agent: add disable_idle_connections configurable (#15986)

* agent: add disable_keep_alives configurable * Add empty test * Add website doc * Change to disable_idle_connections * Update tests and doc * Add note about env * Changelog * Change to slice * Remove unused disable keep alive methods * Add invalid value test
hashicorp · Jun 21, 2022 · 4fcb21d · 4fcb21d
1 parent 40cc442
commit 4fcb21d
Show file tree

Hide file tree

Showing 13 changed files with 565 additions and 12 deletions.
diff --git a/api/client.go b/api/client.go
@@ -720,6 +720,24 @@ func (c *Client) SetMaxRetries(retries int) {
 	c.config.MaxRetries = retries
 }
 
+func (c *Client) SetMaxIdleConnections(idle int) {
+	c.modifyLock.RLock()
+	defer c.modifyLock.RUnlock()
+	c.config.modifyLock.Lock()
+	defer c.config.modifyLock.Unlock()
+
+	c.config.HttpClient.Transport.(*http.Transport).MaxIdleConns = idle
+}
+
+func (c *Client) MaxIdleConnections() int {
+	c.modifyLock.RLock()
+	defer c.modifyLock.RUnlock()
+	c.config.modifyLock.Lock()
+	defer c.config.modifyLock.Unlock()
+
+	return c.config.HttpClient.Transport.(*http.Transport).MaxIdleConns
+}
+
 func (c *Client) MaxRetries() int {
 	c.modifyLock.RLock()
 	defer c.modifyLock.RUnlock()

diff --git a/changelog/15986.txt b/changelog/15986.txt
@@ -0,0 +1,2 @@
+```release-note:improvement
+agent: Added `disable_idle_connections` configuration to disable leaving idle connections open in auto-auth, caching and templating.
diff --git a/command/agent.go b/command/agent.go
@@ -368,13 +368,24 @@ func (c *AgentCommand) Run(args []string) int {
 			client.SetNamespace(config.AutoAuth.Method.Namespace)
 		}
 		templateNamespace = client.Headers().Get(consts.NamespaceHeaderName)
+
+		sinkClient, err := client.CloneWithHeaders()
+		if err != nil {
+			c.UI.Error(fmt.Sprintf("Error cloning client for file sink: %v", err))
+			return 1
+		}
+
+		if config.DisableIdleConnsAutoAuth {
+			sinkClient.SetMaxIdleConnections(-1)
+		}
+
 		for _, sc := range config.AutoAuth.Sinks {
 			switch sc.Type {
 			case "file":
 				config := &sink.SinkConfig{
 					Logger:    c.logger.Named("sink.file"),
 					Config:    sc.Config,
-					Client:    client,
+					Client:    sinkClient,
 					WrapTTL:   sc.WrapTTL,
 					DHType:    sc.DHType,
 					DeriveKey: sc.DeriveKey,
@@ -490,9 +501,19 @@ func (c *AgentCommand) Run(args []string) int {
 	if config.Cache != nil {
 		cacheLogger := c.logger.Named("cache")
 
+		proxyClient, err := client.CloneWithHeaders()
+		if err != nil {
+			c.UI.Error(fmt.Sprintf("Error cloning client for caching: %v", err))
+			return 1
+		}
+
+		if config.DisableIdleConnsAutoAuth {
+			proxyClient.SetMaxIdleConnections(-1)
+		}
+
 		// Create the API proxier
 		apiProxy, err := cache.NewAPIProxy(&cache.APIProxyConfig{
-			Client:                 client,
+			Client:                 proxyClient,
 			Logger:                 cacheLogger.Named("apiproxy"),
 			EnforceConsistency:     enforceConsistency,
 			WhenInconsistentAction: whenInconsistent,
@@ -505,7 +526,7 @@ func (c *AgentCommand) Run(args []string) int {
 		// Create the lease cache proxier and set its underlying proxier to
 		// the API proxier.
 		leaseCache, err = cache.NewLeaseCache(&cache.LeaseCacheConfig{
-			Client:      client,
+			Client:      proxyClient,
 			BaseContext: ctx,
 			Proxier:     apiProxy,
 			Logger:      cacheLogger.Named("leasecache"),
@@ -793,14 +814,19 @@ func (c *AgentCommand) Run(args []string) int {
 
 		// Auth Handler is going to set its own retry values, so we want to
 		// work on a copy of the client to not affect other subsystems.
-		clonedClient, err := c.client.CloneWithHeaders()
+		ahClient, err := c.client.CloneWithHeaders()
 		if err != nil {
 			c.UI.Error(fmt.Sprintf("Error cloning client for auth handler: %v", err))
 			return 1
 		}
+
+		if config.DisableIdleConnsAutoAuth {
+			ahClient.SetMaxIdleConnections(-1)
+		}
+
 		ah := auth.NewAuthHandler(&auth.AuthHandlerConfig{
 			Logger:                       c.logger.Named("auth.handler"),
-			Client:                       clonedClient,
+			Client:                       ahClient,
 			WrapTTL:                      config.AutoAuth.Method.WrapTTL,
 			MinBackoff:                   config.AutoAuth.Method.MinBackoff,
 			MaxBackoff:                   config.AutoAuth.Method.MaxBackoff,
@@ -811,7 +837,7 @@ func (c *AgentCommand) Run(args []string) int {
 
 		ss := sink.NewSinkServer(&sink.SinkServerConfig{
 			Logger:        c.logger.Named("sink.server"),
-			Client:        client,
+			Client:        ahClient,
 			ExitAfterAuth: exitAfterAuth,
 		})
 

diff --git a/command/agent/config/config.go b/command/agent/config/config.go
@@ -24,14 +24,20 @@ import (
 type Config struct {
 	*configutil.SharedConfig `hcl:"-"`
 
-	AutoAuth       *AutoAuth                  `hcl:"auto_auth"`
-	ExitAfterAuth  bool                       `hcl:"exit_after_auth"`
-	Cache          *Cache                     `hcl:"cache"`
-	Vault          *Vault                     `hcl:"vault"`
-	TemplateConfig *TemplateConfig            `hcl:"template_config"`
-	Templates      []*ctconfig.TemplateConfig `hcl:"templates"`
+	AutoAuth                   *AutoAuth                  `hcl:"auto_auth"`
+	ExitAfterAuth              bool                       `hcl:"exit_after_auth"`
+	Cache                      *Cache                     `hcl:"cache"`
+	Vault                      *Vault                     `hcl:"vault"`
+	TemplateConfig             *TemplateConfig            `hcl:"template_config"`
+	Templates                  []*ctconfig.TemplateConfig `hcl:"templates"`
+	DisableIdleConns           []string                   `hcl:"disable_idle_connections"`
+	DisableIdleConnsCaching    bool                       `hcl:"-"`
+	DisableIdleConnsTemplating bool                       `hcl:"-"`
+	DisableIdleConnsAutoAuth   bool                       `hcl:"-"`
 }
 
+const DisableIdleConnsEnv = "VAULT_AGENT_DISABLE_IDLE_CONNECTIONS"
+
 func (c *Config) Prune() {
 	for _, l := range c.Listeners {
 		l.RawConfig = nil
@@ -260,6 +266,28 @@ func LoadConfig(path string) (*Config, error) {
 		result.Vault.Retry.NumRetries = 0
 	}
 
+	if disableIdleConnsEnv := os.Getenv(DisableIdleConnsEnv); disableIdleConnsEnv != "" {
+		result.DisableIdleConns, err = parseutil.ParseCommaStringSlice(strings.ToLower(disableIdleConnsEnv))
+		if err != nil {
+			return nil, fmt.Errorf("error parsing environment variable %s: %v", DisableIdleConnsEnv, err)
+		}
+	}
+
+	for _, subsystem := range result.DisableIdleConns {
+		switch subsystem {
+		case "auto-auth":
+			result.DisableIdleConnsAutoAuth = true
+		case "caching":
+			result.DisableIdleConnsCaching = true
+		case "templating":
+			result.DisableIdleConnsTemplating = true
+		case "":
+			continue
+		default:
+			return nil, fmt.Errorf("unknown disable_idle_connections value: %s", subsystem)
+		}
+	}
+
 	return result, nil
 }