mirror of
https://github.com/kemko/nomad.git
synced 2026-01-01 16:05:42 +03:00
Previously, a Vault token could be renewed either periodically via the renewal loop or immediately by calling `RenewToken()`. But a race condition in the renewal loop could cause an attempt to renew an expired token.

If both `updateCh` and `renewalCh` are active (such as when a task stops at the same time its token is waiting for renewal), the following `select` picks a `case` at random.

78f0c6b2a9/client/vaultclient/vaultclient.go (L557-L564)

If `case <-renewalCh` is picked, the token is incorrectly re-added to the heap, causing unnecessary renewals of a token that is already expired.

1604dba508/client/vaultclient/vaultclient.go (L505-L510)

To prevent this situation, the `renew()` function should only renew tokens that are currently in the heap, so `RenewToken()` must first push the token to the heap and wait for the renewal to happen instead of calling `renew()` directly since this could cause another race condition where the token is renewed twice: once by `RenewToken()` calling `renew()` directly and a second time if the renewal happens to pick the token as soon as `RenewToken()` adds it to the heap.
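
The race described in the commit message above, reduced to a small model. This is an added example, not code from the Nomad repository: the `tracker` type, the function names and the token string are hypothetical, and a map stands in for the renewal heap.

```go
package main

import "fmt"

// tracker is a simplified stand-in for the renewal heap (hypothetical type).
type tracker struct{ inHeap map[string]bool }

// renewUnguarded models the old behaviour: renew, then re-add the token.
func (t *tracker) renewUnguarded(tok string) { t.inHeap[tok] = true }

// renewGuarded models the fix: only tokens currently in the heap are renewed.
func (t *tracker) renewGuarded(tok string) {
	if t.inHeap[tok] { // removed tokens (task stopped) are skipped, not re-added
		t.inHeap[tok] = true
	}
}

// raceOnce readies both channels and reports whether the stopped token is back in the heap.
func raceOnce(guarded bool) bool {
	t := &tracker{inHeap: map[string]bool{}} // token already removed from heap
	updateCh := make(chan struct{}, 1)
	renewalCh := make(chan struct{}, 1)
	updateCh <- struct{}{}
	renewalCh <- struct{}{}
	select { // both cases ready: Go picks one pseudo-randomly
	case <-updateCh: // heap changed; the loop would recompute the next renewal
	case <-renewalCh:
		if guarded {
			t.renewGuarded("constructed-token")
		} else {
			t.renewUnguarded("constructed-token")
		}
	}
	return t.inHeap["constructed-token"]
}

func countStale(guarded bool, runs int) int {
	n := 0
	for i := 0; i < runs; i++ {
		if raceOnce(guarded) {
			n++
		}
	}
	return n
}

func main() {
	fmt.Println("unguarded:", countStale(false, 1000), "guarded:", countStale(true, 1000))
}
```

Over many runs the unguarded variant re-adds the stopped token roughly half the time, while the guarded variant never does.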