Use github.com/hashicorp/vault/api.LifetimeWatcher instead of github.com/hashicorp/vault/api.Renewer

[hiyosi]

• Version:
• Platform:
• Subsystem: UpstreamAuthority vault plugin

The LifetimeWatcher is expected to be added to the next release version of the github.com/hashicorp/vault/api.
It will allow the user to select the behavior what happens when a renewal errors.

https://github.com/hashicorp/vault/blob/v1.6.0/api/lifetime_watcher.go

In the current release version(v1.0.4), it is not possible to select the behavior and will always stop to renew the token when some error occurs.
Therefore, it recommend to replace the Renewer to the LifetimeWatcher.
But I'm not sure when the next version will be released.(The latest release was on 26 Jul 2019.)

$ git tag -l |grep "api"                                                                                                                                                       10:30:50
api/v1.0.1
api/v1.0.2
api/v1.0.3
api/v1.0.4

We can also give a commit hash...what do you think?

[evan2645]

Thank you for opening this @hiyosi (as usual :) )

I don't think there are any objections to doing this, but I do have a few questions!

In the current release version(v1.0.4), it is not possible to select the behavior and will always stop to renew the token when some error occurs.

I'm curious to hear a little bit more about the types of renewal failures that we might encounter, and what the desired behavior would be for each of those. My hope is that there is a clear choice in the behavior, and that we would not need to expose this as configuration.

But I'm not sure when the next version will be released.(The latest release was on 26 Jul 2019.)

Yikes... Perhaps an issue on their repository asking if/when there will be another release? I think there's some general hesitation in moving dependencies to un-released versions

Finally, I assume that this is purely a client-side logic change that does not affect Vault API compatibility, right? In other words, will moving to api.LifetimeWatcher affect which Vault versions our plugin will work with?

[hiyosi]

@evan2645 Thank you for your reply.

My concern is to make sure that the token is renewed continues even if some errors.
So in the vault plugin, I'm thinking that we can use theRenewBehaviorIgnoreErrors behavior and we don't need to expose the behavior to plugin config.

	// RenewBehaviorIgnoreErrors means we will attempt to keep renewing until
	// we hit the lifetime threshold. It also ignores errors stemming from
	// passing a non-renewable lease in. In practice, this means you simply
	// reauthenticate/refetch credentials when the watcher exits. This is the
	// default.
	RenewBehaviorIgnoreErrors RenewBehavior = iota

I think this change is only affect the client code. So there is no affect which Vault versions our plugin will work with.
Further the LifetimeWatcher is used by the Vault internal since Vault 1.13(14 Nov 2019)
hashicorp/vault#7733

I'll create an issue on the hashicorp/vault repository ask them what they are thinking about the next release.

[hiyosi]

hashicorp/vault#10490

[hiyosi]

https://pkg.go.dev/github.com/hashicorp/vault/[email protected] has been released.
I'm going to proceed this issue!

[hiyosi]

PR has been merged.