vault: Add timeout option

The existing logic assumes that requests may raise timeout exception but timeout exception is never raised unless timeout is explicitly set in each request method calls. This introduces the timeout option and use it in request method calls so that timeout is actually set and handled by the logics. Also the keystoneauth session options loaded in the vault driver is not actually used. This change also removes it. Change-Id: I8c354937c2c39a63f50c150b3e858826b6a78fe0
2024-03-13 11:39:00 +09:00 · 2024-03-13 11:39:00 +09:00 · 2af34f28f8
commit 2af34f28f8
parent d578cbcce9
2 changed files with 13 additions and 5 deletions
--- a/castellan/key_manager/vault_key_manager.py
+++ b/castellan/key_manager/vault_key_manager.py
@ -26,7 +26,6 @@ import os
 import time
 import uuid

-from keystoneauth1 import loading
 from oslo_config import cfg
 from oslo_log import log as logging
 from oslo_utils import timeutils
@ -74,6 +73,9 @@ _vault_opts = [
               help=_("Vault Namespace to use for all requests to Vault. "
                      "Vault Namespaces feature is available only in "
                      "Vault Enterprise")),
+    cfg.FloatOpt('timeout',
+                 default=60,
+                 help=_('Timeout (in seconds) in each request to Vault')),
 ]

 _VAULT_OPT_GROUP = 'vault'
@ -95,7 +97,6 @@ class VaultKeyManager(key_manager.KeyManager):
    def __init__(self, configuration):
        self._conf = configuration
        self._conf.register_opts(_vault_opts, group=_VAULT_OPT_GROUP)
-        loading.register_session_conf_options(self._conf, _VAULT_OPT_GROUP)
        self._session = requests.Session()
        self._root_token_id = self._conf.vault.root_token_id
        self._approle_role_id = self._conf.vault.approle_role_id
@ -108,6 +109,7 @@ class VaultKeyManager(key_manager.KeyManager):
        self._kv_version = self._conf.vault.kv_version
        self._vault_url = self._conf.vault.vault_url
        self._namespace = self._conf.vault.namespace
+        self._timeout = self._conf.vault.timeout
        if self._vault_url.startswith("https://"):
            self._verify_server = self._conf.vault.ssl_ca_crt_file or True
        else:
@ -166,7 +168,8 @@ class VaultKeyManager(key_manager.KeyManager):
                resp = self._session.post(url=approle_login_url,
                                          json=params,
                                          headers=headers,
-                                          verify=self._verify_server)
+                                          verify=self._verify_server,
+                                          timeout=self._timeout)
            except requests.exceptions.Timeout as ex:
                raise exception.KeyManagerError(str(ex))
            except requests.exceptions.ConnectionError as ex:
@ -193,11 +196,11 @@ class VaultKeyManager(key_manager.KeyManager):
        return {}

    def _do_http_request(self, method, resource, json=None):
-        verify = self._verify_server
        headers = self._build_auth_headers()

        try:
-            resp = method(resource, headers=headers, json=json, verify=verify)
+            resp = method(resource, headers=headers, json=json,
+                          verify=self._verfy_server, timeout=self._timeout)
        except requests.exceptions.Timeout as ex:
            raise exception.KeyManagerError(str(ex))
        except requests.exceptions.ConnectionError as ex:
--- a/releasenotes/notes/vault-timeout-5eebb432e0943f74.yaml
+++ b/releasenotes/notes/vault-timeout-5eebb432e0943f74.yaml
@ -0,0 +1,5 @@
+---
+features:
+  - |
+    The new ``[vault] timeout`` option has been added. This determines timeout
+    in each HTTP request to Vault server. It defaults to 60 seconds.