add support for 'LeaseRenewalThreshold' in vault agent (#25212)

* add support for 'LeaseRenewalThreshold' in vault agent * allow LeaseRenewalThreshold to be nil * address review comments * Add changelog --------- Co-authored-by: Violet Hynes <violet.hynes@hashicorp.com>
2026-02-03 20:40:45 -05:00 · 2024-02-26 12:49:31 -08:00 · 2024-02-26 12:49:31 -08:00 · 19aeaa57a6
commit 19aeaa57a6
parent ae9ec39d44
6 changed files with 20 additions and 2 deletions
--- a/changelog/25212.txt
+++ b/changelog/25212.txt
@ -0,0 +1,3 @@
+```release-note:improvement
+agent: Added a new config option, `lease_renewal_threshold`, that controls the refresh rate of non-renewable leases in Agent's template engine.
+```
--- a/command/agent/config/config.go
+++ b/command/agent/config/config.go
@ -169,6 +169,7 @@ type TemplateConfig struct {
 	StaticSecretRenderInt    time.Duration `hcl:"-"`
 	MaxConnectionsPerHostRaw interface{}   `hcl:"max_connections_per_host"`
 	MaxConnectionsPerHost    int           `hcl:"-"`
+	LeaseRenewalThreshold    *float64      `hcl:"lease_renewal_threshold"`
 }

 type ExecConfig struct {
--- a/command/agent/config/config_test.go
+++ b/command/agent/config/config_test.go
@ -17,6 +17,10 @@ import (
 	"golang.org/x/exp/slices"
 )

+func FloatPtr(t float64) *float64 {
+	return &t
+}
+
 func TestLoadConfigFile_AgentCache(t *testing.T) {
 	config, err := LoadConfigFile("./test-fixtures/config-cache.hcl")
 	if err != nil {
@ -1046,6 +1050,7 @@ func TestLoadConfigFile_TemplateConfig(t *testing.T) {
 				ExitOnRetryFailure:    true,
 				StaticSecretRenderInt: 1 * time.Minute,
 				MaxConnectionsPerHost: 100,
+				LeaseRenewalThreshold: FloatPtr(0.8),
 			},
 		},
 		"empty": {
--- a/command/agent/config/test-fixtures/config-template_config.hcl
+++ b/command/agent/config/test-fixtures/config-template_config.hcl
@ -12,6 +12,7 @@ template_config {
  exit_on_retry_failure = true
  static_secret_render_interval = 60
  max_connections_per_host = 100
+  lease_renewal_threshold = 0.8
 }

 template {
--- a/command/agent/internal/ctmanager/runner_config.go
+++ b/command/agent/internal/ctmanager/runner_config.go
@ -38,8 +38,12 @@ func NewConfig(mc ManagerConfig, templates ctconfig.TemplateConfigs) (*ctconfig.
 		conf.Vault.Namespace = &mc.Namespace
 	}

-	if mc.AgentConfig.TemplateConfig != nil && mc.AgentConfig.TemplateConfig.StaticSecretRenderInt != 0 {
-		conf.Vault.DefaultLeaseDuration = &mc.AgentConfig.TemplateConfig.StaticSecretRenderInt
+	if mc.AgentConfig.TemplateConfig != nil {
+		conf.Vault.LeaseRenewalThreshold = mc.AgentConfig.TemplateConfig.LeaseRenewalThreshold
+
+		if mc.AgentConfig.TemplateConfig.StaticSecretRenderInt != 0 {
+			conf.Vault.DefaultLeaseDuration = &mc.AgentConfig.TemplateConfig.StaticSecretRenderInt
+		}
 	}

 	if mc.AgentConfig.DisableIdleConnsTemplating {
--- a/website/content/docs/agent-and-proxy/agent/template.mdx
+++ b/website/content/docs/agent-and-proxy/agent/template.mdx
@ -111,6 +111,10 @@ failures.
  that the Vault Agent templating engine can use for a particular Vault host. This limit
  includes connections in the dialing, active, and idle states.

+- `lease_renewal_threshold` `(float: 0.9)` - How long Vault Agent's template
+  engine should wait for to refresh dynamic, non-renewable leases, measured as
+  a fraction of the lease duration.
+
 ### `template_config` stanza example

 ```hcl