Background
After secrets are rotated and OpenBao Agent renders new values to agent.toml, bootroot-agent may attempt ACME renewal with stale in-memory config. If the first attempt fails (e.g., due to a timing gap between KV write and template render), the retry logic currently reuses the same config loaded at startup. Re-reading the config before each retry ensures bootroot-agent picks up the freshly rendered values.
Current state
- Config loaded once at startup (src/bin/bootroot-agent.rs:81):
  let mut settings = config::Settings::new(args.config.clone())?;
  wrapped in Arc<Settings>.
- issue_with_retry (src/daemon.rs:256-268):
  Captures settings/profile/eab in closure, calls issue_with_retry_inner() with the same values for every attempt.
- select_retry_backoff (src/daemon.rs:270-280):
  Returns profile-level backoff if set, otherwise global.
- Default backoff (src/config/defaults.rs:20):
  DEFAULT_RETRY_BACKOFF_SECS: [u64; 3] = [5, 10, 30] — total retry window is 45 seconds.
Changes
- Modify issue_with_retry to re-read config from disk before each retry attempt:
  // On retry, reload config to pick up any values rendered by OpenBao Agent
  let fresh_settings = config::Settings::new(config_path)?;
  let fresh_eab = resolve_eab(&fresh_settings, &fresh_profile);
  acme::issue_certificate(&fresh_settings, &fresh_profile, fresh_eab)
- Review backoff defaults — with OpenBao Agent's static_secret_render_interval = "30s", the current total retry window (45s) may be too tight. Consider extending to [5, 10, 30, 60] (total 105s) to allow at least one full polling cycle before exhausting retries.
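A self-contained sketch of the reload-before-retry loop described above, added here as an example and not taken from the bootroot code base. `Settings`, `eab_hmac`, `issue_with_reload`, `retry_window_secs` and the `load`/`issue`/`sleep` closures are hypothetical stand-ins; keeping the last good settings when a reload fails is a choice made for this example.

```rust
use std::time::Duration;

// Hypothetical stand-in for the agent's Settings; one rotated value is enough here.
#[derive(Clone, Debug, PartialEq)]
pub struct Settings { pub eab_hmac: String }

/// Total time the backoff schedule leaves for a rotated secret to be rendered.
pub fn retry_window_secs(backoff: &[u64]) -> u64 { backoff.iter().sum() }

/// One attempt with the startup settings, then one per backoff entry. Before each
/// retry the settings are reloaded through `load`; a failed reload (assumed here:
/// file caught mid-render) keeps the last good settings instead of aborting.
/// Returns the number of attempts used.
pub fn issue_with_reload<L, I, S>(
    startup: Settings, backoff: &[u64], mut load: L, mut issue: I, mut sleep: S,
) -> Result<usize, String>
where
    L: FnMut() -> Result<Settings, String>,
    I: FnMut(&Settings) -> Result<(), String>,
    S: FnMut(Duration),
{
    let mut current = startup;
    let mut last_err = match issue(&current) {
        Ok(()) => return Ok(1),
        Err(e) => e,
    };
    for (i, secs) in backoff.iter().enumerate() {
        sleep(Duration::from_secs(*secs));
        if let Ok(fresh) = load() {
            current = fresh; // values rendered since the previous attempt
        }
        match issue(&current) {
            Ok(()) => return Ok(i + 2),
            Err(e) => last_err = e, // never log `current`: it holds secrets
        }
    }
    Err(last_err)
}

fn main() {
    // Constructed scenario: startup config is stale, the file on disk is rotated.
    let load = || -> Result<Settings, String> { Ok(Settings { eab_hmac: "new".into() }) };
    let issue = |s: &Settings| -> Result<(), String> {
        if s.eab_hmac == "new" { Ok(()) } else { Err("rejected".into()) }
    };
    let stale = Settings { eab_hmac: "old".into() };
    let r = issue_with_reload(stale, &[5, 10, 30], load, issue, |_| {}); // no real sleep
    println!("attempts: {:?}, window: {}s", r, retry_window_secs(&[5, 10, 30]));
}
```

Injecting `sleep` as a closure lets the schedule be tested without waiting out the real backoff.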
File references
src/daemon.rs:256-268 — retry logic
src/config/defaults.rs:20 — backoff defaults
src/bin/bootroot-agent.rs:81 — initial config load