernetes auth.