s3: allow config value for secrets refresh interval

ahouene · ahouene · commit d289bc8019cd · 2023-09-12T16:05:37.000+02:00
diff --git a/backends/s3/credentials.go b/backends/s3/credentials.go
@@ -21,6 +21,9 @@ type FileSecretsCredentials struct {
 	// Path to the file containing the secret key,
 	// e.g. /etc/s3-secrets/secret-key.
 	SecretKeyFile string
+
+	// Time between each secrets retrieval.
+	RefreshInterval time.Duration
 }
 
 // Retrieve implements credentials.Provider.
@@ -40,7 +43,7 @@ func (c *FileSecretsCredentials) Retrieve() (credentials.Value, error) {
 		SecretAccessKey: string(secretKey),
 	}
 
-	c.SetExpiration(time.Now().Add(time.Second), -1)
+	c.SetExpiration(time.Now().Add(c.RefreshInterval), -1)
 
 	return creds, err
 }
diff --git a/backends/s3/s3.go b/backends/s3/s3.go
@@ -37,6 +37,9 @@ const (
 	// DefaultUpdateMarkerForceListInterval is the default value for
 	// UpdateMarkerForceListInterval.
 	DefaultUpdateMarkerForceListInterval = 5 * time.Minute
+	// DefaultSecretsRefreshInterval is the default value for RefreshSecrets.
+	// It should not be too high so as to retrieve secrets regularly.
+	DefaultSecretsRefreshInterval = 15 * time.Second
 )
 
 // Options describes the storage options for the S3 backend
@@ -55,6 +58,12 @@ type Options struct {
 	// e.g. /etc/s3-secrets/secret-key.
 	SecretKeyFile string `yaml:"secret_key_file"`
 
+	// Time between each secrets retrieval.
+	// Minimum is 1s, lower values are considered an error.
+	// It defaults to DefaultSecretsRefreshInterval,
+	// which is currently 15s.
+	SecretsRefreshInterval time.Duration `yaml:"secrets_refresh_interval"`
+
 	// Region defaults to "us-east-1", which also works for Minio
 	Region string `yaml:"region"`
 	Bucket string `yaml:"bucket"`
@@ -108,6 +117,9 @@ func (o Options) Check() error {
 	if !hasSecretsCreds && !hasStaticCreds {
 		return fmt.Errorf("s3 storage.options: credentials are required, fill either (access_key and secret_key) or (access_key_filename and secret_key_filename)")
 	}
+	if d := o.SecretsRefreshInterval; hasSecretsCreds && d != 0 && d < time.Second {
+		return fmt.Errorf("s3 storage.options: field refresh_secrets is required when using secret credentials")
+	}
 	if o.Bucket == "" {
 		return fmt.Errorf("s3 storage.options: bucket is required")
 	}
@@ -298,6 +310,9 @@ func New(ctx context.Context, opt Options) (*Backend, error) {
 	if opt.EndpointURL == "" {
 		opt.EndpointURL = DefaultEndpointURL
 	}
+	if opt.SecretsRefreshInterval == 0 {
+		opt.SecretsRefreshInterval = DefaultSecretsRefreshInterval
+	}
 	if err := opt.Check(); err != nil {
 		return nil, err
 	}
@@ -354,8 +369,9 @@ func New(ctx context.Context, opt Options) (*Backend, error) {
 	creds := credentials.NewStaticV4(opt.AccessKey, opt.SecretKey, "")
 	if opt.AccessKeyFile != "" {
 		creds = credentials.New(&FileSecretsCredentials{
-			AccessKeyFile: opt.AccessKeyFile,
-			SecretKeyFile: opt.SecretKeyFile,
+			AccessKeyFile:   opt.AccessKeyFile,
+			SecretKeyFile:   opt.SecretKeyFile,
+			RefreshInterval: opt.SecretsRefreshInterval,
 		})
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -21,6 +21,9 @@ type FileSecretsCredentials struct {`
`21`	`21`	`// Path to the file containing the secret key,`
`22`	`22`	`// e.g. /etc/s3-secrets/secret-key.`
`23`	`23`	`SecretKeyFile string`
	`24`	`+`
	`25`	`+ // Time between each secrets retrieval.`
	`26`	`+ RefreshInterval time.Duration`
`24`	`27`	`}`
`25`	`28`
`26`	`29`	`// Retrieve implements credentials.Provider.`
`@@ -40,7 +43,7 @@ func (c *FileSecretsCredentials) Retrieve() (credentials.Value, error) {`
`40`	`43`	`SecretAccessKey: string(secretKey),`
`41`	`44`	`}`
`42`	`45`
`43`		`- c.SetExpiration(time.Now().Add(time.Second), -1)`
	`46`	`+ c.SetExpiration(time.Now().Add(c.RefreshInterval), -1)`
`44`	`47`
`45`	`48`	`return creds, err`
`46`	`49`	`}`