Add configurable timeout for Azure Key Vault connections #368
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
- Add --azure-key-vault-timeout parameter (default: 30 seconds) - Return standard Windows ERROR_TIMEOUT (0x800705B5) on timeout - Prevent long waits when Key Vault URL is unreachable - Use CancellationTokenSource to enforce timeout on certificate retrieval operations Resolves issue where the program would wait several minutes when Key Vault URL cannot be reached.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Adds a configurable timeout parameter for Azure Key Vault connections to prevent long waits when the Key Vault URL is unreachable.
Changes
--azure-key-vault-timeoutparameter (alias:-kvto) with default of 30 secondsERROR_TIMEOUT(0x800705B5) when connection times outCancellationTokenSourceto enforce timeout on certificate retrieval operationsMotivation
Previously, the program would wait several minutes (potentially 3-5+ minutes with retries) when the Key Vault URL was unreachable, using the default Azure SDK HTTP timeout of ~100 seconds plus retry attempts. This change allows users to fail fast with a configurable timeout. When using the tool in an automated build environment, a timeout parameter (especially a short one) can be critical.
Testing
Tested with unreachable Key Vault URL to verify:
Breaking Changes
Standard behavior was a 100s timeout with 3 retries. This changes it to a 30s timeout without a retry. This seems like a much more sane default than potentially (and often) five minutes of frozen time and then failure when the server can't be contacted. In general if a server can't be contacted in 30s it's not going to be contacted in longer either.