vault_lease

Beacon for the Vault integration. Sends an event when the remaining TTL of a cached lease drops below a configured minimum. By default, it also tries to renew the lease before sending an event.

Added in version 1.1.0.

Event description

When the remaining TTL of a monitored lease falls below its configured minimum, an event is sent.

The event tag’s format is: salt/beacon/<minion ID>/vault_lease_<lease cache key>/expire

The event data contains (non-exhaustive):

  • expires_in - number of seconds left until Vault revokes the lease (-1 if it has already been revoked)

  • lease_id - the lease ID of the expiring lease

  • ckey - the cache key of the expiring lease

  • meta - custom metadata, e.g. for use in a reactor

  • expired - whether the lease has already expired

Example configuration

beacons:
  vault_basic:
    - beacon_module: vault_lease
    - leases:
        - db.database.dynamic.basic_lease.default

  vault_advanced:
    - beacon_module: vault_lease
    - leases:
        db.database.dynamic.write_stuff.default: {}
        db.database.dynamic.monitoring.default:
          renew: false
        db.database.dynamic.read_stuff.default:
          min_ttl: 6h
          meta:
            sls: read.stuff
    - min_ttl: 1h
    - meta:
        sls: write.stuff
    - check_server: true

Example for enabling beacon via state

This beacon can also be added dynamically by the vault_db.creds_cached state when a database lease is explicitly cached, as in the following example.

Important Vault lease is cached:
  vault_db.creds_cached:
    - name: my_important_role
    - valid_for: 6h  # minimum TTL for the lease to be returned by get_creds
    - revoke_delay: 30m
    - beacon: true   # also add a beacon for monitoring
    - beacon_interval: 300  # interval between beacon runs
    - min_ttl: 12h   # minimum TTL for the beacon to accept the lease as valid
    - meta: my.important.state  # can be used with a reactor
    - order: first   # leases should be cached early

Configuration reference

leases

The leases to monitor, referenced by their cache keys. This can be a string (a single lease), a list (multiple leases) or a mapping (multiple leases with per-lease parameter overrides).

min_ttl

The minimum TTL a monitored lease should have. Can be overridden per lease in the leases mapping. If a min_ttl was set on the lease when it was created, the beacon's value only has an effect if it is equal to or greater than that one. Defaults to 300.

check_server

Whether cached leases should be validated with the Vault server before they are considered valid. Can be overridden per lease in the leases mapping. There is currently no equivalent parameter that can be set on the lease during its creation. Defaults to false.

meta

Arbitrary metadata to include in expiry events. Can be overridden per lease in the leases mapping. If meta was set on the lease during its creation, that value takes precedence. If both values are mappings, or both are lists, they are merged.

renew

Before sending an event, try to renew a lease whose TTL has fallen below the minimum. Defaults to true.
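The following model shows how the event description and the configuration reference above fit together: how the beacon-wide min_ttl, meta, check_server and renew settings are combined with per-lease overrides, how a min_ttl recorded at lease creation acts as a floor, how lease-creation meta takes precedence over beacon meta, and what the emitted event looks like. It is an added example, not code from saltext.vault: the CachedLease class, the evaluate / normalize_leases / merge_meta / parse_ttl names, the injected renew and check_server callables, the constructed cache contents and the sample TTLs are all assumptions made for this illustration; only the configuration keys, the event fields and the tag format come from this page.

```python
"""Illustrative model of how the vault_lease beacon resolves its settings.
Added example, not the saltext.vault implementation: it replays the rules from this
page's configuration reference (per-lease overrides, the min_ttl floor set at lease
creation, meta precedence/merging, renew, check_server) on constructed lease data and
needs no Vault server. Names, injected callables and the TTLs are assumptions."""
from dataclasses import dataclass
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def parse_ttl(value):
    """Plain seconds, or a suffixed string such as '6h' / '30m' (suffix set assumed)."""
    text = str(value).strip().lower()
    if text[-1] in UNITS:
        return int(float(text[:-1]) * UNITS[text[-1]])
    return int(float(text))

@dataclass
class CachedLease:          # assumed shape of one entry in the minion-side lease cache
    ckey: str
    lease_id: str
    expires_at: int         # epoch seconds at which Vault revokes the lease
    renewable: bool = True
    min_ttl: int = 0        # min_ttl recorded when the lease was cached (0: none)
    meta: object = None     # meta recorded when the lease was cached

def normalize_leases(leases):
    """'leases' may be a string, a list, or a mapping of ckey -> overrides."""
    if isinstance(leases, (str, list)):
        return {ckey: {} for ckey in ([leases] if isinstance(leases, str) else leases)}
    return {ckey: dict(overrides or {}) for ckey, overrides in leases.items()}

def merge_meta(lease_meta, beacon_meta):
    """Lease-creation meta wins; two mappings/two lists merge (lease wins on key clashes: assumed)."""
    if lease_meta is None:
        return beacon_meta
    if isinstance(lease_meta, dict) and isinstance(beacon_meta, dict):
        return {**beacon_meta, **lease_meta}
    if isinstance(lease_meta, list) and isinstance(beacon_meta, list):
        return beacon_meta + [m for m in lease_meta if m not in beacon_meta]
    return lease_meta

def _event(minion_id, ckey, lease_id, expires_in, meta, expired):
    return {"tag": f"salt/beacon/{minion_id}/vault_lease_{ckey}/expire",  # documented format
            "expires_in": expires_in, "lease_id": lease_id, "ckey": ckey,
            "meta": meta, "expired": expired}

def evaluate(config, cache, minion_id, now, renew=lambda lease: None, check_server=None):
    """Return the expiry events one beacon run would emit. renew(lease) -> new expires_at
    or None stands in for the Vault renew call; check_server(lease) -> seconds left, or -1
    if Vault no longer has the lease. Both are injected so the model runs offline."""
    opts = {k: v for item in config for k, v in item.items()}  # Salt passes single-key dicts
    defaults = {"min_ttl": opts.get("min_ttl", 300), "meta": opts.get("meta"),
                "check_server": opts.get("check_server", False), "renew": opts.get("renew", True)}
    events = []
    for ckey, overrides in normalize_leases(opts.get("leases", [])).items():
        cfg = {**defaults, **overrides}          # per-lease keys override the beacon-wide ones
        lease = cache.get(ckey)
        if lease is None:                        # not cached at all: not covered by this page, skipped
            continue
        min_ttl = max(parse_ttl(cfg["min_ttl"]), lease.min_ttl)  # creation-time min_ttl is a floor
        expires_in = lease.expires_at - now
        if cfg["check_server"] and check_server is not None:
            expires_in = check_server(lease)     # trust Vault over the cache
        if expires_in >= min_ttl:
            continue
        if cfg["renew"] and lease.renewable and expires_in > 0:  # a revoked lease cannot be renewed
            new_expiry = renew(lease)
            if new_expiry is not None:
                lease.expires_at = new_expiry
                expires_in = new_expiry - now
                if expires_in >= min_ttl:
                    continue                     # renewal restored the TTL: no event this run
        expired = expires_in <= 0
        events.append(_event(minion_id, ckey, lease.lease_id, -1 if expired else expires_in,
                             merge_meta(lease.meta, cfg["meta"]), expired))
    return events

SAMPLE_CONFIG = [  # constructed, mirroring the vault_advanced beacon configured on this page
    {"beacon_module": "vault_lease"},
    {"leases": {"db.database.dynamic.write_stuff.default": {},
                "db.database.dynamic.monitoring.default": {"renew": False},
                "db.database.dynamic.read_stuff.default": {"min_ttl": "6h",
                                                           "meta": {"sls": "read.stuff"}}}},
    {"min_ttl": "1h"}, {"meta": {"sls": "write.stuff"}}, {"check_server": True},
]
NOW = 1_700_000_000  # fixed clock so the sample is deterministic

def sample_cache():
    """Constructed cache: 30 min left and renewable; 30 min left with renew disabled above;
    8 h left but cached with a 12 h min_ttl and its own meta, and not renewable."""
    w, m, r = (f"db.database.dynamic.{n}.default" for n in ("write_stuff", "monitoring", "read_stuff"))
    return {w: CachedLease(w, "database/creds/w/1", NOW + 1800),
            m: CachedLease(m, "database/creds/m/1", NOW + 1800, meta={"owner": "ops"}),
            r: CachedLease(r, "database/creds/r/1", NOW + 8 * 3600, renewable=False,
                           min_ttl=12 * 3600, meta={"sls": "read.override"})}

def run_sample():
    """Renewals succeed with a fresh 4 h TTL; the server agrees with the cache."""
    return evaluate(SAMPLE_CONFIG, sample_cache(), "minion1", NOW,
                    renew=lambda lease: NOW + 4 * 3600, check_server=lambda lease: lease.expires_at - NOW)
```

Running run_sample() yields no event for the write_stuff lease (it was below the 1h minimum but the renewal pushed it to 4h), an event for the monitoring lease (still valid for 1800 seconds, but renew is disabled for it, and its meta is the merge of the lease's own mapping with the beacon-wide one) and an event for the read_stuff lease (8h left, which is below the 12h floor recorded when it was cached, so the beacon's 6h override is ignored; its meta is the lease's own value because that takes precedence). Passing a check_server callable that reports -1 turns every case into an expired event with expires_in -1, which is the shape a reactor should be prepared for. On the master, a reactor can match these events with the tag glob salt/beacon/*/vault_lease_*/expire and read meta from the event data to decide what to reapply.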

saltext.vault.beacons.vault_lease.validate(config)

Validate the beacon configuration.

saltext.vault.beacons.vault_lease.beacon(config)

Watch the configured lease(s).