1

The spring-cloud-vault Lease lifecycle management (renewal and revocation) documentation states that:

spring.cloud.vault.config.lifecycle.min-renewal: sets the duration that is at least required before renewing a lease. This setting prevents renewals from happening too often.

spring.cloud.vault.config.lifecycle.expiry-threshold: sets the expiry theshold. A lease is renewed the configured period of time before it expires.

I'm having a hard time understanding the difference between these two configuration options. It would be helpful to be given an example of how each of these parameters affects the lease renewal lifecycle. For example: it seems pretty clear to me that if the lease TTL is 10 minutes, and if the expiry-threshold is set to 1 minute, then 9 minutes after the lease is acquired spring-cloud-vault would renew the lease. But if that it true what is the purpose for the min-renewal configuration parameter?

Community
  • 1
  • 1
axiopisty
  • 4,972
  • 8
  • 44
  • 73

1 Answers1

3

The expiry threshold controls the renewal time at which the lease is renewed.

For example: it seems pretty clear to me that if the lease TTL is 10 minutes, and if the expiry-threshold is set to 1 minute, then 9 minutes after the lease is acquired spring-cloud-vault would renew the lease.

Your understanding is correct.

What's about min-renewal?

When the remaining validity time of your lease is less than 1 minute (say 30 seconds), then the calculated renewal time would be 30 seconds in the past (or now, as we cannot schedule things to happen in the past). min-renewal helps to debounce renewal requests. This is because, in such a scenario, refresh happens immediately.

Once renewed, SecretLeaseContainer schedules a subsequent renewal that reports a lease validity of slightly less than 30 seconds. We don't want to create a loop that hammers your Vault server with renewal requests if the remaining lease duration is less than expiry-threshold.

Example:

  • expiry-threshold: 60 seconds
  • min-renewal: 10 seconds

The following list of events shows with a time correlation what happens at which time assuming the TTL is final and cannot be extended:

  • 10:00:00 Lease obtained. TTL 10 minutes (600 seconds). Schedule lease renewal in 9 minutes (10 minutes TTL - 1 minute expiry threshold -> 9 minutes)
  • 10:09:00 Lease renewed. Remaining TTL 1 minute (60 seconds). Schedule lease renewal in 10 seconds (1 minute TTL - 1 minute expiry threshold -> 0 minutes. Fall back to 10 seconds min-renewal as that is the larger value -> 10 seconds).
  • 10:09:10 Lease renewed. Remaining TTL 50 seconds. Schedule lease renewal in 10 seconds (50 seconds TTL - 1 minute expiry threshold -> -10 seconds. Fall back to 10 seconds min-renewal as that is the larger value -> 10 seconds).
  • (continue until reaching 10 seconds)
  • 10:09:50 Lease renewed. Remaining TTL less than 10 seconds. Min-renewal is greater than the remaining TTL and the lease is considered expired.

Example where expiry threshold is greater than min-renewal:

  • expiry-threshold: 5 minutes (180 seconds)
  • min-renewal: 6 minutes (360 seconds)

The following list of events shows with a time correlation what happens at which time assuming the TTL is final and cannot be extended:

  • 10:00:00 Lease obtained. TTL 10 minutes (600 seconds). Schedule lease renewal in 6 minutes (10 minutes TTL - 5 minute expiry threshold -> 5 minutes. Min-renewal is set to 6 minutes to issue a renewal at most once in 6 minutes -> 6 minutes)

  • 10:06:00 Lease obtained. TTL 4 minutes (360 seconds). Schedule lease renewal in 6 minutes (4 minutes TTL - 5 minute expiry threshold -> -1 minutes. 6 minutes min-renewal as that is the is greater than the remaining TTL so the lease is considered expired)

mp911de
  • 17,546
  • 2
  • 55
  • 95
  • Thanks. That helps, but I think it could be more clear if you continue to demonstrate exactly how min-renewal affects the lease renewal in your example by providing a concrete example. Does it make sense that this value should be set to a positive value that is less than or equal to the expiry-threshold? What would happen if it is larger than the expiry-threshold? – axiopisty Jan 08 '20 at 17:27
  • Hmm. Now I'm curious why this logic even exists in the first place. Maybe I need to find the correct place to ask the spring-cloud-vault developers. Vault discloses the max_ttl as part of its response along with if the lease is renewable or not. If the lease is not renewable (the TTL is final) then what value is gained by scheduling incrementally smaller leases once the TTL <= expiry-threshold? I'm trying to understand the value this provides. It looks to me like it just causes noise on the vault server (given that the TTL is final). – axiopisty Jan 08 '20 at 18:48
  • 1
    There are multiple reasons for this arrangement. At the time where `SecretLeaseContainer` was built, `max_ttl` wasn't part of the response so Spring Vault had no means to know how long the TTL could be extended. With `max_ttl` in place, the last roundtrips can be eliminated when the absolute remaining TTL is shorter than the threshold. Another reason is that `min-renewal` can be used to debounce requests (sort of a rate limiter) by considering a lease expired instead of triggering renewal requests. – mp911de Jan 08 '20 at 18:58
  • spring.cloud.vault: config.lifecycle: enabled: true // Default is true min-renewal: 10s expiry-threshold: 1m lease-endpoints: Legacy What if don't sent any value for min-renewal, expiry-threshold, and lease-endpoints ..Do they hold any default value ? or renew will not happen? – Sanjay Jain Dec 21 '21 at 06:20