fix(jupyterhub): admin vault token renewal

jupyterhub/vault-token-renewer.sh

@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 # Script to handle admin token retrieval and renewal
 
 set -e
@@ -23,7 +23,69 @@ if [ -z "$ADMIN_TOKEN" ]; then
 fi
 
 echo "Admin token retrieved from ExternalSecret"
-echo "$ADMIN_TOKEN" > /vault/secrets/vault-token
+echo "$ADMIN_TOKEN" >/vault/secrets/vault-token
+
+# Calculate renewal interval (TTL/2, minimum 30 seconds)
+# Use JUPYTERHUB_VAULT_TOKEN_TTL environment variable if available
+if [ -n "${JUPYTERHUB_VAULT_TOKEN_TTL}" ]; then
+    echo "Using TTL from environment variable: ${JUPYTERHUB_VAULT_TOKEN_TTL}"
+    TTL_RAW="${JUPYTERHUB_VAULT_TOKEN_TTL}"
+else
+    echo "Looking up token TTL..."
+    if vault token lookup >/dev/null 2>&1; then
+        echo "Token is valid, using default 5m interval for now"
+        TTL_RAW="300" # 5 minutes for testing
+    else
+        echo "Token lookup failed, using default TTL"
+        TTL_RAW="86400"
+    fi
+fi
+
+echo "Raw TTL: $TTL_RAW"
+
+# Convert TTL format (e.g., "4m9s", "3600", "0") to seconds
+convert_ttl_to_seconds() {
+    local ttl="$1"
+
+    # If already a number (seconds), return as-is
+    if echo "$ttl" | grep -E '^[0-9]+$' >/dev/null; then
+        echo "$ttl"
+        return
+    fi
+
+    # If contains time units (e.g., "4m9s")
+    local hours=0
+    local minutes=0
+    local seconds=0
+    if echo "$ttl" | grep -E '[0-9]+h' >/dev/null; then
+        hours=$(echo "$ttl" | sed -n 's/.*\([0-9]\+\)h.*/\1/p')
+        seconds=$((seconds + hours * 3600))
+    fi
+    if echo "$ttl" | grep -E '[0-9]+m' >/dev/null; then
+        minutes=$(echo "$ttl" | sed -n 's/.*\([0-9]\+\)m.*/\1/p')
+        seconds=$((seconds + minutes * 60))
+    fi
+    if echo "$ttl" | grep -E '[0-9]+s' >/dev/null; then
+        secs=$(echo "$ttl" | sed -n 's/.*\([0-9]\+\)s.*/\1/p')
+        seconds=$((seconds + secs))
+    fi
+    echo "$seconds"
+}
+
+TTL_SECONDS=$(convert_ttl_to_seconds "$TTL_RAW")
+
+if [ "$TTL_SECONDS" = "0" ]; then
+    # If TTL is 0 (never expires), use default 12h interval
+    RENEWAL_INTERVAL=43200
+else
+    # Renew at TTL/2, with minimum of 30 seconds
+    RENEWAL_INTERVAL=$((TTL_SECONDS / 2))
+    if [ "$RENEWAL_INTERVAL" -lt 30 ]; then
+        RENEWAL_INTERVAL=30
+    fi
+fi
+
+echo "Token TTL: ${TTL_SECONDS}s, renewal interval: ${RENEWAL_INTERVAL}s"
 
 # Start token renewal loop
 export VAULT_TOKEN="$ADMIN_TOKEN"
@@ -36,12 +98,12 @@ while true; do
         # Re-read token from mounted secret
         ADMIN_TOKEN=$(cat /vault/admin-token/token 2>/dev/null || echo "")
         if [ -n "$ADMIN_TOKEN" ]; then
-            echo "$ADMIN_TOKEN" > /vault/secrets/vault-token
+            echo "$ADMIN_TOKEN" >/vault/secrets/vault-token
             export VAULT_TOKEN="$ADMIN_TOKEN"
             echo "$(date): Token re-retrieved successfully from ExternalSecret"
         else
             echo "$(date): Failed to re-retrieve token from ExternalSecret"
         fi
     fi
-    sleep 43200  # 12 hours
-done
+    sleep $RENEWAL_INTERVAL
+done