Guys, I have installed Vault on a GKE cluster and I have deployed my API services to different GKE clusters. All the APIs use some env & secrets from the Vault server using Kubernetes authentication. All working fine. But after 1 month the application couldn't fetch secrets, and consul-template is continuously restarting and lagging my applications. My Vault secret default lease is configured as default_lease_ttl 768h. So as per my finding, the application breaks the connection after the given lease TTL has completed. Is there any way to increase this default TTL or set it to the maximum?
I am getting the error below.
```text
2020-04-14T10:38:02.245933588Z URL: PUT https://my-vault:8200/v1/auth/token/renew-self
2020-04-14T10:38:02.245940057Z Code: 403. Errors:
2020-04-14T10:38:02.245946053Z
2020-04-14T10:38:02.245951689Z * permission denied
2020-04-14T10:38:02.245957718Z 2020/04/14 10:38:02.245743 [WARN] vault.token: renewer done (maybe the lease expired)
2020-04-14T10:38:02.245992681Z 2020/04/14 10:38:02.245822 [WARN] (view) lease expired or is not renewable (retry attempt 6 after "32s")
2020-04-14T10:38:34.213575145Z 2020/04/14 10:38:34.213418 [WARN] (view) vault.read(secrets/kubernetes/cluster/stage/myservice/config): vault.read(secrets/kubernetes/cluster/stage/myservice/config): Error making API request.
2020-04-14T10:38:34.213623165Z
2020-04-14T10:38:34.213631105Z URL: GET https://my-vault:8200/v1/secrets/kubernetes/cluster/stage/myservice/config
2020-04-14T10:38:34.213637531Z Code: 403. Errors:
2020-04-14T10:38:34.213657305Z
```
Here is my consul-template config:

```hcl
vault {
  vault_agent_token_file = "/home/vault/.vault-token"
  renew_token = true
  ssl {
    ca_cert = "/etc/vault/tls/ca.pem"
  }
  retry {
    backoff = "1s"
  }
}

template {
  contents = <<EOF
{{with secret "secrets/kubernetes/cluster/stage/myservice/config"}}
{{.Data.env}}
{{end}}
EOF
  destination = "/etc/secrets/.env"
}
```
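The log sequence above (a 403 on `auth/token/renew-self`, then "lease expired or is not renewable", then 403s on every secret read) is the signature of a token that has reached its max TTL rather than one that merely needs renewing: a non-periodic Vault token cannot be renewed past `creation_time + max TTL` (Vault's system default `max_lease_ttl` is 768h), after which only a fresh login can replace it. The following Python script is an added diagnostic example, not code from the original post or from HashiCorp. It parses consul-template log lines of the shape shown above and evaluates the `data` object of `vault token lookup -format=json` output to report whether a token is periodic (renews indefinitely) or how many seconds remain before its hard cap. The sample log and the sample lookup document are constructed for illustration; the regexes assume the message text shown in the post.

```python
"""Tell a token that needs renewing apart from one that has aged out of its max TTL.

Added example (not from the original post). Inputs: consul-template log text and
the `data` object from `vault token lookup -format=json`.
"""
import json
import re

# Constructed sample modelled on the post's log excerpt: Stackdriver timestamp
# prefix, then consul-template's own output. Values are illustrative only.
SAMPLE_LOG = """\
2020-04-14T10:38:02.245933588Z URL: PUT https://my-vault:8200/v1/auth/token/renew-self
2020-04-14T10:38:02.245940057Z Code: 403. Errors:
2020-04-14T10:38:02.245951689Z * permission denied
2020-04-14T10:38:02.245957718Z 2020/04/14 10:38:02.245743 [WARN] vault.token: renewer done (maybe the lease expired)
2020-04-14T10:38:02.245992681Z 2020/04/14 10:38:02.245822 [WARN] (view) lease expired or is not renewable (retry attempt 6 after "32s")
2020-04-14T10:38:34.213575145Z 2020/04/14 10:38:34.213418 [WARN] (view) vault.read(secrets/kubernetes/cluster/stage/myservice/config): vault.read(secrets/kubernetes/cluster/stage/myservice/config): Error making API request.
2020-04-14T10:38:34.213631105Z URL: GET https://my-vault:8200/v1/secrets/kubernetes/cluster/stage/myservice/config
2020-04-14T10:38:34.213637531Z Code: 403. Errors:
"""

RENEW_URL = re.compile(r"URL: PUT \S+/v1/auth/token/renew-self")
HTTP_CODE = re.compile(r"Code: (\d{3})\.")
NOT_RENEWABLE = re.compile(r"lease expired or is not renewable")
READ_FAIL = re.compile(r"vault\.read\(([^)]+)\).*Error making API request")

# Vault's default max_lease_ttl (32 days), in seconds. Override with the value
# from your own server config if it differs.
SYSTEM_MAX_TTL = 768 * 3600

# Constructed sample of `vault token lookup -format=json` output (data object
# only). creation_time is 2020-02-14T10:40:00Z, i.e. two months before the log.
SAMPLE_LOOKUP = {
    "data": {
        "creation_time": 1581676800,
        "explicit_max_ttl": 0,   # 0 means "inherit the system max TTL"
        "period": 0,             # 0 means "not a periodic token"
        "renewable": True,
        "ttl": 3600,
    }
}


def classify_log(text):
    """Scan consul-template log lines and summarise the failure.

    renew_denied: a 403 came back for PUT auth/token/renew-self.
    not_renewable: consul-template gave up renewing the lease.
    failed_reads: secret paths whose read failed after that point.
    token_aged_out: both of the first two, i.e. renewal cannot help and a
    fresh login is the only remedy.
    """
    last_url_was_renew = False
    result = {"renew_denied": False, "not_renewable": False, "failed_reads": []}
    for line in text.splitlines():
        if "URL: " in line:
            # Remember which request the next "Code: NNN." line belongs to.
            last_url_was_renew = bool(RENEW_URL.search(line))
            continue
        code = HTTP_CODE.search(line)
        if code and last_url_was_renew and code.group(1) == "403":
            result["renew_denied"] = True
        if NOT_RENEWABLE.search(line):
            result["not_renewable"] = True
        read = READ_FAIL.search(line)
        if read and read.group(1) not in result["failed_reads"]:
            result["failed_reads"].append(read.group(1))
    result["token_aged_out"] = result["renew_denied"] and result["not_renewable"]
    return result


def token_headroom(lookup, now_epoch, system_max_ttl=SYSTEM_MAX_TTL):
    """Return (periodic, seconds_until_hard_cap) for a token lookup document.

    A periodic token (period > 0) can be renewed indefinitely, so it has no
    hard cap. Any other token dies at creation_time + max TTL regardless of
    how often it is renewed; a negative result means it is already past that.
    """
    data = lookup["data"]
    if (data.get("period") or 0) > 0:
        return True, None
    cap = data.get("explicit_max_ttl") or system_max_ttl
    return False, data["creation_time"] + cap - int(now_epoch)


if __name__ == "__main__":
    print(json.dumps(classify_log(SAMPLE_LOG), indent=2))
    # 2020-04-14T10:38:02Z, the timestamp of the sample log's first line.
    print(token_headroom(SAMPLE_LOOKUP, 1586860682))
```

Run against a live cluster by piping the consul-template pod's log into `classify_log` and the output of `vault token lookup -format=json` into `token_headroom`. A negative headroom on a non-periodic token confirms the cause seen in the post: `renew_token = true` keeps a token alive only up to its max TTL, so the fix lies in how the token is issued (a periodic token or a re-login by Vault Agent auto-auth), not in renewing harder.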