Auth token renewal

Makefile

@@ -1,6 +1,6 @@
 .PHONY: docker-build docker-push
 
-export DOCKER_REPO=pyrsh/tbot-vault-bridge
+export DOCKER_REPO=registry.pyr.sh/tbot-vault-bridge/tbot-vault-bridge
 export GIT_COMMIT=$(shell git rev-parse --short HEAD)
 
 docker-build:

cmd/vault-pusher/main.go

@@ -38,12 +38,17 @@ func main() {
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()
 
-	if err := run(ctx); err != nil {
+	tokenRenewalDoneCh := make(chan struct{})
+	err := run(ctx, tokenRenewalDoneCh)
+	log.Println("Stopping token renewal goroutine...")
+	<-tokenRenewalDoneCh
+	if err != nil {
 		panic(err)
 	}
+	log.Println("Exiting")
 }
 
-func run(ctx context.Context) error {
+func run(ctx context.Context, tokenRenewalDoneCh chan struct{}) error {
 	// connect to vault
 	config := vault.DefaultConfig()
 	transport := config.HttpClient.Transport.(*http.Transport)
@@ -67,12 +72,66 @@ func run(ctx context.Context) error {
 	}
 
 	// perform vault auth
-	authInfo, err := client.Auth().Login(ctx, appRoleAuth)
+	authInfo, err := login(ctx, client, appRoleAuth)
 	if err != nil {
-		return fmt.Errorf("failed to log in using the approle method: %w", err)
+		return err
 	}
-	if authInfo == nil {
-		return errors.New("auth method did not return valid credentials")
+
+	// And start token renewal lifecycle
+	// Reference: https://github.com/hashicorp/vault-examples/blob/main/examples/token-renewal/go/example.go
+	if authInfo.Auth.Renewable {
+		go func() {
+			defer func() { tokenRenewalDoneCh <- struct{}{} }()
+			log.Println("Starting auto renewal goroutine")
+			for {
+				select {
+				case <-ctx.Done():
+					return
+				default:
+				}
+
+				if authInfo == nil {
+					log.Println("Reattempting login")
+					authInfo, err = login(ctx, client, appRoleAuth)
+					if err != nil {
+						log.Printf("Failed to reattempt login: %v", err)
+						continue
+					}
+				}
+
+				watcher, err := client.NewLifetimeWatcher(&vault.LifetimeWatcherInput{
+					Secret:    authInfo,
+					Increment: 60 * 60 * 24,
+				})
+				if err != nil {
+					log.Printf("unable to initialize new lifetime watcher for renewing auth token: %v", err)
+					continue
+				}
+
+				go watcher.Start()
+				defer watcher.Stop()
+			renewalLoop:
+				for {
+					select {
+					case <-ctx.Done():
+						return
+					case err := <-watcher.DoneCh():
+						if err != nil {
+							log.Printf("Failed to renew token: %v", err)
+						} else {
+							log.Printf("Token can no longer be renewed")
+						}
+						authInfo = nil
+						watcher.Stop()
+						break renewalLoop
+					case renewal := <-watcher.RenewCh():
+						log.Printf("Successfully renewed: %#v", renewal)
+					}
+				}
+			}
+		}()
+	} else {
+		tokenRenewalDoneCh <- struct{}{}
 	}
 
 	mux := http.NewServeMux()
@@ -159,3 +218,14 @@ func run(ctx context.Context) error {
 	log.Println("Shutting down...")
 	return nil
 }
+
+func login(ctx context.Context, client *vault.Client, appRoleAuth *auth.AppRoleAuth) (*vault.Secret, error) {
+	authInfo, err := client.Auth().Login(ctx, appRoleAuth)
+	if err != nil {
+		return nil, fmt.Errorf("failed to log in using the approle method: %w", err)
+	}
+	if authInfo == nil {
+		return nil, errors.New("auth method did not return valid credentials")
+	}
+	return authInfo, nil
+}