PKI renew strategy will cause renew time really close to expiration time #1775

evan361425 opened this issue Jul 3, 2023 · 0 comments
evan361425 commented Jul 3, 2023

Consul Template version

consul-template -v
consul-template v0.32.0 (a9261315)

Expected behavior

The PKI certificate should be reloaded at at least 87% of its lifespan in the vault_pki#goodfor function.

Actual behavior

If the jitter outputs a negative result, it may let the watcher sleep again after it first wakes up. For example:

First we issue a 24hr certificate and start calculating the goodfor value. The four variables inside the function will be:

lifespan := "24h"
duration := "24h" // since we calculate after issuing it
gooddur := "24h * 0.9" = "21.6h"
mindur := "2.4h"

If we assume the jitter outputs 87% of the duration:

gooddur = "24h * 0.87" = "20.88h"

Now the watcher will sleep for 20.88 hours, and after it wakes up it calculates goodfor again:

lifespan := "24h"
duration := "24h - 20.88h" = "3.12h"
gooddur := "3.12h * 0.9" = "2.808h"
mindur := "2.4h"

This time gooddur is still greater than mindur, which causes it to sleep again!

The third calculation will cause the reload time to be really close to the expiration time.

Solution

Calculate mindur as 0.87 * lifespan.
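
The wake-up sequence described in this issue, replayed as an added Go example (not consul-template's code and not written by the issue author). `sleepFor` and `renewPoint` are hypothetical names, the 90% check and the fixed 87% jitter are taken from the numbers above, and the second run assumes the proposed change means setting mindur to 0.87 * lifespan.

```go
package main

import (
	"fmt"
	"time"
)

// sleepFor is a hypothetical model of the check described in the issue, not
// consul-template's source: renew once 90% of the remaining validity is at or
// below floor (mindur), otherwise sleep for jitterPct percent of the remainder.
func sleepFor(remaining, floor time.Duration, jitterPct int64) (time.Duration, bool) {
	if remaining*90/100 <= floor {
		return 0, false // renew now
	}
	return remaining * time.Duration(jitterPct) / 100, true
}

// renewPoint replays the watcher's wake-ups for a freshly issued certificate.
// It returns how long after issuance renewal triggers and how many sleeps
// preceded it. The jitter is held constant so the replay is deterministic.
func renewPoint(lifespan, floor time.Duration, jitterPct int64) (time.Duration, int) {
	var elapsed time.Duration
	sleeps := 0
	for {
		d, ok := sleepFor(lifespan-elapsed, floor, jitterPct)
		if !ok || d <= 0 { // d <= 0 guards against a zero jitter looping forever
			return elapsed, sleeps
		}
		elapsed += d
		sleeps++
	}
}

func main() {
	day := 24 * time.Hour // constructed input: the 24h certificate from the issue
	// First floor: mindur = lifespan/10 (2.4h). Second: assumed fix, 0.87 * lifespan.
	for _, floor := range []time.Duration{day / 10, day * 87 / 100} {
		at, sleeps := renewPoint(day, floor, 87)
		fmt.Printf("mindur=%v: renew after %v (%d sleeps), %v before expiry\n",
			floor, at, sleeps, day-at)
	}
}
```

With mindur at 2.4h the watcher sleeps twice and renews about 24 minutes before expiry; with the assumed 0.87 * lifespan floor it sleeps once and renews at 20.88h.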
