Vault SDK - lifetime_watcher client "increment" and secret lease duration

I believe there is some unintended behavior in the lifetime_watcher SDK code. The SDK calculates a “grace period” using the value of the lease duration of the secret.

The unexpected behavior is when initializing a lifetime watcher with an increment value less than the lease duration. The grace period is calculated using the original lease duration; if the increment value is less than that grace value, it will never sleep or renew.

In my case, the initial lease duration is 12 hours, but I’m trying to renew every 10 minutes (in case of a revocation). The grace period for 12 hours ends up being something near 2 hours, which is greater than my increment value, forcing the return before the time.After call.

I believe this is a bug, but I posted here rather than issues to check my assumption. If there’s a different way to have shorter increments than the secrets default lease please let me know.

I believe this “priorDuration” should be a min(time.Duration(initLeaseDuration) * time.Second, r.increment)
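To make the mechanics concrete, here is an added Go model of the renewal decision described above (constructed for this thread, not the Vault SDK's own code): grace is a fixed fifth of the duration it is derived from, standing in for the SDK's jitter, and each renewal is assumed to come back with exactly the requested increment remaining. It contrasts deriving grace from the initial lease with the proposed min(initLease, increment).

```go
package main

import (
	"fmt"
	"time"
)

// graceFor models the grace period as a fixed fifth of priorDuration.
// The SDK derives grace from a random jitter on the lease; the fixed
// fraction is a constructed stand-in, not the SDK's formula.
func graceFor(priorDuration time.Duration) time.Duration {
	return priorDuration / 5
}

// priorDurationOriginal: grace comes from the secret's initial lease alone,
// which is the behaviour the post describes.
func priorDurationOriginal(initLease, increment time.Duration) time.Duration {
	return initLease
}

// priorDurationProposed: the poster's min(initLease, increment).
func priorDurationProposed(initLease, increment time.Duration) time.Duration {
	if increment > 0 && increment < initLease {
		return increment
	}
	return initLease
}

// simulateRenewals counts renewals within horizon. Assumptions: each renewal
// comes back with exactly `increment` remaining, and the watcher sleeps
// (remaining - grace) before renewing, returning early once remaining <= grace.
func simulateRenewals(initLease, increment, horizon time.Duration,
	pick func(initLease, increment time.Duration) time.Duration) int {
	grace := graceFor(pick(initLease, increment))
	remaining, renewals := increment, 0
	for elapsed := time.Duration(0); ; {
		if remaining <= grace {
			return renewals // returns before ever reaching time.After
		}
		elapsed += remaining - grace
		if elapsed >= horizon {
			return renewals
		}
		renewals++
		remaining = increment
	}
}

func main() {
	lease, inc, horizon := 12*time.Hour, 10*time.Minute, time.Hour
	fmt.Println("original:", simulateRenewals(lease, inc, horizon, priorDurationOriginal)) // 0
	fmt.Println("proposed:", simulateRenewals(lease, inc, horizon, priorDurationProposed)) // 7
}
```

With the 12h lease and 10m increment from the post, the original derivation yields a grace of 2h24m and zero renewals in an hour, while the min() variant yields a 2m grace and seven renewals.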

Hey @vlaurenzano!

The links that you posted do not seem to work and/or are from a different repository than one managed by HashiCorp. Can you double check if these are the correct links?

@RemcoBuddelmeijer Thank you for pointing that out, it was linked from our private vendor folder. I’ve updated the links to HashiCorp’s repository.