Vault Kubernetes auth role token is not renewed #309

@aleskiontherun

Description

Envconsul version

envconsul v0.13.0 (c9c55c9)

Configuration

renew_token = true should probably be redundant like with a plaintext token, as there's no agent involved. Anyway, it makes no difference and doesn't help to resolve the issue.

```hcl
# /etc/envconsul.d/01-common.hcl
log_level = "warn"
exec {
  splay        = "5s"
  kill_timeout = "10s"
}
max_stale = "1m"
sanitize  = true
upcase    = true

vault {
  address     = "https://vault-active.vault.svc:8200"
  renew_token = true
  ssl {
    enabled     = true
    verify      = true
    ca_cert     = "/run/secrets/kubernetes.io/serviceaccount/ca.crt"
    server_name = "vault.vault.svc"
  }
}

# /etc/envconsul.d/02-config.hcl
vault {
  k8s_auth_role_name = "my-role"
}
secret {
  path      = "database/creds/my-database-role"
  no_prefix = true
  format    = "DATABASE_{{ key }}"
}
secret {
  path      = "secrets/some/secret"
  no_prefix = true
  format    = "SOME_PREFIX_{{ key }}"
}
```

Command

```sh
envconsul -config /etc/envconsul.d -log-level=debug sleep infinity
```

Debug output

For demo purposes I set the Vault Kubernetes role token initial TTL to 60 seconds. Max TTL is 1 hour, so it has no effect on the outcome. I also tried with different initial TTLs, max TTLs and periods from a few minutes to a few hours; the result is always the same: once the initial TTL expires, envconsul starts to log 403s.
https://gist.github.com/dizeee/7bfa522a44ccab6852ecb8557b414eaf

Expected behavior

Vault token is renewed before its TTL expires. It would also be nice to rotate the token when max TTL is reached.

Actual behavior

403 errors appear in the log after the token TTL expires.
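As an added example (not code from envconsul or from the reporter), the token lifecycle the expected behaviour above describes, modelled in Go: renew at two-thirds of the granted TTL, and fall back to a fresh Kubernetes login once the token has expired, is not renewable, or already runs up to the role's max TTL, then simulated with the reporter's 60s initial TTL and 1h max TTL. `TokenState`, `Plan` and `Simulate` are hypothetical names, and the simulation assumes Vault truncates each renewal at the remaining max TTL.

```go
package main

import (
	"fmt"
	"time"
)

// TokenState: a constructed view of a Vault token after login/renew-self (hypothetical type, not envconsul's).
type TokenState struct {
	Renewable     bool
	IssuedAt      time.Time     // first login; the role's max TTL counts from here
	GrantedAt     time.Time     // last login or renewal
	LeaseDuration time.Duration // TTL granted by that call
	MaxTTL        time.Duration // role max TTL, 0 for none
}

// Plan returns when the next step is due (possibly already in the past) and whether it
// must be a fresh login rather than auth/token/renew-self: renew at two-thirds of the TTL,
// but re-login once the token is expired, not renewable, or already capped by max TTL.
func Plan(t TokenState, now time.Time) (reauth bool, due time.Time) {
	expiresAt := t.GrantedAt.Add(t.LeaseDuration)
	if !now.Before(expiresAt) { // expired: every request now gets the 403 reported above
		return true, now
	}
	due = t.GrantedAt.Add(t.LeaseDuration * 2 / 3)
	capped := t.MaxTTL > 0 && !expiresAt.Before(t.IssuedAt.Add(t.MaxTTL))
	return !t.Renewable || capped, due
}

// Simulate drives Plan from a fresh login to the first re-login (maxTTL must be > 0), standing in
// for Vault by truncating renewals at the remaining max TTL; returns renewal count and re-login time.
func Simulate(ttl, maxTTL time.Duration, t0 time.Time) (int, time.Time) {
	tok := TokenState{Renewable: true, IssuedAt: t0, GrantedAt: t0, LeaseDuration: ttl, MaxTTL: maxTTL}
	for n := 0; ; n++ {
		reauth, at := Plan(tok, tok.GrantedAt)
		if reauth {
			return n, at
		}
		tok.GrantedAt, tok.LeaseDuration = at, ttl
		if left := t0.Add(maxTTL).Sub(at); maxTTL > 0 && left < ttl {
			tok.LeaseDuration = left
		}
	}
}

func main() {
	t0 := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	n, at := Simulate(60*time.Second, time.Hour, t0) // the reporter's demo numbers
	fmt.Printf("%d renewals, re-login due at +%s\n", n, at.Sub(t0))
}
```

With these numbers the token is renewed 89 times and the re-login falls due shortly before the one-hour max TTL, so the 403s in the report never occur.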
