buun-stack/jupyterhub/vault-token-renewer.sh

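#!/bin/bash
# vault-token-renewer.sh
#
# Sidecar helper for JupyterHub: waits for the admin token that an
# ExternalSecret mounts at /vault/admin-token/token, copies it to
# /vault/secrets/vault-token for the consumer, works out how often it should
# be renewed, and then (further down) keeps renewing it in a loop.
#
# Required env:  VAULT_ADDR                  address of the Vault server
# Optional env:  JUPYTERHUB_VAULT_TOKEN_TTL  token TTL ("3600", "4m9s", "0");
#                                            skips the lookup below when set
set -euo pipefail

# Every file this script creates must be owner-only: the token copy written
# below would otherwise inherit the container's default umask (typically 0644,
# i.e. readable by any user in the container).
umask 077

echo "Starting Vault token management..."

# The vault CLI silently falls back to 127.0.0.1:8200 when VAULT_ADDR is unset,
# which in a sidecar only shows up later as confusing lookup/renew failures.
# The old 'export VAULT_ADDR="${VAULT_ADDR}"' was a no-op; fail fast instead.
: "${VAULT_ADDR:?VAULT_ADDR must be set to the Vault server address}"
export VAULT_ADDR

# Wait for ExternalSecret to create the secret (blocks indefinitely, by design:
# the pod is not usable without the token)
echo "Waiting for admin token from ExternalSecret..."
while [ ! -f /vault/admin-token/token ]; do
  echo "Waiting for /vault/admin-token/token..."
  sleep 5
done

# Read admin token from mounted secret; $(...) strips the trailing newline
ADMIN_TOKEN=$(cat /vault/admin-token/token)
if [ -z "$ADMIN_TOKEN" ]; then
  echo "ERROR: No admin token found in mounted secret" >&2
  exit 1
fi
echo "Admin token retrieved from ExternalSecret"

# NOTE(review): this hands an *admin* token to whatever reads /vault/secrets.
# A token limited to the policies JupyterHub actually needs would bound the
# damage if that file ever leaks - confirm whether a narrower policy is possible.
#
# Write to a temp file in the same directory and rename it into place: a reader
# never sees a half-written token, the file is created 0600 (umask above), and
# the rename also replaces any earlier copy that was created more permissively.
printf '%s\n' "$ADMIN_TOKEN" >/vault/secrets/vault-token.tmp
mv -f /vault/secrets/vault-token.tmp /vault/secrets/vault-token

# The token has to be exported before any vault CLI call; previously it was only
# exported just before the renewal loop, so 'vault token lookup' below ran with
# whatever token the CLI found on its own (usually none) rather than the admin
# token just read, and the lookup branch could never succeed.
export VAULT_TOKEN="$ADMIN_TOKEN"

# Calculate renewal interval (TTL/2, minimum 30 seconds)
# Use JUPYTERHUB_VAULT_TOKEN_TTL environment variable if available
if [ -n "${JUPYTERHUB_VAULT_TOKEN_TTL:-}" ]; then
  echo "Using TTL from environment variable: ${JUPYTERHUB_VAULT_TOKEN_TTL}"
  TTL_RAW="${JUPYTERHUB_VAULT_TOKEN_TTL}"
else
  echo "Looking up token TTL..."
  if vault token lookup >/dev/null 2>&1; then
    # Placeholder: the lookup only proves the token is usable, its actual TTL is
    # not read yet, so a fixed 5 minute TTL (150 s renew cadence) is assumed.
    echo "Token is valid, using default 5m interval for now"
    TTL_RAW="300" # 5 minutes for testing
  else
    # Unreachable server or unusable token: fall back to a 24h TTL and let the
    # renewal loop report the real problem on its first attempt
    echo "Token lookup failed, using default TTL"
    TTL_RAW="86400"
  fi
fi
echo "Raw TTL: $TTL_RAW"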
# Convert TTL format (e.g., "4m9s", "3600", "0") to seconds
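#######################################
# Convert a Vault-style TTL to whole seconds.
# Accepts either a plain number of seconds ("3600", "0") or a Go duration
# string built from h/m/s components ("4m9s", "768h0m0s", "1h30m"). Anything
# else - an empty string, a bare word, an unsupported unit - yields 0, which
# the caller treats as "never expires" and maps to its 12h fallback interval.
# Arguments: $1 - TTL string
# Outputs:   number of seconds on stdout
# Returns:   0
#######################################
convert_ttl_to_seconds() {
  local ttl="$1"
  local total=0

  # Already plain seconds: pass the value through untouched
  if [[ "$ttl" =~ ^[0-9]+$ ]]; then
    echo "$ttl"
    return 0
  fi

  # Extract each unit's digits with bash's own regex engine. BASH_REMATCH holds
  # the whole run of digits in front of the unit. The previous sed expression
  # ('s/.*\([0-9]\+\)h.*/\1/') let the greedy '.*' swallow all but the last
  # digit, so "768h" was read as 8 hours and "30m" as 0 minutes - renewing far
  # less often than the real TTL allowed. The 10# prefix forces base 10 so a
  # value like "08" is not rejected as a malformed octal number.
  if [[ "$ttl" =~ ([0-9]+)h ]]; then
    total=$((total + 10#${BASH_REMATCH[1]} * 3600))
  fi
  if [[ "$ttl" =~ ([0-9]+)m ]]; then
    total=$((total + 10#${BASH_REMATCH[1]} * 60))
  fi
  if [[ "$ttl" =~ ([0-9]+)s ]]; then
    total=$((total + 10#${BASH_REMATCH[1]}))
  fi
  echo "$total"
}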
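TTL_SECONDS=$(convert_ttl_to_seconds "$TTL_RAW")
if [ "$TTL_SECONDS" = "0" ]; then
  # A TTL of 0 means the token never expires (or the TTL string was not
  # understood); still touch it every 12h so an unparsable TTL does not leave
  # the token un-renewed forever.
  RENEWAL_INTERVAL=43200
else
  # Renew at TTL/2 so a single missed renewal still leaves half the TTL,
  # floored at 30 s to avoid hammering Vault with very short TTLs.
  RENEWAL_INTERVAL=$((TTL_SECONDS / 2))
  if [ "$RENEWAL_INTERVAL" -lt 30 ]; then
    RENEWAL_INTERVAL=30
  fi
fi
echo "Token TTL: ${TTL_SECONDS}s, renewal interval: ${RENEWAL_INTERVAL}s"

# Start token renewal loop. Renewal extends the same token, so the copy in
# /vault/secrets stays valid; once the token's max TTL is reached renewal
# fails for good and only a fresh token from ExternalSecret helps, which is
# why the failure branch re-reads the mounted secret every cycle.
export VAULT_TOKEN="$ADMIN_TOKEN"
while true; do
  echo "$(date): Renewing admin token..."
  # Capture stderr so the reason for a failure (expired, max TTL reached,
  # server unreachable) lands in the log. stdout - which in the CLI's default
  # output includes the token itself - stays discarded and is never logged.
  if renew_err=$(vault token renew 2>&1 >/dev/null); then
    echo "$(date): Token renewed successfully"
  else
    echo "$(date): Token renewal failed - trying to retrieve token again from ExternalSecret"
    if [ -n "$renew_err" ]; then
      echo "$(date): vault token renew: $renew_err"
    fi
    # Re-read token from mounted secret; ExternalSecret may have rotated it.
    # A missing/unreadable file is tolerated here (best effort, retried next
    # cycle) rather than killing the renewer under 'set -e'.
    ADMIN_TOKEN=$(cat /vault/admin-token/token 2>/dev/null || echo "")
    if [ -n "$ADMIN_TOKEN" ]; then
      # Temp file + rename: readers never see a half-written token, and the
      # copy is created owner-only (0600) regardless of the inherited umask.
      (umask 077 && printf '%s\n' "$ADMIN_TOKEN" >/vault/secrets/vault-token.tmp)
      mv -f /vault/secrets/vault-token.tmp /vault/secrets/vault-token
      export VAULT_TOKEN="$ADMIN_TOKEN"
      echo "$(date): Token re-retrieved successfully from ExternalSecret"
    else
      echo "$(date): Failed to re-retrieve token from ExternalSecret"
    fi
  fi
  sleep "$RENEWAL_INTERVAL"
done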