Implement background process in go-mod-secrets to extend TTL of secret store tokens
Closed this issue · 2 comments
Feature Request
Relevant Package
Affects go-mod-secrets.
Description
Vault tokens have a limited TTL and it is necessary to renew them periodically. Since tokens in the Geneva timeframe are currently only generated once at boot, a token that is not renewed will eventually expire.
Describe the solution you'd like
When go-mod-security starts and processes a Vault token, it shall start a goroutine in the background that calls the token refresh API (/auth/token/renew-self) to extend the TTL when less than half of its TTL remains. It should continue this indefinitely.
Please see the following for a background timer example:
https://stackoverflow.com/questions/16466320/is-there-a-way-to-do-repetitive-tasks-at-intervals-in-golang/16466581
The background process should also accept a Context object (https://rakyll.org/leakingctx/) that allows for termination of the goroutine associated with the timer, to avoid leaking goroutines.
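An added example of the renewal loop described above, written in Go; it is not go-mod-secrets code. The renewal call is injected as a `RenewFunc` standing in for Vault's /auth/token/renew-self, and the retry interval after a failed renewal (a quarter of the last known TTL) is an assumption this issue does not specify.

```go
package main

import (
	"context"
	"sync/atomic"
	"time"
)

// RenewFunc renews the current token and returns its new TTL. In production it
// would call Vault's /auth/token/renew-self; here it is injected (a hypothetical
// interface, not go-mod-secrets') so the loop can be exercised offline.
type RenewFunc func(ctx context.Context) (time.Duration, error)

// TokenRenewer renews a token once less than half of its TTL remains and stops,
// without leaking the goroutine or its timer, when the context is cancelled.
type TokenRenewer struct {
	renew    RenewFunc
	renewals int64 // successful renewals, read atomically
}

// renewDelay waits half the TTL, so renewal fires as the half-way point passes.
func renewDelay(ttl time.Duration) time.Duration { return ttl / 2 }

// Run blocks until ctx is done; initialTTL is the TTL of the token issued at boot.
func (r *TokenRenewer) Run(ctx context.Context, initialTTL time.Duration) {
	ttl := initialTTL
	timer := time.NewTimer(renewDelay(ttl))
	defer timer.Stop() // release the timer when the goroutine exits
	for {
		select {
		case <-ctx.Done(): // shutdown requested: return instead of looping forever
			return
		case <-timer.C:
			newTTL, err := r.renew(ctx)
			if err != nil { // assumed policy: retry soon rather than let the token lapse
				timer.Reset(ttl / 4)
				continue
			}
			ttl = newTTL
			atomic.AddInt64(&r.renewals, 1)
			timer.Reset(renewDelay(ttl))
		}
	}
}

// Renewals reports successful renewals so far (useful for metrics and tests).
func (r *TokenRenewer) Renewals() int64 { return atomic.LoadInt64(&r.renewals) }
```

Start it with `go r.Run(ctx, ttl)` using a context cancelled on service shutdown; the loop exits on cancellation and never renews after it.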
Describe alternatives you've considered
The only tokens that do not expire are Vault root tokens. Pervasive use of root tokens violates the Vault security model.
@AnthonyMBonafide please label as: enhancement, security-services, geneva
Closing issue as it has been addressed in PR #45