This repository was archived by the owner on Apr 6, 2026. It is now read-only.

CERTS-176 - Provide a way to fetch a new OpenBao secret when the old one expires #198

Merged
dborovcanin merged 6 commits into absmach:main from nyagamunene:CERT-176 on Jan 19, 2026

Conversation

@nyagamunene
Contributor

What type of PR is this?

What does this do?

Which issue(s) does this PR fix/relate to?

Have you included tests for your changes?

Did you document any new/modified features?

Notes

@nyagamunene nyagamunene marked this pull request as ready for review January 14, 2026 17:54
Comment thread docker/.env Outdated
AM_CERTS_DB_SSL_ROOT_CERT=
AM_CERTS_DB_MAX_CONNECTIONS=100
AM_CERTS_HTTP_HOST=certs
AM_CERTS_HTTP_HOST=0.0.0.0
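Review bot: AM_CERTS_HTTP_HOST appears twice in this snippet, once as certs and once as 0.0.0.0. If both lines end up in docker/.env the later assignment wins in dotenv parsing, so whichever value is intended (the thread settles on certs), leave exactly one AM_CERTS_HTTP_HOST line in the file.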

Contributor

keeping it as certs is fine

SammyOina previously approved these changes Jan 15, 2026
Comment thread cmd/certs/main.go Outdated
OpenBaoServiceToken string `env:"AM_CERTS_SERVICE_TOKEN" envDefault:""`
ServiceTokenPath string `env:"AM_CERTS_SERVICE_TOKEN_PATH" envDefault:""`
SecretIDPath string `env:"AM_CERTS_SECRET_ID_PATH" envDefault:""`
SecretRefreshBuffer string `env:"AM_CERTS_SECRET_REFRESH_BUFFER" envDefault:"24h"`
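Review bot: SecretRefreshBuffer is a duration but is declared as string with envDefault "24h"; parse it with time.ParseDuration at startup and fail on an invalid value rather than falling back silently, or type the field as time.Duration so the env loader rejects bad input before the renewal loop runs. The snippet also accepts both AM_CERTS_SERVICE_TOKEN and AM_CERTS_SERVICE_TOKEN_PATH with no comment on which wins when both are set; document the precedence on the fields.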

Contributor

Buffer is an inconvenient name for something that represents duration.

Comment thread pki/openbao.go Outdated
secret *api.Secret
logger *slog.Logger
serviceToken string
refreshBuffer time.Duration
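Review bot: secret and serviceToken are plain fields that a background renewal loop will overwrite while request handlers read them, and nothing in these lines shows a mutex or atomic guarding them. Add a sync.RWMutex around reads and the renewal write (or hold the current *api.Secret behind an atomic.Pointer) so a renewal cannot race a concurrent read of the old value.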

Contributor

Same, use refreshBufferTTL.

Contributor Author

@dborovcanin What about renewThreshold since it is not TTL

Comment thread pki/openbao.go Outdated
continue
}

timeUntilExpiry := time.Until(createdAt.Add(ttl))
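Review bot: timeUntilExpiry assumes ttl is non-zero. In AppRole a secret_id_ttl of 0 means the secret ID never expires, so createdAt.Add(0) is already in the past and every check would treat the secret as expiring and trigger a renewal. Unless the continue branch above already covers it, guard ttl == 0 (treat as never-expiring and skip the time-based check) before computing timeUntilExpiry.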

Contributor

Extract createdAt.Add(ttl) to a var; it's potentially used later in logging.

Comment thread pki/openbao.go Outdated
timeUntilExpiry := time.Until(createdAt.Add(ttl))

if timeUntilExpiry <= agent.refreshBuffer {
agent.logger.Warn("Secret ID approaching expiration", "time_until_expiry", timeUntilExpiry, "refresh_buffer", agent.refreshBuffer, "expiry_time", createdAt.Add(ttl))
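Review bot: the warning records the remaining time and the expiry time, but the renewal it triggers also needs an outcome log; a renewal that fails (OpenBao unreachable, secret ID already expired) should be logged at error level with the remaining time so an operator can act before the hard expiry, since with a 30s check interval this warning will otherwise repeat silently. Keep the secret ID value itself out of every log line.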

Contributor

"Secret ID approaching expiration and will be renewed" or something like this - it's more informative that renewal starts immediately.

Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>
Comment thread cmd/certs/main.go Outdated
Comment on lines 67 to 79
OpenBaoHost string `env:"AM_CERTS_OPENBAO_HOST" envDefault:"http://localhost:8200"`
OpenBaoAppRole string `env:"AM_CERTS_OPENBAO_APP_ROLE" envDefault:""`
OpenBaoAppSecret string `env:"AM_CERTS_OPENBAO_APP_SECRET" envDefault:""`
OpenBaoNamespace string `env:"AM_CERTS_OPENBAO_NAMESPACE" envDefault:""`
OpenBaoPKIPath string `env:"AM_CERTS_OPENBAO_PKI_PATH" envDefault:"pki"`
OpenBaoRole string `env:"AM_CERTS_OPENBAO_ROLE" envDefault:"certs"`
OpenBaoServiceToken string `env:"AM_CERTS_SERVICE_TOKEN" envDefault:""`
ServiceTokenPath string `env:"AM_CERTS_SERVICE_TOKEN_PATH" envDefault:""`
SecretIDPath string `env:"AM_CERTS_SECRET_ID_PATH" envDefault:""`
SecretRenewThreshold string `env:"AM_CERTS_SECRET_RENEW_THRESHOLD" envDefault:"24h"`
SecretIDTTL string `env:"AM_CERTS_OPENBAO_SECRET_ID_TTL" envDefault:"72h"`
SecretCheckInterval string `env:"AM_CERTS_SECRET_CHECK_INTERVAL" envDefault:"30s"`
}
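Review bot: the defaults (SecretIDTTL 72h, SecretRenewThreshold 24h, SecretCheckInterval 30s) are consistent with each other, but nothing in this struct stops an operator setting the threshold at or above the TTL, in which case every freshly issued secret ID already counts as expiring and the agent renews on every 30s tick; validate threshold < TTL and interval > 0 after parsing. SecretIDTTL is named with the OPENBAO_ prefix while SecretRenewThreshold and SecretCheckInterval are not; pick one prefix for the three related settings.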


spacing between env and envDefault is not the same.
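The threads above settle on a renewal threshold (renew when time until expiry is at or below AM_CERTS_SECRET_RENEW_THRESHOLD) and three duration settings kept as strings. The following is an added example, not code from this PR or from the absmach/certs repository, of the decision the check loop has to make: the string settings are parsed with time.ParseDuration and validated together, and the threshold comparison is isolated in a pure function with the clock injected so it can be tested, including the ttl == 0 case (an AppRole secret_id_ttl of 0 means the secret ID never expires). The type and function names, the struct fields and the sample timeline are assumptions for this example.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// RenewConfig holds the three durations the PR reads from the environment.
// Field names are assumptions for this example; the PR keeps the raw strings
// (AM_CERTS_SECRET_RENEW_THRESHOLD, AM_CERTS_OPENBAO_SECRET_ID_TTL,
// AM_CERTS_SECRET_CHECK_INTERVAL) and parses them elsewhere.
type RenewConfig struct {
	RenewThreshold time.Duration // renew once no more than this much lifetime remains
	SecretIDTTL    time.Duration // TTL requested for each new secret ID; 0 = never expires
	CheckInterval  time.Duration // how often the remaining lifetime is evaluated
}

// ParseRenewConfig parses the raw env strings with time.ParseDuration and
// rejects combinations under which the renewal loop cannot behave sensibly.
func ParseRenewConfig(threshold, ttl, interval string) (RenewConfig, error) {
	var cfg RenewConfig
	var err error
	if cfg.RenewThreshold, err = time.ParseDuration(threshold); err != nil {
		return RenewConfig{}, fmt.Errorf("AM_CERTS_SECRET_RENEW_THRESHOLD: %w", err)
	}
	if cfg.SecretIDTTL, err = time.ParseDuration(ttl); err != nil {
		return RenewConfig{}, fmt.Errorf("AM_CERTS_OPENBAO_SECRET_ID_TTL: %w", err)
	}
	if cfg.CheckInterval, err = time.ParseDuration(interval); err != nil {
		return RenewConfig{}, fmt.Errorf("AM_CERTS_SECRET_CHECK_INTERVAL: %w", err)
	}
	if cfg.CheckInterval <= 0 {
		return RenewConfig{}, errors.New("check interval must be positive")
	}
	if cfg.RenewThreshold < 0 || cfg.SecretIDTTL < 0 {
		return RenewConfig{}, errors.New("durations must not be negative")
	}
	// A threshold at or above the TTL makes every freshly issued secret ID look
	// "expiring" on its first check, so the agent would renew on every tick.
	if cfg.SecretIDTTL > 0 && cfg.RenewThreshold >= cfg.SecretIDTTL {
		return RenewConfig{}, errors.New("renew threshold must be shorter than secret ID TTL")
	}
	return cfg, nil
}

// Decision is what one pass of the check loop concludes.
type Decision struct {
	Renew     bool          // true when a new secret ID must be fetched now
	ExpiresAt time.Time     // createdAt + ttl; zero when the secret ID never expires
	Remaining time.Duration // time left before ExpiresAt; negative once expired
}

// ShouldRenew applies the PR's threshold check (time until expiry <= threshold)
// with the clock passed in. A ttl of 0 means the secret ID never expires in
// AppRole, so it is never renewed on time grounds.
func ShouldRenew(now, createdAt time.Time, ttl, threshold time.Duration) Decision {
	if ttl <= 0 {
		return Decision{}
	}
	expiresAt := createdAt.Add(ttl)
	remaining := expiresAt.Sub(now)
	return Decision{Renew: remaining <= threshold, ExpiresAt: expiresAt, Remaining: remaining}
}

func main() {
	cfg, err := ParseRenewConfig("24h", "72h", "30s") // the PR's defaults
	if err != nil {
		panic(err)
	}
	// Constructed timeline: a secret ID issued at noon with the 72h default TTL.
	createdAt := time.Date(2026, 1, 19, 12, 0, 0, 0, time.UTC)
	for _, elapsed := range []time.Duration{time.Hour, 47 * time.Hour, 48 * time.Hour, 73 * time.Hour} {
		d := ShouldRenew(createdAt.Add(elapsed), createdAt, cfg.SecretIDTTL, cfg.RenewThreshold)
		fmt.Printf("after %-5v remaining=%-6v renew=%v\n", elapsed, d.Remaining, d.Renew)
	}
}
```

With the defaults the secret ID is left alone for the first 48 hours, renewal starts at exactly 24h remaining, and an already-expired secret ID (negative remaining time) is still flagged for renewal so the loop recovers after a long outage instead of waiting forever.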

Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>
@dborovcanin dborovcanin merged commit 4058292 into absmach:main Jan 19, 2026
3 checks passed
nyagamunene added a commit to nyagamunene/certs that referenced this pull request Mar 12, 2026
…one expires (absmach#198)

* initial commit

Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>

* fix failing linter

Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>

* address comments

Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>

* address comments

Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>

* fix failing linter

Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>

* fix spacing

Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>

---------

Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>
4 participants