diff --git a/agent-inject/agent/agent.go b/agent-inject/agent/agent.go
index 16ca5e7c..8b9efa5d 100644
--- a/agent-inject/agent/agent.go
+++ b/agent-inject/agent/agent.go
@@ -167,6 +167,9 @@ type Agent struct { // DisableIdleConnections controls which Agent features have idle // connections disabled DisableIdleConnections []string + + // DisableKeepAlives controls which Agent features have keep-alives disables. + DisableKeepAlives []string } type ServiceAccountTokenVolume struct {
@@ -471,6 +474,10 @@ func New(pod *corev1.Pod, patches []*jsonpatch.JsonPatchOperation) (*Agent, erro agent.DisableIdleConnections = strings.Split(pod.Annotations[AnnotationAgentDisableIdleConnections], ",") } + if pod.Annotations[AnnotationAgentDisableKeepAlives] != "" { + agent.DisableKeepAlives = strings.Split(pod.Annotations[AnnotationAgentDisableKeepAlives], ",") + } + return agent, nil }
diff --git a/agent-inject/agent/annotations.go b/agent-inject/agent/annotations.go
index a089c6bd..6265ad5d 100644
--- a/agent-inject/agent/annotations.go
+++ b/agent-inject/agent/annotations.go
@@ -276,6 +276,11 @@ const ( // features in Vault Agent. Comma-separated string, with valid values auto-auth, caching, // templating. AnnotationAgentDisableIdleConnections = "vault.hashicorp.com/agent-disable-idle-connections" + + // AnnotationAgentDisableKeepAlives specifies disabling keep-alives for various + // features in Vault Agent. Comma-separated string, with valid values auto-auth, caching, + // templating. + AnnotationAgentDisableKeepAlives = "vault.hashicorp.com/agent-disable-keep-alives" ) type AgentConfig struct {
@@ -301,6 +306,7 @@ type AgentConfig struct { AuthMinBackoff string AuthMaxBackoff string DisableIdleConnections string + DisableKeepAlives string } // Init configures the expected annotations required to create a new instance
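Review bot: The doc comment on the added DisableKeepAlives field of the Agent struct has a typo, `keep-alives disables`, where the sibling DisableIdleConnections comment says `disabled`. Suggest `// DisableKeepAlives controls which Agent features have keep-alives disabled.` so the two field comments read consistently. The rest of the Agent struct is outside the hunk.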
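Review bot: The new DisableKeepAlives branch in New splits the annotation on `,` without trimming or validating the pieces, although the annotation constant documents the accepted values as auto-auth, caching and templating; a pod annotation of `auto-auth, caching` would yield `" caching"` and be handed to the generated agent config unchanged. This mirrors the DisableIdleConnections handling just above it, so tightening here is a deliberate hardening rather than a consistency fix, and what Vault Agent does with an unrecognised feature name is not visible from this diff; since newConfig appears to encode the value as a JSON string slice, an odd value reads as a misconfiguration rather than an injection risk. One option is to trim each piece and fail the mutation on an unknown name, as below (assuming fmt is already imported in agent.go; otherwise build the message with errors.New and concatenation). New's signature and the rest of its body are outside the hunk.
```go
	if raw := pod.Annotations[AnnotationAgentDisableKeepAlives]; raw != "" {
		for _, feature := range strings.Split(raw, ",") {
			feature = strings.TrimSpace(feature)
			switch feature {
			case "auto-auth", "caching", "templating":
				agent.DisableKeepAlives = append(agent.DisableKeepAlives, feature)
			default:
				return nil, fmt.Errorf("annotation %s: unknown feature %q", AnnotationAgentDisableKeepAlives, feature)
			}
		}
	}
	// … unchanged: return agent, nil …
```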
@@ -501,6 +507,10 @@ func Init(pod *corev1.Pod, cfg AgentConfig) error { pod.ObjectMeta.Annotations[AnnotationAgentDisableIdleConnections] = cfg.DisableIdleConnections } + if _, ok := pod.ObjectMeta.Annotations[AnnotationAgentDisableKeepAlives]; !ok { + pod.ObjectMeta.Annotations[AnnotationAgentDisableKeepAlives] = cfg.DisableKeepAlives + } + return nil }
diff --git a/agent-inject/agent/annotations_test.go b/agent-inject/agent/annotations_test.go
index d969efd5..154c7bb7 100644
--- a/agent-inject/agent/annotations_test.go
+++ b/agent-inject/agent/annotations_test.go
@@ -1189,3 +1189,39 @@ func TestDisableIdleConnections(t *testing.T) { }) } } + +func TestDisableKeepAlives(t *testing.T) { + tests := map[string]struct { + annotations map[string]string + expectedValue []string + }{ + "full list": { + annotations: map[string]string{ + "vault.hashicorp.com/agent-disable-keep-alives": "auto-auth,caching,templating", + }, + expectedValue: []string{"auto-auth", "caching", "templating"}, + }, + "one": { + annotations: map[string]string{ + "vault.hashicorp.com/agent-disable-keep-alives": "auto-auth", + }, + expectedValue: []string{"auto-auth"}, + }, + "none": { + annotations: map[string]string{}, + expectedValue: nil, + }, + } + for name, tc := range tests { + t.Run(name, func(t *testing.T) { + pod := testPod(tc.annotations) + agentConfig := basicAgentConfig() + err := Init(pod, agentConfig) + require.NoError(t, err) + agent, err := New(pod, nil) + require.NoError(t, err) + + assert.Equal(t, tc.expectedValue, agent.DisableKeepAlives) + }) + } +}
diff --git a/agent-inject/agent/config.go b/agent-inject/agent/config.go
index 630f12c6..ac4ce0a3 100644
--- a/agent-inject/agent/config.go
+++ b/agent-inject/agent/config.go
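Review bot: TestDisableKeepAlives exercises only well-formed inputs, so it does not pin how New treats surrounding whitespace or an unknown feature name in the annotation, which is exactly the input a workload author controls. A fourth case such as `"whitespace": {annotations: map[string]string{"vault.hashicorp.com/agent-disable-keep-alives": "auto-auth, caching"}, expectedValue: []string{"auto-auth", " caching"}}` would document the current pass-through behaviour and would have to change if New is later made to trim or reject values. Whether the "none" case relies on basicAgentConfig leaving DisableKeepAlives empty is not visible from this diff.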
@@ -28,6 +28,7 @@ type Config struct { Cache *Cache `json:"cache,omitempty"` TemplateConfig *TemplateConfig `json:"template_config,omitempty"` DisableIdleConnections []string `json:"disable_idle_connections,omitempty"` + DisableKeepAlives []string `json:"disable_keep_alives,omitempty"` } // Vault contains configuration for connecting to Vault servers
@@ -192,6 +193,7 @@ func (a *Agent) newConfig(init bool) ([]byte, error) { StaticSecretRenderInterval: a.VaultAgentTemplateConfig.StaticSecretRenderInterval, }, DisableIdleConnections: a.DisableIdleConnections, + DisableKeepAlives: a.DisableKeepAlives, } if a.InjectToken {
diff --git a/agent-inject/handler.go b/agent-inject/handler.go
index 03aeeb94..00e7b494 100644
--- a/agent-inject/handler.go
+++ b/agent-inject/handler.go
@@ -69,6 +69,7 @@ type Handler struct { AuthMinBackoff string AuthMaxBackoff string DisableIdleConnections string + DisableKeepAlives string } // Handle is the http.HandlerFunc implementation that actually handles the
@@ -204,6 +205,7 @@ func (h *Handler) Mutate(req *admissionv1.AdmissionRequest) *admissionv1.Admissi AuthMinBackoff: h.AuthMinBackoff, AuthMaxBackoff: h.AuthMaxBackoff, DisableIdleConnections: h.DisableIdleConnections, + DisableKeepAlives: h.DisableKeepAlives, } err = agent.Init(&pod, cfg) if err != nil {
diff --git a/subcommand/injector/command.go b/subcommand/injector/command.go
index bdd7577c..6843ccfc 100644
--- a/subcommand/injector/command.go
+++ b/subcommand/injector/command.go
@@ -72,6 +72,7 @@ type Command struct { flagAuthMinBackoff string // Auth min backoff on failure flagAuthMaxBackoff string // Auth min backoff on failure flagDisableIdleConnections string // Idle connections control + flagDisableKeepAlives string // Keep-alives control flagSet *flag.FlagSet
@@ -209,6 +210,7 @@ func (c *Command) Run(args []string) int { AuthMinBackoff: c.flagAuthMinBackoff, AuthMaxBackoff: c.flagAuthMaxBackoff, DisableIdleConnections: c.flagDisableIdleConnections, + DisableKeepAlives: c.flagDisableKeepAlives, } mux := http.NewServeMux()
diff --git a/subcommand/injector/flags.go b/subcommand/injector/flags.go
index 9f7b11b7..f2cf2905 100644
--- a/subcommand/injector/flags.go
+++ b/subcommand/injector/flags.go
@@ -122,6 +122,9 @@ type Specification struct { // DisableIdleConnections is the AGENT_INJECT_DISABLE_IDLE_CONNECTIONS environment variable DisableIdleConnections string `split_words:"true"` + + // DisableKeepAlives is the AGENT_INJECT_DISABLE_KEEP_ALIVES environment variable + DisableKeepAlives string `split_words:"true"` } func (c *Command) init() {
@@ -188,6 +191,8 @@ func (c *Command) init() { "Sets the maximum backoff on auto-auth failure. Default is 5m") c.flagSet.StringVar(&c.flagDisableIdleConnections, "disable-idle-connections", "", "Comma-separated list of Vault features where idle connections should be disabled.") + c.flagSet.StringVar(&c.flagDisableKeepAlives, "disable-keep-alives", "", + "Comma-separated list of Vault features where keep-alives should be disabled.") tlsVersions := []string{} for v := range tlsutil.TLSLookup {
@@ -389,5 +394,9 @@ func (c *Command) parseEnvs() error { c.flagDisableIdleConnections = envs.DisableIdleConnections } + if envs.DisableKeepAlives != "" { + c.flagDisableKeepAlives = envs.DisableKeepAlives + } + return nil }
diff --git a/subcommand/injector/flags_test.go b/subcommand/injector/flags_test.go
index 60711965..b75f51f4 100644
--- a/subcommand/injector/flags_test.go
+++ b/subcommand/injector/flags_test.go
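Review bot: The help text for the new `disable-keep-alives` flag in init says "Vault features" without naming which ones are accepted, while the annotation constant in annotations.go documents the valid values as auto-auth, caching and templating. Suggest `"Comma-separated list of Vault Agent features (auto-auth, caching, templating) where keep-alives should be disabled."` so an operator can discover the accepted names from `--help` rather than from the annotation source. The DisableKeepAlives comment on Specification in the earlier hunk of this file could carry the same list. The init function begins and ends outside the hunk.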
@@ -137,6 +137,7 @@ func TestCommandEnvs(t *testing.T) { {env: "AGENT_INJECT_AUTH_MIN_BACKOFF", value: "5s", cmdPtr: &cmd.flagAuthMinBackoff}, {env: "AGENT_INJECT_AUTH_MAX_BACKOFF", value: "5s", cmdPtr: &cmd.flagAuthMaxBackoff}, {env: "AGENT_INJECT_DISABLE_IDLE_CONNECTIONS", value: "auto-auth,caching,templating", cmdPtr: &cmd.flagDisableIdleConnections}, + {env: "AGENT_INJECT_DISABLE_KEEP_ALIVES", value: "auto-auth,caching,templating", cmdPtr: &cmd.flagDisableKeepAlives}, } for _, tt := range tests {