The spring-cloud-vault Lease lifecycle management (renewal and revocation) documentation states that:
spring.cloud.vault.config.lifecycle.min-renewal: sets the duration that is at least required before renewing a lease. This setting prevents renewals from happening too often.
spring.cloud.vault.config.lifecycle.expiry-threshold: sets the expiry threshold. A lease is renewed the configured period of time before it expires.
I'm having a hard time understanding the difference between these two configuration options. It would be helpful to be given an example of how each of these parameters affects the lease renewal lifecycle. For example: it seems pretty clear to me that if the lease TTL is 10 minutes, and if the expiry-threshold is set to 1 minute, then 9 minutes after the lease is acquired spring-cloud-vault would renew the lease. But if that is true, what is the purpose of the min-renewal configuration parameter?
The expiry threshold controls the renewal time at which the lease is renewed.
For example: it seems pretty clear to me that if the lease TTL is 10 minutes, and if the expiry-threshold is set to 1 minute, then 9 minutes after the lease is acquired spring-cloud-vault would renew the lease.
Your understanding is correct.
What about min-renewal?
When the remaining validity time of your lease is less than 1 minute (say 30 seconds), then the calculated renewal time would be 30 seconds in the past (or now, as we cannot schedule things to happen in the past). min-renewal helps to debounce renewal requests. This is because, in such a scenario, refresh happens immediately.
Once renewed, SecretLeaseContainer schedules a subsequent renewal that reports a lease validity of slightly less than 30 seconds. We don't want to create a loop that hammers your Vault server with renewal requests if the remaining lease duration is less than expiry-threshold.
Example:
expiry-threshold: 60 seconds
min-renewal: 10 seconds
The following list of events shows with a time correlation what happens at which time assuming the TTL is final and cannot be extended:
10 minutes TTL - 1 minute expiry threshold -> 9 minutes)
1 minute TTL - 1 minute expiry threshold -> 0 minutes. Fall back to 10 seconds min-renewal as that is the larger value -> 10 seconds)
50 seconds TTL - 1 minute expiry threshold -> -10 seconds. Fall back to 10 seconds min-renewal as that is the larger value -> 10 seconds)
10 seconds)
10 seconds. Min-renewal is greater than the remaining TTL and the lease is considered expired.
Example where expiry threshold is greater than min-renewal:
expiry-threshold: 5 minutes (180 seconds)
min-renewal: 6 minutes (360 seconds)
The following list of events shows with a time correlation what happens at which time assuming the TTL is final and cannot be extended:
10:00:00 Lease obtained. TTL 10 minutes (600 seconds). Schedule lease renewal in 6 minutes (10 minutes TTL - 5 minute expiry threshold -> 5 minutes. Min-renewal is set to 6 minutes to issue a renewal at most once in 6 minutes -> 6 minutes)
10:06:00 Lease obtained. TTL 4 minutes (360 seconds). Schedule lease renewal in 6 minutes (4 minutes TTL - 5 minute expiry threshold -> -1 minutes. 6 minutes min-renewal is greater than the remaining TTL so the lease is considered expired)
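The scheduling rule described in the answer above, written out as a small simulation. This is an added example, not Spring Vault's own code and not part of the original answer; the class `LeaseRenewalTimeline`, its method names, and the "TTL not longer than min-renewal means expired" rule are assumptions made for illustration.

```java
import java.time.Duration;
import java.util.ArrayList;
import java.util.List;

// Added illustration: a simplified model of the rule described in the answer.
// It is NOT the SecretLeaseContainer implementation.
public class LeaseRenewalTimeline {

    // Delay before the next renewal: max(min-renewal, TTL - expiry-threshold).
    static Duration renewalDelay(Duration ttl, Duration expiryThreshold, Duration minRenewal) {
        Duration beforeExpiry = ttl.minus(expiryThreshold); // zero or negative near expiry
        return beforeExpiry.compareTo(minRenewal) > 0 ? beforeExpiry : minRenewal;
    }

    // Assumption: a lease whose remaining TTL is not longer than min-renewal is
    // treated as expired, because the next renewal could not run in time.
    static boolean isExpired(Duration ttl, Duration minRenewal) {
        return ttl.compareTo(minRenewal) <= 0;
    }

    // Walks a lease whose TTL is final: each renewal only reports the time left.
    // Without a positive min-renewal the delay would drop to zero once
    // TTL < expiry-threshold, which is the renewal loop the answer warns about.
    static List<String> timeline(Duration ttl, Duration expiryThreshold, Duration minRenewal) {
        List<String> events = new ArrayList<>();
        Duration elapsed = Duration.ZERO;
        Duration remaining = ttl;
        while (!isExpired(remaining, minRenewal)) {
            Duration delay = renewalDelay(remaining, expiryThreshold, minRenewal);
            events.add(String.format("t+%ds: TTL %ds, renew in %ds",
                    elapsed.getSeconds(), remaining.getSeconds(), delay.getSeconds()));
            elapsed = elapsed.plus(delay);
            remaining = remaining.minus(delay);
        }
        events.add(String.format("t+%ds: TTL %ds, lease considered expired",
                elapsed.getSeconds(), remaining.getSeconds()));
        return events;
    }

    public static void main(String[] args) {
        // First example: expiry-threshold 60 s, min-renewal 10 s, TTL 10 minutes.
        timeline(Duration.ofMinutes(10), Duration.ofSeconds(60), Duration.ofSeconds(10))
                .forEach(System.out::println);
        System.out.println("---");
        // Second example: expiry-threshold 5 min, min-renewal 6 min, TTL 10 minutes.
        timeline(Duration.ofMinutes(10), Duration.ofMinutes(5), Duration.ofMinutes(6))
                .forEach(System.out::println);
    }
}
```

For the first configuration the model renews after 9 minutes, then every 10 seconds until 10 seconds of TTL remain; for the second it renews once at 6 minutes and then treats the lease as expired.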