sending err back to fetch to trigger backoff retry

.golangci.yml

@@ -24,6 +24,7 @@ linters:
           allow:
             - $gostd
             - github.com/BurntSushi/toml
+            - github.com/cenkalti/backoff/v4
             - golang.org/x/sys/unix
             - golang.org/x/exp/maps
             - golang.org/x/text/cases

dependency/vault_common.go

@@ -20,8 +20,23 @@ var (
 	onceVaultDefaultLeaseDuration  sync.Once
 	VaultLeaseRenewalThreshold     float64
 	onceVaultLeaseRenewalThreshold sync.Once
+
+	// VaultTTLZeroMaxRetries is the maximum number of retries for TTL=0 cases
+	// Set to 0 for unlimited retries. Default: 0 (unlimited)
+	VaultTTLZeroMaxRetries = 0
+
+	// VaultTTLZeroMaxBackoff is the maximum backoff time for TTL=0 retries
+	// Default: 5 minutes
+	VaultTTLZeroMaxBackoff = 5 * time.Minute
 )
 
+// VaultTTLZeroError is returned when a rotating secret has TTL=0
+type VaultTTLZeroError struct{}
+
+func (e *VaultTTLZeroError) Error() string {
+	return "vault rotating secret returned ttl=0, will retry"
+}
+
 // Secret is the structure returned for every secret within Vault.
 type Secret struct {
 	// The request ID that generated this response
@@ -110,8 +125,8 @@ func renewSecret(clients *ClientSet, d renewer) error {
 }
 
 // leaseCheckWait accepts a secret and returns the recommended amount of
-// time to sleep.
-func leaseCheckWait(s *Secret) time.Duration {
+// time to sleep. Returns an error if TTL=0 to trigger retry mechanism.
+func leaseCheckWait(s *Secret) (time.Duration, error) {
 	// Handle whether this is an auth or a regular secret.
 	base := s.LeaseDuration
 	if s.Auth != nil && s.Auth.LeaseDuration > 0 {
@@ -143,11 +158,15 @@ func leaseCheckWait(s *Secret) time.Duration {
 	var rotatingSecret bool
 	if _, ok := s.Data["rotation_period"]; ok && s.LeaseID == "" {
 		if ttlInterface, ok := s.Data["ttl"]; ok {
-			if ttlData, err := ttlInterface.(json.Number).Int64(); err == nil {
+			if ttlData, err := ttlInterface.(json.Number).Int64(); err == nil && ttlData > 0 {
 				log.Printf("[DEBUG] Found rotation_period and set lease duration to %d seconds", ttlData)
 				// Add a second for cushion
 				base = int(ttlData) + 1
 				rotatingSecret = true
+			} else if err == nil && ttlData == 0 {
+				// TTL is 0, return error to trigger retry mechanism
+				log.Printf("[DEBUG] Found rotation_period with ttl=0, returning error to trigger retry")
+				return 0, &VaultTTLZeroError{}
 			}
 		}
 	}
@@ -186,7 +205,7 @@ func leaseCheckWait(s *Secret) time.Duration {
 		sleep = sleep * finalFraction
 	}
 
-	return time.Duration(sleep)
+	return time.Duration(sleep), nil
 }
 
 // printVaultWarnings prints warnings for a given dependency.

dependency/vault_common_test.go

@@ -20,15 +20,21 @@ func init() {
 
 func TestVaultRenewDuration(t *testing.T) {
 	renewable := Secret{LeaseDuration: 100, Renewable: true}
-	renewableDur := leaseCheckWait(&renewable).Seconds()
-	if renewableDur < 16 || renewableDur >= 34 {
-		t.Fatalf("renewable duration is not within 1/6 to 1/3 of lease duration: %f", renewableDur)
+	renewableDur, err := leaseCheckWait(&renewable)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if renewableDur.Seconds() < 16 || renewableDur.Seconds() >= 34 {
+		t.Fatalf("renewable duration is not within 1/6 to 1/3 of lease duration: %f", renewableDur.Seconds())
 	}
 
 	nonRenewable := Secret{LeaseDuration: 100}
-	nonRenewableDur := leaseCheckWait(&nonRenewable).Seconds()
-	if nonRenewableDur < 80 || nonRenewableDur > 95 {
-		t.Fatalf("renewable duration is not within 80%% to 95%% of lease duration: %f", nonRenewableDur)
+	nonRenewableDur, err := leaseCheckWait(&nonRenewable)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if nonRenewableDur.Seconds() < 80 || nonRenewableDur.Seconds() > 95 {
+		t.Fatalf("renewable duration is not within 80%% to 95%% of lease duration: %f", nonRenewableDur.Seconds())
 	}
 
 	data := map[string]interface{}{
@@ -37,11 +43,14 @@ func TestVaultRenewDuration(t *testing.T) {
 	}
 
 	nonRenewableRotated := Secret{LeaseDuration: 100, Data: data}
-	nonRenewableRotatedDur := leaseCheckWait(&nonRenewableRotated).Seconds()
+	nonRenewableRotatedDur, err := leaseCheckWait(&nonRenewableRotated)
+	if err != nil {
+		t.Fatal(err)
+	}
 
 	// We expect a 1 second cushion
-	if nonRenewableRotatedDur != 31 {
-		t.Fatalf("renewable duration is not 31: %f", nonRenewableRotatedDur)
+	if nonRenewableRotatedDur.Seconds() != 31 {
+		t.Fatalf("renewable duration is not 31: %f", nonRenewableRotatedDur.Seconds())
 	}
 
 	data = map[string]interface{}{
@@ -50,11 +59,25 @@ func TestVaultRenewDuration(t *testing.T) {
 	}
 
 	nonRenewableRotated = Secret{LeaseDuration: 100, Data: data}
-	nonRenewableRotatedDur = leaseCheckWait(&nonRenewableRotated).Seconds()
+	nonRenewableRotatedDur, err = leaseCheckWait(&nonRenewableRotated)
+	if err != nil {
+		t.Fatal(err)
+	}
 
 	// We expect a 1 second cushion
-	if nonRenewableRotatedDur != 6 {
-		t.Fatalf("renewable duration is not 6: %f", nonRenewableRotatedDur)
+	if nonRenewableRotatedDur.Seconds() != 6 {
+		t.Fatalf("renewable duration is not 6: %f", nonRenewableRotatedDur.Seconds())
+	}
+
+	// Test TTL=0 case - should return error
+	data = map[string]interface{}{
+		"rotation_period": json.Number("30"),
+		"ttl":             json.Number("0"),
+	}
+	nonRenewableRotatedZero := Secret{LeaseDuration: 100, Data: data}
+	_, err = leaseCheckWait(&nonRenewableRotatedZero)
+	if _, ok := err.(*VaultTTLZeroError); !ok {
+		t.Fatalf("expected VaultTTLZeroError for ttl=0, got: %v", err)
 	}
 
 	rawExpiration := time.Now().Unix() + 100
@@ -66,9 +89,12 @@ func TestVaultRenewDuration(t *testing.T) {
 	}
 
 	nonRenewableCert := Secret{LeaseDuration: 100, Data: data}
-	nonRenewableCertDur := leaseCheckWait(&nonRenewableCert).Seconds()
-	if nonRenewableCertDur < 80 || nonRenewableCertDur > 95 {
-		t.Fatalf("non renewable certificate duration is not within 80%% to 95%%: %f", nonRenewableCertDur)
+	nonRenewableCertDur, err := leaseCheckWait(&nonRenewableCert)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if nonRenewableCertDur.Seconds() < 80 || nonRenewableCertDur.Seconds() > 95 {
+		t.Fatalf("non renewable certificate duration is not within 80%% to 95%%: %f", nonRenewableCertDur.Seconds())
 	}
 
 	t.Run("secret ID handling", func(t *testing.T) {
@@ -80,10 +106,13 @@ func TestVaultRenewDuration(t *testing.T) {
 			}
 
 			nonRenewableSecretID := Secret{LeaseDuration: 100, Data: data}
-			nonRenewableSecretIDDur := leaseCheckWait(&nonRenewableSecretID).Seconds()
+			nonRenewableSecretIDDur, err := leaseCheckWait(&nonRenewableSecretID)
+			if err != nil {
+				t.Fatal(err)
+			}
 
-			if nonRenewableSecretIDDur < 0.80*(60+1) || nonRenewableSecretIDDur > 0.95*(60+1) {
-				t.Fatalf("renewable duration is not within 80%% to 95%% of lease duration: %f", nonRenewableSecretIDDur)
+			if nonRenewableSecretIDDur.Seconds() < 0.80*(60+1) || nonRenewableSecretIDDur.Seconds() > 0.95*(60+1) {
+				t.Fatalf("renewable duration is not within 80%% to 95%% of lease duration: %f", nonRenewableSecretIDDur.Seconds())
 			}
 		})
 
@@ -96,10 +125,13 @@ func TestVaultRenewDuration(t *testing.T) {
 			}
 
 			nonRenewableSecretID := Secret{LeaseDuration: leaseDuration, Data: data}
-			nonRenewableSecretIDDur := leaseCheckWait(&nonRenewableSecretID).Seconds()
+			nonRenewableSecretIDDur, err := leaseCheckWait(&nonRenewableSecretID)
+			if err != nil {
+				t.Fatal(err)
+			}
 
-			if nonRenewableSecretIDDur < 0.80*(leaseDuration+1) || nonRenewableSecretIDDur > 0.95*(leaseDuration+1) {
-				t.Fatalf("renewable duration is not within 80%% to 95%% of lease duration: %f", nonRenewableSecretIDDur)
+			if nonRenewableSecretIDDur.Seconds() < 0.80*(leaseDuration+1) || nonRenewableSecretIDDur.Seconds() > 0.95*(leaseDuration+1) {
+				t.Fatalf("renewable duration is not within 80%% to 95%% of lease duration: %f", nonRenewableSecretIDDur.Seconds())
 			}
 		})
 
@@ -111,10 +143,13 @@ func TestVaultRenewDuration(t *testing.T) {
 			}
 
 			nonRenewableSecretID := Secret{LeaseDuration: leaseDuration, Data: data}
-			nonRenewableSecretIDDur := leaseCheckWait(&nonRenewableSecretID).Seconds()
+			nonRenewableSecretIDDur, err := leaseCheckWait(&nonRenewableSecretID)
+			if err != nil {
+				t.Fatal(err)
+			}
 
-			if nonRenewableSecretIDDur < 0.80*(leaseDuration+1) || nonRenewableSecretIDDur > 0.95*(leaseDuration+1) {
-				t.Fatalf("renewable duration is not within 80%% to 95%% of lease duration: %f", nonRenewableSecretIDDur)
+			if nonRenewableSecretIDDur.Seconds() < 0.80*(leaseDuration+1) || nonRenewableSecretIDDur.Seconds() > 0.95*(leaseDuration+1) {
+				t.Fatalf("renewable duration is not within 80%% to 95%% of lease duration: %f", nonRenewableSecretIDDur.Seconds())
 			}
 		})
 	})

dependency/vault_read.go

@@ -88,7 +88,11 @@ func (d *VaultReadQuery) Fetch(clients *ClientSet, opts *QueryOptions,
 	}
 
 	if !vaultSecretRenewable(d.secret) {
-		dur := leaseCheckWait(d.secret)
+		dur, err := leaseCheckWait(d.secret)
+		if err != nil {
+			// TTL=0 case - return error to trigger retry mechanism
+			return nil, nil, err
+		}
 		log.Printf("[TRACE] %s: non-renewable secret, set sleep for %s", d, dur)
 		d.sleepCh <- dur
 	}

dependency/vault_write.go

@@ -91,7 +91,11 @@ func (d *VaultWriteQuery) Fetch(clients *ClientSet, opts *QueryOptions,
 	d.secret = transformSecret(vaultSecret)
 
 	if !vaultSecretRenewable(d.secret) {
-		dur := leaseCheckWait(d.secret)
+		dur, err := leaseCheckWait(d.secret)
+		if err != nil {
+			// TTL=0 case - return error to trigger retry mechanism
+			return nil, nil, err
+		}
 		log.Printf("[TRACE] %s: non-renewable secret, set sleep for %s", d, dur)
 		d.sleepCh <- dur
 	}