[v18] Fix case where renewed X509 SVIDs would not be sent via SDS (#62830)

strideynet · web-flow · commit c943922c8775 · 2026-01-15T10:29:46.000Z
* Fix case where renewed X509 SVIDs would not be sent via SDS

* Add comment
diff --git a/lib/tbot/internal/sds/handler.go b/lib/tbot/internal/sds/handler.go
@@ -338,6 +338,8 @@ func (h *Handler) StreamSecrets(
 		case <-renewalTimer.C:
 			// Handle renewal time!
 			log.DebugContext(ctx, "Renewing SVIDs for StreamSecrets stream")
+			// Set svids to nil to fetching of fresh SVIDs
+			svids = nil
 		}
 
 		// Fetch the SVIDs if necessary
diff --git a/lib/tbot/services/workloadidentity/workload_api.go b/lib/tbot/services/workloadidentity/workload_api.go
@@ -198,8 +198,10 @@ func (s *WorkloadAPIService) Run(ctx context.Context) error {
 	)
 	workloadpb.RegisterSpiffeWorkloadAPIServer(srv, s)
 	sdsHandler, err := sds.NewHandler(sds.HandlerConfig{
-		Logger:           s.log,
-		RenewalInterval:  s.defaultCredentialLifetime.RenewalInterval,
+		Logger: s.log,
+		RenewalInterval: cmp.Or(
+			s.cfg.CredentialLifetime, s.defaultCredentialLifetime,
+		).RenewalInterval,
 		TrustBundleCache: s.trustBundleCache,
 		ClientAuthenticator: func(ctx context.Context) (*slog.Logger, sds.SVIDFetcher, error) {
 			log, attrs, err := s.authenticateClient(ctx)

Original file line number	Diff line number	Diff line change
`@@ -338,6 +338,8 @@ func (h *Handler) StreamSecrets(`
`338`	`338`	`case <-renewalTimer.C:`
`339`	`339`	`// Handle renewal time!`
`340`	`340`	`log.DebugContext(ctx, "Renewing SVIDs for StreamSecrets stream")`
	`341`	`+ // Set svids to nil to fetching of fresh SVIDs`
	`342`	`+ svids = nil`
`341`	`343`	`}`
`342`	`344`
`343`	`345`	`// Fetch the SVIDs if necessary`