[PLAT-16290] Fix the KMS token renew logic for 70% TTL

Summary:
This diff fixes 2 tickets:
1. [PLAT-16290] Fix the KMS token renew logic for 70% TTL .
2. [PLAT-16209] Refresh KMS token every 1 hour via YBA backend

Test Plan:
Manually tested that the logic works to renew the token after reaching 70%.
Tested with 1 min scheduler and 15 min ttl token.

Also run UTs.
Run itests.

Reviewers: vkumar

Reviewed By: vkumar

Differential Revision: https://phorge.dev.yugabyte.com/D42652

Author: Sahith02

managed/RUNTIME-FLAGS.md

@@ -93,6 +93,7 @@
 | "Shell Output Max Directory Size" | "yb.logs.shell.output_dir_max_size" | "GLOBAL" | "Output logs for shell commands are written to tmp folder.This setting defines rotation policy based on directory size." | "Bytes" |
 | "Max Size of each log message" | "yb.logs.max_msg_size" | "GLOBAL" | "We limit the length of each log line as sometimes we dump entire output of script. If you want to debug something specific and the script output isgetting truncated in application log then increase this limit" | "Bytes" |
 | "KMS Refresh Interval" | "yb.kms.refresh_interval" | "GLOBAL" | "Default refresh interval for the KMS providers." | "Duration" |
+| "Percentage of Hashicorp vault TTL to renew the token after" | "yb.kms.hcv_token_renew_percent" | "GLOBAL" | "HashiCorp Vault tokens expire when their TTL is reached. This setting renews the token after it has used the specified percentage of its original TTL. Default: 70%." | "Integer" |
 | "Start Master On Stop Node" | "yb.start_master_on_stop_node" | "GLOBAL" | "Auto-start master process on a similar available node on stopping a master node" | "Boolean" |
 | "Start Master On Remove Node" | "yb.start_master_on_remove_node" | "GLOBAL" | "Auto-start master process on a similar available node on removal of a master node" | "Boolean" |
 | "Server certificate verification for LDAPs/LDAP-TLS" | "yb.security.ldap.enforce_server_cert_verification" | "GLOBAL" | "Enforce server certificate verification for LDAPs/LDAP-TLS" | "Boolean" |

managed/src/main/java/com/yugabyte/yw/common/config/GlobalConfKeys.java

@@ -477,6 +477,15 @@ public class GlobalConfKeys extends RuntimeConfigKeysModule {
           "Allow the usage of CipherTrust KMS.",
           ConfDataType.BooleanType,
           ImmutableList.of(ConfKeyTags.INTERNAL));
+  public static final ConfKeyInfo<Integer> hcvTokenRenewPercent =
+      new ConfKeyInfo<>(
+          "yb.kms.hcv_token_renew_percent",
+          ScopeType.GLOBAL,
+          "Percentage of Hashicorp vault TTL to renew the token after",
+          "HashiCorp Vault tokens expire when their TTL is reached. This setting renews the token"
+              + " after it has used the specified percentage of its original TTL. Default: 70%.",
+          ConfDataType.IntegerType,
+          ImmutableList.of(ConfKeyTags.PUBLIC));
   // TODO() Add metadata
   public static final ConfKeyInfo<Boolean> startMasterOnStopNode =
       new ConfKeyInfo<>(

managed/src/main/java/com/yugabyte/yw/common/config/RuntimeConfigPreChangeNotifier.java

@@ -15,6 +15,7 @@
 import com.yugabyte.yw.common.PlatformServiceException;
 import com.yugabyte.yw.common.config.impl.DbAuditLoggingEnabledValidator;
 import com.yugabyte.yw.common.config.impl.EnableRollbackSupportKeyValidator;
+import com.yugabyte.yw.common.config.impl.HcvTokenRenewPercentValidator;
 import com.yugabyte.yw.common.config.impl.MetricCollectionLevelValidator;
 import com.yugabyte.yw.common.config.impl.OidcEnabledKeyValidator;
 import com.yugabyte.yw.common.config.impl.SSH2EnabledKeyValidator;
@@ -50,13 +51,15 @@ public RuntimeConfigPreChangeNotifier(
       UseNewRbacAuthzValidator useNewRbacAuthzValidator,
       EnableRollbackSupportKeyValidator enableRollbackSupportKeyValidator,
       OidcEnabledKeyValidator oidcEnabledKeyValidator,
-      DbAuditLoggingEnabledValidator dbAuditLoggingEnabledValidator) {
+      DbAuditLoggingEnabledValidator dbAuditLoggingEnabledValidator,
+      HcvTokenRenewPercentValidator hcvTokenRenewPercentValidator) {
     addListener(ssh2EnabledKeyValidator);
     addListener(metricCollectionLevelValidator);
     addListener(useNewRbacAuthzValidator);
     addListener(enableRollbackSupportKeyValidator);
     addListener(oidcEnabledKeyValidator);
     addListener(dbAuditLoggingEnabledValidator);
+    addListener(hcvTokenRenewPercentValidator);
   }
 
   public void notifyListenersDeleteConfig(UUID scopeUUID, String path) {

managed/src/main/java/com/yugabyte/yw/common/config/impl/HcvTokenRenewPercentValidator.java

@@ -0,0 +1,36 @@
+/*
+ * Copyright 2023 YugaByte, Inc. and Contributors
+ *
+ * Licensed under the Polyform Free Trial License 1.0.0 (the "License"); you
+ * may not use this file except in compliance with the License. You
+ * may obtain a copy of the License at
+ *
+ * http://github.com/YugaByte/yugabyte-db/blob/master/licenses/POLYFORM-FREE-TRIAL-LICENSE-1.0.0.txt
+ */
+package com.yugabyte.yw.common.config.impl;
+
+import static play.mvc.Http.Status.BAD_REQUEST;
+
+import com.yugabyte.yw.common.PlatformServiceException;
+import com.yugabyte.yw.common.config.GlobalConfKeys;
+import com.yugabyte.yw.common.config.RuntimeConfigPreChangeValidator;
+import java.util.UUID;
+import javax.inject.Singleton;
+
+@Singleton
+public class HcvTokenRenewPercentValidator implements RuntimeConfigPreChangeValidator {
+  public String getKeyPath() {
+    return GlobalConfKeys.hcvTokenRenewPercent.getKey();
+  }
+
+  @Override
+  public void validateConfigGlobal(UUID scopeUUID, String path, String newValue) {
+    Integer newValueInt = Integer.parseInt(newValue);
+
+    // Check that the runtime config value is between 0 and 100.
+    if (newValueInt == null || newValueInt <= 0 || newValueInt >= 100) {
+      throw new PlatformServiceException(
+          BAD_REQUEST, "HCV token renew percent must be between 0 and 100.");
+    }
+  }
+}

managed/src/main/java/com/yugabyte/yw/common/kms/util/hashicorpvault/VaultAccessor.java

@@ -21,6 +21,8 @@
 import com.bettercloud.vault.rest.RestResponse;
 import com.yugabyte.yw.common.Util;
 import com.yugabyte.yw.common.certmgmt.castore.CustomCAStoreManager;
+import com.yugabyte.yw.common.config.GlobalConfKeys;
+import com.yugabyte.yw.common.config.RuntimeConfGetter;
 import com.yugabyte.yw.common.inject.StaticInjectorHolder;
 import com.yugabyte.yw.models.helpers.CommonUtils;
 import io.ebean.annotation.EnumValue;
@@ -43,7 +45,6 @@ public class VaultAccessor {
   public static final Logger LOG = LoggerFactory.getLogger(VaultAccessor.class);
 
   public static final long TTL_RENEWAL_BEFORE_EXPIRY_HRS = 24;
-  public static final long TTL_EXPIRY_PERCENT_FACTOR = 7; // => x*10%, i.e., if 7 then 70%.
 
   private Vault vault;
   private long tokenTTL;
@@ -271,6 +272,14 @@ public List<Object> getTokenExpiryFromVault() throws VaultException {
     return Arrays.asList(tokenTTL, tokenTtlExpiry.getTimeInMillis());
   }
 
+  public int getTokenRenewPercent() {
+    RuntimeConfGetter runtimeConfGetter =
+        StaticInjectorHolder.injector().instanceOf(RuntimeConfGetter.class);
+    Integer hcvTokenRenewPercent =
+        runtimeConfGetter.getGlobalConf().getInt(GlobalConfKeys.hcvTokenRenewPercent.getKey());
+    return hcvTokenRenewPercent;
+  }
+
   /** This is done as best effort, and no guarantees are given at this point of time. */
   public void renewSelf() {
     try {
@@ -302,12 +311,17 @@ public void renewToken(String token) {
       }
 
       long maxttl = vault.auth().lookupSelf().getCreationTTL();
-      if ((ttl * TTL_EXPIRY_PERCENT_FACTOR) < maxttl) {
+      LOG.debug("Token {} has ttl: '{}' and creation ttl: '{}'", token, ttl, maxttl);
+      float hcvTokenRenewPercent = getTokenRenewPercent();
+      if ((ttl * 100) <= maxttl * (100 - hcvTokenRenewPercent)) {
         vault.auth().renewSelf();
         LOG.info(
-            "Token {} is renewed as it has passed {}0% of its expiry window",
-            token, TTL_EXPIRY_PERCENT_FACTOR);
-      } else LOG.debug("No need to renew token {} for now", token);
+            "Token {} is renewed as it has passed {}% of its expiry window",
+            token, hcvTokenRenewPercent);
+      } else
+        LOG.debug(
+            "No need to renew token {} for now, since token renew percent is '{}'%",
+            token, hcvTokenRenewPercent);
 
     } catch (VaultException e) {
       LOG.warn("Received exception while attempting to renew");

managed/src/main/resources/reference.conf

@@ -1381,8 +1381,9 @@ yb {
   }
 
   kms {
-    refresh_interval = 12 hours
+    refresh_interval = 1 hour
     allow_ciphertrust = false
+    hcv_token_renew_percent = 70
   }
 
   api {