Skip to content

Skip renewal for non-renewable Vault tokens #9208

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jun 23, 2025
Merged

Skip renewal for non-renewable Vault tokens #9208

merged 1 commit into from
Jun 23, 2025

Conversation

IvanChalukov
Copy link
Contributor

Changes proposed by this PR

This PR, developed in collaboration with @Kump3r, addresses scenarios where Vault tokens cannot be self-renewed, such as Batch tokens. In our environment, over 2,000 pipelines across 60 teams use Batch Vault tokens to collect information. This results in millions of renewal attempts each month, all of which fail because Batch tokens are non-renewable.

  • ensure that vault token is renewable

Notes to reviewer

Service tokens and Batch tokens comparison could be found in Token type comparison

Release Note

  • Improved Vault token renewal logic to skip non-renewable tokens like Batch tokens, reducing unnecessary renewal attempts.

@IvanChalukov
enhance token renewal logic to check for renewability before attempti…
def863a 
…ng renewal

Signed-off-by: IvanChalukov <ichalukov@gmail.com>
@IvanChalukov IvanChalukov requested a review from a team as a code owner May 27, 2025 11:51
@Kump3r Kump3r added the bug label May 27, 2025
Kump3r
Kump3r approved these changes May 27, 2025
View reviewed changes
Copy link
Contributor

@Kump3r Kump3r left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I tested the implementation with both Batch and service tokens:

  1. batch tokens are skipped after the lookup and never try to be renewed. After restart of the web additional lookup is done for each token, but again only once and no renew requests are done
  2. service tokens continue to work as before and we see a successful renew info log in the output logs. No further requests are made until the time duration requires a new retry request.
    We haven't executed any integration/unit tests as we failed to find such. Let us know if we just missed them and they need to be addressed.
    Good job @IvanChalukov and thanks for the PR!

@Kump3r Kump3r moved this from Todo to In Progress in Pull Requests May 28, 2025
@taylorsilva taylorsilva merged commit 2f202ed into concourse:master Jun 23, 2025
12 checks passed
@github-project-automation github-project-automation bot moved this from In Progress to Done in Pull Requests Jun 23, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@taylorsilva taylorsilva taylorsilva approved these changes

+1 more reviewer

@Kump3r Kump3r Kump3r approved these changes

Reviewers whose approvals may not affect merge requirements
Assignees

@IvanChalukov IvanChalukov

@Kump3r Kump3r

Labels
bug
Projects
Pull Requests
Archived in project
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@IvanChalukov @taylorsilva @Kump3r