This repository was archived by the owner on Jun 19, 2025. It is now read-only.
Tags: minio/kes
Tags
vault: reset token TTL to 0 when renewing token (#501) This commit resets the token TTL to zero once we start another re-authentication attempt. The reason is that if we fail to re-authenticate, we should not wait again for 80% of the prev. token TTL but instead re-authenticate right away. Signed-off-by: Andreas Auernhammer <github@aead.dev>
vault: delay the usage of renewed auth tokens (#488) This commit adds a delay that has to ellapse before a new Vault auth. token is used. A dist. Vault cluster may experience some replication lag. Hence, some cluster nodes already have the renewed token while others don't. If KES makes a request to a Vault node that does not have the renewed token, then the Vault node will reject the request. By waiting a certain amount of time (e.g. 30s) KES allows the Vault cluster to sync a renewed token to all peer nodes. KES cannot know when the token will be replicated but 30s seems a reasonable value for most practical purposes. Signed-off-by: Andreas Auernhammer <github@aead.dev> Co-authored-by: kannappanr <30541348+kannappanr@users.noreply.github.com>
vault: do not reuse TCP connections (#486) This commit disables TCP connection reuse for Vault. Apparently, TCP connections to Vault might hang if Vault gets shutdown forcefully. The downside of this commit is that KES has to re-open a new TCP connection for every interaction with Vault. However, KES should not rach out to Vault most of them time. Hence, this change seems acceptable. Signed-off-by: Andreas Auernhammer <github@aead.dev>
entrust: use reasonable defaults for HTTP transport (#477) This commit fixes the HTTP transport of the entrust keycontrol client to use a connection pool to reuse connections or close idle ones. Signed-off-by: Andreas Auernhammer <github@aead.dev>
fix goroutine leak when reloading server config (#469) This commit fixes a goroutine leak that occurs when reloading the server configuration. During a config reload, the server establishes a 2nd connection to the backend keystore and replaces the existing connection with the newly opened one. The switch is performed atomically (without locking) to not block or abort ongoing requests. Once the server has replaced the keystore connection, it closes it. Before this commit, the server stopped the in-memory key cache and its GC goroutines. However, it did not close any resources (goroutines/file descriptors) allocated by the replaced keystore. This commit fixes this. Signed-off-by: Andreas Auernhammer <github@aead.dev>
PreviousNext