Delay between revocation of database credentials and its lease?

The dynamic database credentials are very helpful, however we are running an app that doesn’t do renewal of these creds itself. We accomplish this through the nomad template stanza, with the with secret tag.

Now we also have splay defined there, as we don’t like our web servers to be restarted all at the same time. But my question is: is there a delay between vault revoking the lease of those credentials (thus triggering the restart) and the actual revocation? If not, then the splay attribute isn’t actually usable, as my app would already be denied database access.

And is there any way to tune the delay, to accomodate a certain splay?

Related: Support re-rendering template expressions with no service disruption · Issue #6151 · hashicorp/nomad · GitHub

That’d be unusual use of the secret engine. What I have seen is A) You control the source code, and make the application vault aware. Now the application knows when the token/lease expires and it can renew and update it’s credentials. B) You run an application as a run-and-terminate where it needs access so you write a shell script that auths to Vault, gets the credential, runs the program and then revokes the lease at the end of the run.

My guess is that with your application you can use (B) above, but set the lease to the MaxLease time … assuming that’s the default 32 days that’ll give you 32 days between restarts.

Well I don’t think it is that unusual. In the spirit of 12factor apps, I don’t think my app should need to deal with those leases. And in this case Nomad is happy to arrange them. However it seems that Nomad doesn’t extend the lease? And if there is indeed an end to the lease, it would be very nice to be able to gracefully stop/restart (ie getting a signal), instead of discovering your creds were revoked in an unrecoverable manner.