From 3e9a6b687deb485083ecb0197069bf3b4e64dcf2 Mon Sep 17 00:00:00 2001 From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Tue, 14 Jun 2022 17:04:36 -0400 Subject: [PATCH 01/10] agent: add disable_keep_alives configurable --- api/client.go | 18 ++ command/agent.go | 32 ++- command/agent/config/config.go | 30 ++- command/agent/config/config_test.go | 196 ++++++++++++++++++ .../config-disable-keep-alives-all.hcl | 27 +++ .../config-disable-keep-alives-auto-auth.hcl | 27 +++ .../config-disable-keep-alives-caching.hcl | 27 +++ .../config-disable-keep-alives-empty.hcl | 27 +++ .../config-disable-keep-alives-templating.hcl | 27 +++ command/agent/template/template.go | 3 + 10 files changed, 402 insertions(+), 12 deletions(-) create mode 100644 command/agent/config/test-fixtures/config-disable-keep-alives-all.hcl create mode 100644 command/agent/config/test-fixtures/config-disable-keep-alives-auto-auth.hcl create mode 100644 command/agent/config/test-fixtures/config-disable-keep-alives-caching.hcl create mode 100644 command/agent/config/test-fixtures/config-disable-keep-alives-empty.hcl create mode 100644 command/agent/config/test-fixtures/config-disable-keep-alives-templating.hcl diff --git a/api/client.go b/api/client.go index b5f7e9bb82656..8666925756311 100644 --- a/api/client.go +++ b/api/client.go 
@@ -720,6 +720,24 @@ func (c *Client) SetMaxRetries(retries int) {
 c.config.MaxRetries = retries
 }
 
+func (c *Client) SetDisableKeepAlives(disable bool) {
+ c.modifyLock.RLock()
+ defer c.modifyLock.RUnlock()
+ c.config.modifyLock.Lock()
+ defer c.config.modifyLock.Unlock()
+
+ c.config.HttpClient.Transport.(*http.Transport).DisableKeepAlives = disable
+}
+
+func (c *Client) DisableKeepAlives() bool {
+ c.modifyLock.RLock()
+ defer c.modifyLock.RUnlock()
+ c.config.modifyLock.Lock()
+ defer c.config.modifyLock.Unlock()
+
+ return c.config.HttpClient.Transport.(*http.Transport).DisableKeepAlives
+}
+
 func (c *Client) MaxRetries() int {
 c.modifyLock.RLock()
 defer c.modifyLock.RUnlock()
diff --git a/command/agent.go b/command/agent.go
index 883944da756c3..5d1a6cd4e52ef 100644
--- a/command/agent.go
+++ b/command/agent.go
@@ -368,13 +368,22 @@ func (c *AgentCommand) Run(args []string) int {
 client.SetNamespace(config.AutoAuth.Method.Namespace)
 }
 templateNamespace = client.Headers().Get(consts.NamespaceHeaderName)
+
+ sinkClient, err := client.CloneWithHeaders()
+ if err != nil {
+ c.UI.Error(fmt.Sprintf("Error cloning client for file sink: %v", err))
+ return 1
+ }
+
+ sinkClient.SetDisableKeepAlives(config.DisableKeepAlivesAutoAuth)
+
 for _, sc := range config.AutoAuth.Sinks {
 switch sc.Type {
 case "file":
 config := &sink.SinkConfig{
 Logger: c.logger.Named("sink.file"),
 Config: sc.Config,
- Client: client,
+ Client: sinkClient,
 WrapTTL: sc.WrapTTL,
 DHType: sc.DHType,
 DeriveKey: sc.DeriveKey,
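Review bot: `c.config.HttpClient.Transport.(*http.Transport)` in both SetDisableKeepAlives and DisableKeepAlives is an unchecked type assertion, so a caller that has installed a wrapping RoundTripper on the exported HttpClient panics on the first call; SetMaxIdleConnections and MaxIdleConnections in PATCH 04 (the api/client.go hunk there) repeat the same pattern. Use the two-value form and either no-op or return an error when the transport is not an *http.Transport, and have the getter return false in that case. Both exported methods also lack the doc comment lint expects, e.g. `// SetDisableKeepAlives sets DisableKeepAlives on the client's underlying *http.Transport; it has no effect when a custom RoundTripper is installed.`
```go
func (c *Client) SetDisableKeepAlives(disable bool) {
	// … unchanged: lock acquisition …
	transport, ok := c.config.HttpClient.Transport.(*http.Transport)
	if !ok {
		// A custom RoundTripper is installed; there is no transport setting to change.
		return
	}
	transport.DisableKeepAlives = disable
}
```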
@@ -490,9 +499,17 @@ func (c *AgentCommand) Run(args []string) int { if config.Cache != nil { cacheLogger := c.logger.Named("cache") + proxyClient, err := client.CloneWithHeaders() + if err != nil { + c.UI.Error(fmt.Sprintf("Error cloning client for caching: %v", err)) + return 1 + } + + proxyClient.SetDisableKeepAlives(config.DisableKeepAlivesCaching) + // Create the API proxier apiProxy, err := cache.NewAPIProxy(&cache.APIProxyConfig{ - Client: client, + Client: proxyClient, Logger: cacheLogger.Named("apiproxy"), EnforceConsistency: enforceConsistency, WhenInconsistentAction: whenInconsistent, @@ -505,7 +522,7 @@ func (c *AgentCommand) Run(args []string) int { // Create the lease cache proxier and set its underlying proxier to // the API proxier. leaseCache, err = cache.NewLeaseCache(&cache.LeaseCacheConfig{ - Client: client, + Client: proxyClient, BaseContext: ctx, Proxier: apiProxy, Logger: cacheLogger.Named("leasecache"), @@ -793,14 +810,17 @@ func (c *AgentCommand) Run(args []string) int { // Auth Handler is going to set its own retry values, so we want to // work on a copy of the client to not affect other subsystems. - clonedClient, err := c.client.CloneWithHeaders() + ahClient, err := c.client.CloneWithHeaders() if err != nil { c.UI.Error(fmt.Sprintf("Error cloning client for auth handler: %v", err)) return 1 } + + ahClient.SetDisableKeepAlives(config.DisableKeepAlivesAutoAuth) + ah := auth.NewAuthHandler(&auth.AuthHandlerConfig{ Logger: c.logger.Named("auth.handler"), - Client: clonedClient, + Client: ahClient, WrapTTL: config.AutoAuth.Method.WrapTTL, MinBackoff: config.AutoAuth.Method.MinBackoff, MaxBackoff: config.AutoAuth.Method.MaxBackoff, @@ -811,7 +831,7 @@ func (c *AgentCommand) Run(args []string) int { ss := sink.NewSinkServer(&sink.SinkServerConfig{ Logger: c.logger.Named("sink.server"), - Client: client, + Client: ahClient, ExitAfterAuth: exitAfterAuth, }) 
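Review bot: In the last hunk (@@ -811) `sink.NewSinkServer` now receives `ahClient`, the clone that the comment two hunks earlier (@@ -793) justifies with "work on a copy of the client to not affect other subsystems" because the auth handler sets its own retry values; the sink server now inherits those retry values and the comment is stale. The hunk at @@ -368 already clones `sinkClient` for the file sinks with the same keep-alive setting, so if it is still in scope here `Client: sinkClient,` keeps the auth handler isolated; if it is not, clone once more and call SetDisableKeepAlives on that copy. Either way, reword the comment to say which subsystems share a transport and why. Run's body extends well beyond these hunks, so scope of `sinkClient` cannot be confirmed from the diff.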
diff --git a/command/agent/config/config.go b/command/agent/config/config.go
index e68af26f644fc..d5ea4b4e29217 100644
--- a/command/agent/config/config.go
+++ b/command/agent/config/config.go
@@ -24,12 +24,16 @@ import (
 type Config struct {
 *configutil.SharedConfig `hcl:"-"`
 
- AutoAuth *AutoAuth `hcl:"auto_auth"`
- ExitAfterAuth bool `hcl:"exit_after_auth"`
- Cache *Cache `hcl:"cache"`
- Vault *Vault `hcl:"vault"`
- TemplateConfig *TemplateConfig `hcl:"template_config"`
- Templates []*ctconfig.TemplateConfig `hcl:"templates"`
+ AutoAuth *AutoAuth `hcl:"auto_auth"`
+ ExitAfterAuth bool `hcl:"exit_after_auth"`
+ Cache *Cache `hcl:"cache"`
+ Vault *Vault `hcl:"vault"`
+ TemplateConfig *TemplateConfig `hcl:"template_config"`
+ Templates []*ctconfig.TemplateConfig `hcl:"templates"`
+ DisableKeepAlives string `hcl:"disable_keep_alives"`
+ DisableKeepAlivesCaching bool
+ DisableKeepAlivesTemplating bool
+ DisableKeepAlivesAutoAuth bool
 }
 
 func (c *Config) Prune() {
@@ -260,6 +264,20 @@ func LoadConfig(path string) (*Config, error) {
 result.Vault.Retry.NumRetries = 0
 }
 
+ if result.DisableKeepAlives != "" {
+ if strings.Contains(strings.ToLower(result.DisableKeepAlives), "caching") {
+ result.DisableKeepAlivesCaching = true
+ }
+
+ if strings.Contains(strings.ToLower(result.DisableKeepAlives), "auto-auth") {
+ result.DisableKeepAlivesAutoAuth = true
+ }
+
+ if strings.Contains(strings.ToLower(result.DisableKeepAlives), "templating") {
+ result.DisableKeepAlivesTemplating = true
+ }
+ }
+
 return result, nil
 }
 
diff --git a/command/agent/config/config_test.go b/command/agent/config/config_test.go
index 1a1aec2a14d1c..4efa3f90d97ce 100644
--- a/command/agent/config/config_test.go
+++ b/command/agent/config/config_test.go
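Review bot: The three `strings.Contains(strings.ToLower(result.DisableKeepAlives), …)` checks in the LoadConfig hunk match substrings rather than tokens, so a misspelled or unsupported entry (`cache`, `auto_auth`, `template`) is silently ignored and keep-alives stay on where the operator meant to turn them off, while `auto-auth,anything` passes without complaint. Split on `,`, trim, and reject anything outside the three documented values with an error from LoadConfig (fmt.Errorf if fmt is already imported, else errors.New); the `auto-auth,templating,caching` fixture still parses. The rewrite of this block in PATCH 05 (config.go hunk @@ -264) keeps the substring matching, so the same applies there. The first hunk also adds three derived bool fields without a comment; `// Derived from DisableKeepAlives by LoadConfig; not read from HCL.` above them would tell command/agent.go which field to consult.
```go
	if result.DisableKeepAlives != "" {
		for _, feature := range strings.Split(result.DisableKeepAlives, ",") {
			switch strings.ToLower(strings.TrimSpace(feature)) {
			case "auto-auth":
				result.DisableKeepAlivesAutoAuth = true
			case "caching":
				result.DisableKeepAlivesCaching = true
			case "templating":
				result.DisableKeepAlivesTemplating = true
			default:
				return nil, fmt.Errorf("unknown disable_keep_alives value %q", feature)
			}
		}
	}
	// … unchanged: return result, nil …
```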
@@ -1033,3 +1033,199 @@ func TestLoadConfigFile_EnforceConsistency(t *testing.T) { t.Fatal(diff) } } + +func TestLoadConfigFile_Disable_Keep_Alives_All(t *testing.T) { + config, err := LoadConfig("./test-fixtures/config-disable-keep-alives-all.hcl") + if err != nil { + t.Fatal(err) + } + + expected := &Config{ + SharedConfig: &configutil.SharedConfig{ + PidFile: "./pidfile", + }, + DisableKeepAlives: "auto-auth,templating,caching", + DisableKeepAlivesCaching: true, + DisableKeepAlivesAutoAuth: true, + DisableKeepAlivesTemplating: true, + AutoAuth: &AutoAuth{ + Method: &Method{ + Type: "aws", + MountPath: "auth/aws", + Namespace: "my-namespace/", + Config: map[string]interface{}{ + "role": "foobar", + }, + }, + Sinks: []*Sink{ + { + Type: "file", + DHType: "curve25519", + DHPath: "/tmp/file-foo-dhpath", + AAD: "foobar", + Config: map[string]interface{}{ + "path": "/tmp/file-foo", + }, + }, + }, + }, + Vault: &Vault{ + Address: "http://127.0.0.1:1111", + Retry: &Retry{ + ctconfig.DefaultRetryAttempts, + }, + }, + } + + config.Prune() + if diff := deep.Equal(config, expected); diff != nil { + t.Fatal(diff) + } +} + +func TestLoadConfigFile_Disable_Keep_Alives_Auto_Auth(t *testing.T) { + config, err := LoadConfig("./test-fixtures/config-disable-keep-alives-auto-auth.hcl") + if err != nil { + t.Fatal(err) + } + + expected := &Config{ + SharedConfig: &configutil.SharedConfig{ + PidFile: "./pidfile", + }, + DisableKeepAlives: "auto-auth", + DisableKeepAlivesCaching: false, + DisableKeepAlivesAutoAuth: true, + DisableKeepAlivesTemplating: false, + AutoAuth: &AutoAuth{ + Method: &Method{ + Type: "aws", + MountPath: "auth/aws", + Namespace: "my-namespace/", + Config: map[string]interface{}{ + "role": "foobar", + }, + }, + Sinks: []*Sink{ + { + Type: "file", + DHType: "curve25519", + DHPath: "/tmp/file-foo-dhpath", + AAD: "foobar", + Config: map[string]interface{}{ + "path": "/tmp/file-foo", + }, + }, + }, + }, + Vault: &Vault{ + Address: "http://127.0.0.1:1111", + Retry: 
&Retry{ + ctconfig.DefaultRetryAttempts, + }, + }, + } + + config.Prune() + if diff := deep.Equal(config, expected); diff != nil { + t.Fatal(diff) + } +} + +func TestLoadConfigFile_Disable_Keep_Alives_Templating(t *testing.T) { + config, err := LoadConfig("./test-fixtures/config-disable-keep-alives-templating.hcl") + if err != nil { + t.Fatal(err) + } + + expected := &Config{ + SharedConfig: &configutil.SharedConfig{ + PidFile: "./pidfile", + }, + DisableKeepAlives: "templating", + DisableKeepAlivesCaching: false, + DisableKeepAlivesAutoAuth: false, + DisableKeepAlivesTemplating: true, + AutoAuth: &AutoAuth{ + Method: &Method{ + Type: "aws", + MountPath: "auth/aws", + Namespace: "my-namespace/", + Config: map[string]interface{}{ + "role": "foobar", + }, + }, + Sinks: []*Sink{ + { + Type: "file", + DHType: "curve25519", + DHPath: "/tmp/file-foo-dhpath", + AAD: "foobar", + Config: map[string]interface{}{ + "path": "/tmp/file-foo", + }, + }, + }, + }, + Vault: &Vault{ + Address: "http://127.0.0.1:1111", + Retry: &Retry{ + ctconfig.DefaultRetryAttempts, + }, + }, + } + + config.Prune() + if diff := deep.Equal(config, expected); diff != nil { + t.Fatal(diff) + } +} + +func TestLoadConfigFile_Disable_Keep_Alives_Caching(t *testing.T) { + config, err := LoadConfig("./test-fixtures/config-disable-keep-alives-caching.hcl") + if err != nil { + t.Fatal(err) + } + + expected := &Config{ + SharedConfig: &configutil.SharedConfig{ + PidFile: "./pidfile", + }, + DisableKeepAlives: "caching", + DisableKeepAlivesCaching: true, + DisableKeepAlivesAutoAuth: false, + DisableKeepAlivesTemplating: false, + AutoAuth: &AutoAuth{ + Method: &Method{ + Type: "aws", + MountPath: "auth/aws", + Namespace: "my-namespace/", + Config: map[string]interface{}{ + "role": "foobar", + }, + }, + Sinks: []*Sink{ + { + Type: "file", + DHType: "curve25519", + DHPath: "/tmp/file-foo-dhpath", + AAD: "foobar", + Config: map[string]interface{}{ + "path": "/tmp/file-foo", + }, + }, + }, + }, + Vault: &Vault{ + 
Address: "http://127.0.0.1:1111", + Retry: &Retry{ + ctconfig.DefaultRetryAttempts, + }, + }, + } + + config.Prune() + if diff := deep.Equal(config, expected); diff != nil { + t.Fatal(diff) + } +} diff --git a/command/agent/config/test-fixtures/config-disable-keep-alives-all.hcl b/command/agent/config/test-fixtures/config-disable-keep-alives-all.hcl new file mode 100644 index 0000000000000..9586931381ee1 --- /dev/null +++ b/command/agent/config/test-fixtures/config-disable-keep-alives-all.hcl @@ -0,0 +1,27 @@ +pid_file = "./pidfile" +disable_keep_alives = "auto-auth,templating,caching" + +auto_auth { + method { + type = "aws" + namespace = "my-namespace/" + + config = { + role = "foobar" + } + } + + sink { + type = "file" + config = { + path = "/tmp/file-foo" + } + aad = "foobar" + dh_type = "curve25519" + dh_path = "/tmp/file-foo-dhpath" + } +} + +vault { + address = "http://127.0.0.1:1111" +} diff --git a/command/agent/config/test-fixtures/config-disable-keep-alives-auto-auth.hcl b/command/agent/config/test-fixtures/config-disable-keep-alives-auto-auth.hcl new file mode 100644 index 0000000000000..7fdd59539feb9 --- /dev/null +++ b/command/agent/config/test-fixtures/config-disable-keep-alives-auto-auth.hcl @@ -0,0 +1,27 @@ +pid_file = "./pidfile" +disable_keep_alives = "auto-auth" + +auto_auth { + method { + type = "aws" + namespace = "my-namespace/" + + config = { + role = "foobar" + } + } + + sink { + type = "file" + config = { + path = "/tmp/file-foo" + } + aad = "foobar" + dh_type = "curve25519" + dh_path = "/tmp/file-foo-dhpath" + } +} + +vault { + address = "http://127.0.0.1:1111" +} diff --git a/command/agent/config/test-fixtures/config-disable-keep-alives-caching.hcl b/command/agent/config/test-fixtures/config-disable-keep-alives-caching.hcl new file mode 100644 index 0000000000000..65765f9adb8a3 --- /dev/null +++ b/command/agent/config/test-fixtures/config-disable-keep-alives-caching.hcl 
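Review bot: The four new tests differ only in the fixture path and the three expected booleans, yet each repeats the same forty-line expected Config literal, which hides what is actually under test. A table-driven test with a `cases := []struct{ fixture, raw string; autoAuth, caching, templating bool }` slice and one helper building the shared expected value would make the variants one line each and absorb the cases added later in this series (the empty fixture in PATCH 02, the environment override in PATCH 05). Style only; the assertions themselves look correct.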
@@ -0,0 +1,27 @@ +pid_file = "./pidfile" +disable_keep_alives = "caching" + +auto_auth { + method { + type = "aws" + namespace = "my-namespace/" + + config = { + role = "foobar" + } + } + + sink { + type = "file" + config = { + path = "/tmp/file-foo" + } + aad = "foobar" + dh_type = "curve25519" + dh_path = "/tmp/file-foo-dhpath" + } +} + +vault { + address = "http://127.0.0.1:1111" +} diff --git a/command/agent/config/test-fixtures/config-disable-keep-alives-empty.hcl b/command/agent/config/test-fixtures/config-disable-keep-alives-empty.hcl new file mode 100644 index 0000000000000..5b1a7449144fb --- /dev/null +++ b/command/agent/config/test-fixtures/config-disable-keep-alives-empty.hcl @@ -0,0 +1,27 @@ +pid_file = "./pidfile" +disable_keep_alives = "" + +auto_auth { + method { + type = "aws" + namespace = "my-namespace/" + + config = { + role = "foobar" + } + } + + sink { + type = "file" + config = { + path = "/tmp/file-foo" + } + aad = "foobar" + dh_type = "curve25519" + dh_path = "/tmp/file-foo-dhpath" + } +} + +vault { + address = "http://127.0.0.1:1111" +} diff --git a/command/agent/config/test-fixtures/config-disable-keep-alives-templating.hcl b/command/agent/config/test-fixtures/config-disable-keep-alives-templating.hcl new file mode 100644 index 0000000000000..48b323d375c81 --- /dev/null +++ b/command/agent/config/test-fixtures/config-disable-keep-alives-templating.hcl @@ -0,0 +1,27 @@ +pid_file = "./pidfile" +disable_keep_alives = "templating" + +auto_auth { + method { + type = "aws" + namespace = "my-namespace/" + + config = { + role = "foobar" + } + } + + sink { + type = "file" + config = { + path = "/tmp/file-foo" + } + aad = "foobar" + dh_type = "curve25519" + dh_path = "/tmp/file-foo-dhpath" + } +} + +vault { + address = "http://127.0.0.1:1111" +} diff --git a/command/agent/template/template.go b/command/agent/template/template.go index 9ff22fbd9b25c..13f736eee3d63 100644 --- a/command/agent/template/template.go 
+++ b/command/agent/template/template.go @@ -107,6 +107,7 @@ func (ts *Server) Run(ctx context.Context, incoming chan string, templates []*ct // configuration var runnerConfig *ctconfig.Config var runnerConfigErr error + if runnerConfig, runnerConfigErr = newRunnerConfig(ts.config, templates); runnerConfigErr != nil { return fmt.Errorf("template server failed to runner generate config: %w", runnerConfigErr) } @@ -244,6 +245,8 @@ func newRunnerConfig(sc *ServerConfig, templates ctconfig.TemplateConfigs) (*ctc conf.Vault.DefaultLeaseDuration = &sc.AgentConfig.TemplateConfig.StaticSecretRenderInt } + conf.Vault.Transport.DisableKeepAlives = &sc.AgentConfig.DisableKeepAlivesTemplating + conf.Vault.SSL = &ctconfig.SSLConfig{ Enabled: pointerutil.BoolPtr(false), Verify: pointerutil.BoolPtr(false), From 5f1237eab9362a039abf8ccb1b5f82c194229c69 Mon Sep 17 00:00:00 2001 From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Tue, 14 Jun 2022 17:05:55 -0400 Subject: [PATCH 02/10] Add empty test --- command/agent/config/config_test.go | 49 +++++++++++++++++++++++++++++ 1 file changed, 49 insertions(+) diff --git a/command/agent/config/config_test.go b/command/agent/config/config_test.go index 4efa3f90d97ce..788ebc6bb5bb1 100644 --- a/command/agent/config/config_test.go +++ b/command/agent/config/config_test.go 
@@ -1229,3 +1229,52 @@ func TestLoadConfigFile_Disable_Keep_Alives_Caching(t *testing.T) { t.Fatal(diff) } } + +func TestLoadConfigFile_Disable_Keep_Alives_Empty(t *testing.T) { + config, err := LoadConfig("./test-fixtures/config-disable-keep-alives-empty.hcl") + if err != nil { + t.Fatal(err) + } + + expected := &Config{ + SharedConfig: &configutil.SharedConfig{ + PidFile: "./pidfile", + }, + DisableKeepAlives: "", + DisableKeepAlivesCaching: false, + DisableKeepAlivesAutoAuth: false, + DisableKeepAlivesTemplating: false, + AutoAuth: &AutoAuth{ + Method: &Method{ + Type: "aws", + MountPath: "auth/aws", + Namespace: "my-namespace/", + Config: map[string]interface{}{ + "role": "foobar", + }, + }, + Sinks: []*Sink{ + { + Type: "file", + DHType: "curve25519", + DHPath: "/tmp/file-foo-dhpath", + AAD: "foobar", + Config: map[string]interface{}{ + "path": "/tmp/file-foo", + }, + }, + }, + }, + Vault: &Vault{ + Address: "http://127.0.0.1:1111", + Retry: &Retry{ + ctconfig.DefaultRetryAttempts, + }, + }, + } + + config.Prune() + if diff := deep.Equal(config, expected); diff != nil { + t.Fatal(diff) + } +} From 25fe992aa9e2e070562bd8869f5644053be1d6fb Mon Sep 17 00:00:00 2001 From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Tue, 14 Jun 2022 17:08:46 -0400 Subject: [PATCH 03/10] Add website doc --- website/content/docs/agent/index.mdx | 3 +++ 1 file changed, 3 insertions(+) diff --git a/website/content/docs/agent/index.mdx b/website/content/docs/agent/index.mdx index a7de23df14452..e33ebcdf1a99f 100644 --- a/website/content/docs/agent/index.mdx +++ b/website/content/docs/agent/index.mdx 
@@ -144,6 +144,9 @@ These are the currently-available general configuration option: with code `0` after a single successful auth, where success means that a token was retrieved and all sinks successfully wrote it +- `disable_keep_alives` `(string: "")` - A comma separated string that disables keep alives for various features in Vault Agent. + Valid values include: `auto-auth`, `caching` and `templating`. + - `template` ([template][template]: ) - Specifies options used for templating Vault secrets to files. - `template_config` ([template_config][template-config]: ) - Specifies templating engine behavior. From f752243f008a142d5c8569c3022b3f3873bedf7a Mon Sep 17 00:00:00 2001 From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Thu, 16 Jun 2022 14:14:07 -0400 Subject: [PATCH 04/10] Change to disable_idle_connections --- api/client.go | 18 +++++++++++ command/agent.go | 12 +++++-- command/agent/config/config.go | 34 ++++++++++---------- command/agent/config/config_test.go | 50 ++++++++++++++--------------- command/agent/template/template.go | 5 ++- 5 files changed, 73 insertions(+), 46 deletions(-) diff --git a/api/client.go b/api/client.go index 8666925756311..83db209d47c28 100644 --- a/api/client.go +++ b/api/client.go @@ -738,6 +738,24 @@ func (c *Client) DisableKeepAlives() bool { return c.config.HttpClient.Transport.(*http.Transport).DisableKeepAlives } +func (c *Client) SetMaxIdleConnections(idle int) { + c.modifyLock.RLock() + defer c.modifyLock.RUnlock() + c.config.modifyLock.Lock() + defer c.config.modifyLock.Unlock() + + c.config.HttpClient.Transport.(*http.Transport).MaxIdleConns = idle +} + +func (c *Client) MaxIdleConnections() int { + c.modifyLock.RLock() + defer c.modifyLock.RUnlock() + c.config.modifyLock.Lock() + defer c.config.modifyLock.Unlock() + + return c.config.HttpClient.Transport.(*http.Transport).MaxIdleConns +} + func (c *Client) MaxRetries() int { c.modifyLock.RLock() defer c.modifyLock.RUnlock() 
diff --git a/command/agent.go b/command/agent.go
index 5d1a6cd4e52ef..16fa9fa38e18d 100644
--- a/command/agent.go
+++ b/command/agent.go
@@ -375,7 +375,9 @@ func (c *AgentCommand) Run(args []string) int {
 return 1
 }
 
- sinkClient.SetDisableKeepAlives(config.DisableKeepAlivesAutoAuth)
+ if config.DisableIdleConnsAutoAuth {
+ sinkClient.SetMaxIdleConnections(-1)
+ }
 
 for _, sc := range config.AutoAuth.Sinks {
 switch sc.Type {
@@ -505,7 +507,9 @@ func (c *AgentCommand) Run(args []string) int {
 return 1
 }
 
- proxyClient.SetDisableKeepAlives(config.DisableKeepAlivesCaching)
+ if config.DisableIdleConnsAutoAuth {
+ proxyClient.SetMaxIdleConnections(-1)
+ }
 
 // Create the API proxier
 apiProxy, err := cache.NewAPIProxy(&cache.APIProxyConfig{
@@ -816,7 +820,9 @@ func (c *AgentCommand) Run(args []string) int {
 return 1
 }
 
- ahClient.SetDisableKeepAlives(config.DisableKeepAlivesAutoAuth)
+ if config.DisableIdleConnsAutoAuth {
+ ahClient.SetMaxIdleConnections(-1)
+ }
 
 ah := auth.NewAuthHandler(&auth.AuthHandlerConfig{
 Logger: c.logger.Named("auth.handler"),
diff --git a/command/agent/config/config.go b/command/agent/config/config.go
index d5ea4b4e29217..fe9f82054fb08 100644
--- a/command/agent/config/config.go
+++ b/command/agent/config/config.go
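Review bot: The middle hunk (@@ -505) gates the caching proxy client on `config.DisableIdleConnsAutoAuth`, while the line it replaces used the caching flag; as written, `disable_idle_connections = "caching"` has no effect on the proxy and `"auto-auth"` unexpectedly changes it. It should read `if config.DisableIdleConnsCaching {`. None of the tests in this series go beyond LoadConfig, so nothing catches the wrong flag; a one-line comment on each of the three blocks naming the subsystem whose flag is applied would make a mix-up visible at a glance. Separately, all three blocks (and the template.go hunk in this commit) rely on `SetMaxIdleConnections(-1)`, and the net/http documentation for MaxIdleConns only says zero means no limit — if the intent is that a negative cap evicts every connection as soon as it goes idle, record that in a comment so the next reader does not have to re-derive it from the transport source.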
@@ -24,16 +24,16 @@ import (
 type Config struct {
 *configutil.SharedConfig `hcl:"-"`
 
- AutoAuth *AutoAuth `hcl:"auto_auth"`
- ExitAfterAuth bool `hcl:"exit_after_auth"`
- Cache *Cache `hcl:"cache"`
- Vault *Vault `hcl:"vault"`
- TemplateConfig *TemplateConfig `hcl:"template_config"`
- Templates []*ctconfig.TemplateConfig `hcl:"templates"`
- DisableKeepAlives string `hcl:"disable_keep_alives"`
- DisableKeepAlivesCaching bool
- DisableKeepAlivesTemplating bool
- DisableKeepAlivesAutoAuth bool
+ AutoAuth *AutoAuth `hcl:"auto_auth"`
+ ExitAfterAuth bool `hcl:"exit_after_auth"`
+ Cache *Cache `hcl:"cache"`
+ Vault *Vault `hcl:"vault"`
+ TemplateConfig *TemplateConfig `hcl:"template_config"`
+ Templates []*ctconfig.TemplateConfig `hcl:"templates"`
+ DisableIdleConns string `hcl:"disable_idle_connections"`
+ DisableIdleConnsCaching bool `hcl:"-"`
+ DisableIdleConnsTemplating bool `hcl:"-"`
+ DisableIdleConnsAutoAuth bool `hcl:"-"`
 }
 
 func (c *Config) Prune() {
@@ -264,17 +264,17 @@ func LoadConfig(path string) (*Config, error) {
 result.Vault.Retry.NumRetries = 0
 }
 
- if result.DisableKeepAlives != "" {
- if strings.Contains(strings.ToLower(result.DisableKeepAlives), "caching") {
- result.DisableKeepAlivesCaching = true
+ if result.DisableIdleConns != "" {
+ if strings.Contains(strings.ToLower(result.DisableIdleConns), "caching") {
+ result.DisableIdleConnsCaching = true
 }
 
- if strings.Contains(strings.ToLower(result.DisableKeepAlives), "auto-auth") {
- result.DisableKeepAlivesAutoAuth = true
+ if strings.Contains(strings.ToLower(result.DisableIdleConns), "auto-auth") {
+ result.DisableIdleConnsAutoAuth = true
 }
 
- if strings.Contains(strings.ToLower(result.DisableKeepAlives), "templating") {
- result.DisableKeepAlivesTemplating = true
+ if strings.Contains(strings.ToLower(result.DisableIdleConns), "templating") {
+ result.DisableIdleConnsTemplating = true
 }
 }
 
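Review bot: The three `hcl:"-"` fields added to Config in the first hunk are exported but nothing says where their values come from, so a reader of command/agent.go cannot tell whether to consult the string or the booleans. A comment above them such as `// DisableIdleConnsCaching, DisableIdleConnsTemplating and DisableIdleConnsAutoAuth are derived from DisableIdleConns by LoadConfig and are never read from HCL.` would settle that, and `DisableIdleConns` itself deserves `// DisableIdleConns is the raw, comma-separated disable_idle_connections setting.`.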
diff --git a/command/agent/config/config_test.go b/command/agent/config/config_test.go index 788ebc6bb5bb1..2b7fdbe199136 100644 --- a/command/agent/config/config_test.go +++ b/command/agent/config/config_test.go @@ -1034,7 +1034,7 @@ func TestLoadConfigFile_EnforceConsistency(t *testing.T) { } } -func TestLoadConfigFile_Disable_Keep_Alives_All(t *testing.T) { +func TestLoadConfigFile_Disable_Idle_Conns_All(t *testing.T) { config, err := LoadConfig("./test-fixtures/config-disable-keep-alives-all.hcl") if err != nil { t.Fatal(err) @@ -1044,10 +1044,10 @@ func TestLoadConfigFile_Disable_Keep_Alives_All(t *testing.T) { SharedConfig: &configutil.SharedConfig{ PidFile: "./pidfile", }, - DisableKeepAlives: "auto-auth,templating,caching", - DisableKeepAlivesCaching: true, - DisableKeepAlivesAutoAuth: true, - DisableKeepAlivesTemplating: true, + DisableIdleConns: "auto-auth,templating,caching", + DisableIdleConnsCaching: true, + DisableIdleConnsAutoAuth: true, + DisableIdleConnsTemplating: true, AutoAuth: &AutoAuth{ Method: &Method{ Type: "aws", @@ -1083,7 +1083,7 @@ func TestLoadConfigFile_Disable_Keep_Alives_All(t *testing.T) { } } -func TestLoadConfigFile_Disable_Keep_Alives_Auto_Auth(t *testing.T) { +func TestLoadConfigFile_Disable_Idle_Conns_Auto_Auth(t *testing.T) { config, err := LoadConfig("./test-fixtures/config-disable-keep-alives-auto-auth.hcl") if err != nil { t.Fatal(err) @@ -1093,10 +1093,10 @@ func TestLoadConfigFile_Disable_Keep_Alives_Auto_Auth(t *testing.T) { SharedConfig: &configutil.SharedConfig{ PidFile: "./pidfile", }, - DisableKeepAlives: "auto-auth", - DisableKeepAlivesCaching: false, - DisableKeepAlivesAutoAuth: true, - DisableKeepAlivesTemplating: false, + DisableIdleConns: "auto-auth", + DisableIdleConnsCaching: false, + DisableIdleConnsAutoAuth: true, + DisableIdleConnsTemplating: false, AutoAuth: &AutoAuth{ Method: &Method{ Type: "aws", 
@@ -1132,7 +1132,7 @@ func TestLoadConfigFile_Disable_Keep_Alives_Auto_Auth(t *testing.T) { } } -func TestLoadConfigFile_Disable_Keep_Alives_Templating(t *testing.T) { +func TestLoadConfigFile_Disable_Idle_Conns_Templating(t *testing.T) { config, err := LoadConfig("./test-fixtures/config-disable-keep-alives-templating.hcl") if err != nil { t.Fatal(err) @@ -1142,10 +1142,10 @@ func TestLoadConfigFile_Disable_Keep_Alives_Templating(t *testing.T) { SharedConfig: &configutil.SharedConfig{ PidFile: "./pidfile", }, - DisableKeepAlives: "templating", - DisableKeepAlivesCaching: false, - DisableKeepAlivesAutoAuth: false, - DisableKeepAlivesTemplating: true, + DisableIdleConns: "templating", + DisableIdleConnsCaching: false, + DisableIdleConnsAutoAuth: false, + DisableIdleConnsTemplating: true, AutoAuth: &AutoAuth{ Method: &Method{ Type: "aws", @@ -1181,7 +1181,7 @@ func TestLoadConfigFile_Disable_Keep_Alives_Templating(t *testing.T) { } } -func TestLoadConfigFile_Disable_Keep_Alives_Caching(t *testing.T) { +func TestLoadConfigFile_Disable_Idle_Conns_Caching(t *testing.T) { config, err := LoadConfig("./test-fixtures/config-disable-keep-alives-caching.hcl") if err != nil { t.Fatal(err) @@ -1191,10 +1191,10 @@ func TestLoadConfigFile_Disable_Keep_Alives_Caching(t *testing.T) { SharedConfig: &configutil.SharedConfig{ PidFile: "./pidfile", }, - DisableKeepAlives: "caching", - DisableKeepAlivesCaching: true, - DisableKeepAlivesAutoAuth: false, - DisableKeepAlivesTemplating: false, + DisableIdleConns: "caching", + DisableIdleConnsCaching: true, + DisableIdleConnsAutoAuth: false, + DisableIdleConnsTemplating: false, AutoAuth: &AutoAuth{ Method: &Method{ Type: "aws", 
@@ -1230,7 +1230,7 @@ func TestLoadConfigFile_Disable_Keep_Alives_Caching(t *testing.T) { } } -func TestLoadConfigFile_Disable_Keep_Alives_Empty(t *testing.T) { +func TestLoadConfigFile_Disable_Idle_Conns_Empty(t *testing.T) { config, err := LoadConfig("./test-fixtures/config-disable-keep-alives-empty.hcl") if err != nil { t.Fatal(err) @@ -1240,10 +1240,10 @@ func TestLoadConfigFile_Disable_Keep_Alives_Empty(t *testing.T) { SharedConfig: &configutil.SharedConfig{ PidFile: "./pidfile", }, - DisableKeepAlives: "", - DisableKeepAlivesCaching: false, - DisableKeepAlivesAutoAuth: false, - DisableKeepAlivesTemplating: false, + DisableIdleConns: "", + DisableIdleConnsCaching: false, + DisableIdleConnsAutoAuth: false, + DisableIdleConnsTemplating: false, AutoAuth: &AutoAuth{ Method: &Method{ Type: "aws", diff --git a/command/agent/template/template.go b/command/agent/template/template.go index 13f736eee3d63..0fa1e9a0d2730 100644 --- a/command/agent/template/template.go +++ b/command/agent/template/template.go @@ -245,7 +245,10 @@ func newRunnerConfig(sc *ServerConfig, templates ctconfig.TemplateConfigs) (*ctc conf.Vault.DefaultLeaseDuration = &sc.AgentConfig.TemplateConfig.StaticSecretRenderInt } - conf.Vault.Transport.DisableKeepAlives = &sc.AgentConfig.DisableKeepAlivesTemplating + if sc.AgentConfig.DisableIdleConnsTemplating { + idleConns := -1 + conf.Vault.Transport.MaxIdleConns = &idleConns + } conf.Vault.SSL = &ctconfig.SSLConfig{ Enabled: pointerutil.BoolPtr(false), From 0cd832b4abdf2380509c0714111b34a074c84150 Mon Sep 17 00:00:00 2001 
From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Thu, 16 Jun 2022 14:52:59 -0400 Subject: [PATCH 05/10] Update tests and doc --- command/agent/config/config.go | 17 +++-- command/agent/config/config_test.go | 66 +++++++++++++++++-- ...> config-disable-idle-connections-all.hcl} | 2 +- ...ig-disable-idle-connections-auto-auth.hcl} | 2 +- ...nfig-disable-idle-connections-caching.hcl} | 2 +- ...config-disable-idle-connections-empty.hcl} | 2 +- ...g-disable-idle-connections-templating.hcl} | 2 +- website/content/docs/agent/index.mdx | 2 +- 8 files changed, 78 insertions(+), 17 deletions(-) rename command/agent/config/test-fixtures/{config-disable-keep-alives-all.hcl => config-disable-idle-connections-all.hcl} (85%) rename command/agent/config/test-fixtures/{config-disable-keep-alives-auto-auth.hcl => config-disable-idle-connections-auto-auth.hcl} (90%) rename command/agent/config/test-fixtures/{config-disable-keep-alives-templating.hcl => config-disable-idle-connections-caching.hcl} (90%) rename command/agent/config/test-fixtures/{config-disable-keep-alives-empty.hcl => config-disable-idle-connections-empty.hcl} (92%) rename command/agent/config/test-fixtures/{config-disable-keep-alives-caching.hcl => config-disable-idle-connections-templating.hcl} (90%) diff --git a/command/agent/config/config.go b/command/agent/config/config.go index fe9f82054fb08..c721c71428e75 100644 --- a/command/agent/config/config.go +++ b/command/agent/config/config.go @@ -36,6 +36,8 @@ type Config struct { DisableIdleConnsAutoAuth bool `hcl:"-"` } +const DisableIdleConnsEnv = "VAULT_AGENT_DISABLE_IDLE_CONNECTIONS" + func (c *Config) Prune() { for _, l := range c.Listeners { l.RawConfig = nil 
@@ -264,16 +266,21 @@ func LoadConfig(path string) (*Config, error) { result.Vault.Retry.NumRetries = 0 } + if disableIdleConnsEnv := os.Getenv(DisableIdleConnsEnv); disableIdleConnsEnv != "" { + result.DisableIdleConns = disableIdleConnsEnv + } + if result.DisableIdleConns != "" { - if strings.Contains(strings.ToLower(result.DisableIdleConns), "caching") { - result.DisableIdleConnsCaching = true + diableIdleConns := strings.ToLower(result.DisableIdleConns) + if strings.Contains(diableIdleConns, "auto-auth") { + result.DisableIdleConnsAutoAuth = true } - if strings.Contains(strings.ToLower(result.DisableIdleConns), "auto-auth") { - result.DisableIdleConnsAutoAuth = true + if strings.Contains(diableIdleConns, "caching") { + result.DisableIdleConnsCaching = true } - if strings.Contains(strings.ToLower(result.DisableIdleConns), "templating") { + if strings.Contains(diableIdleConns, "templating") { result.DisableIdleConnsTemplating = true } } diff --git a/command/agent/config/config_test.go b/command/agent/config/config_test.go index 2b7fdbe199136..0091e6093366f 100644 --- a/command/agent/config/config_test.go +++ b/command/agent/config/config_test.go @@ -1035,7 +1035,7 @@ func TestLoadConfigFile_EnforceConsistency(t *testing.T) { } func TestLoadConfigFile_Disable_Idle_Conns_All(t *testing.T) { - config, err := LoadConfig("./test-fixtures/config-disable-keep-alives-all.hcl") + config, err := LoadConfig("./test-fixtures/config-disable-idle-connections-all.hcl") if err != nil { t.Fatal(err) } @@ -1044,7 +1044,7 @@ func TestLoadConfigFile_Disable_Idle_Conns_All(t *testing.T) { SharedConfig: &configutil.SharedConfig{ PidFile: "./pidfile", }, - DisableIdleConns: "auto-auth,templating,caching", + DisableIdleConns: "auto-auth, caching, templating", DisableIdleConnsCaching: true, DisableIdleConnsAutoAuth: true, DisableIdleConnsTemplating: true, 
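Review bot: The local `diableIdleConns` in the LoadConfig hunk is misspelled and should be `disableIdleConns`. The new environment override silently replaces the file value, so an operator debugging an agent whose idle connections are unexpectedly off has nothing in the config pointing at VAULT_AGENT_DISABLE_IDLE_CONNECTIONS; a comment at the Getenv line, `// The environment variable takes precedence over disable_idle_connections in the config file.`, plus a sentence in the website doc would cover that. The exported `DisableIdleConnsEnv` constant in the earlier hunk (@@ -36) also needs a doc comment, e.g. `// DisableIdleConnsEnv names the environment variable that overrides the disable_idle_connections setting.`.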
@@ -1084,7 +1084,7 @@ func TestLoadConfigFile_Disable_Idle_Conns_All(t *testing.T) { } func TestLoadConfigFile_Disable_Idle_Conns_Auto_Auth(t *testing.T) { - config, err := LoadConfig("./test-fixtures/config-disable-keep-alives-auto-auth.hcl") + config, err := LoadConfig("./test-fixtures/config-disable-idle-connections-auto-auth.hcl") if err != nil { t.Fatal(err) } @@ -1133,7 +1133,7 @@ func TestLoadConfigFile_Disable_Idle_Conns_Auto_Auth(t *testing.T) { } func TestLoadConfigFile_Disable_Idle_Conns_Templating(t *testing.T) { - config, err := LoadConfig("./test-fixtures/config-disable-keep-alives-templating.hcl") + config, err := LoadConfig("./test-fixtures/config-disable-idle-connections-templating.hcl") if err != nil { t.Fatal(err) } @@ -1182,7 +1182,7 @@ func TestLoadConfigFile_Disable_Idle_Conns_Templating(t *testing.T) { } func TestLoadConfigFile_Disable_Idle_Conns_Caching(t *testing.T) { - config, err := LoadConfig("./test-fixtures/config-disable-keep-alives-caching.hcl") + config, err := LoadConfig("./test-fixtures/config-disable-idle-connections-caching.hcl") if err != nil { t.Fatal(err) } @@ -1231,7 +1231,7 @@ func TestLoadConfigFile_Disable_Idle_Conns_Caching(t *testing.T) { } func TestLoadConfigFile_Disable_Idle_Conns_Empty(t *testing.T) { - config, err := LoadConfig("./test-fixtures/config-disable-keep-alives-empty.hcl") + config, err := LoadConfig("./test-fixtures/config-disable-idle-connections-empty.hcl") if err != nil { t.Fatal(err) } 
@@ -1278,3 +1278,57 @@ func TestLoadConfigFile_Disable_Idle_Conns_Empty(t *testing.T) { t.Fatal(diff) } } + +func TestLoadConfigFile_Disable_Idle_Conns_Env(t *testing.T) { + err := os.Setenv(DisableIdleConnsEnv, "auto-auth, caching, templating") + if err != nil { + t.Fatal(err) + } + + config, err := LoadConfig("./test-fixtures/config-disable-idle-connections-empty.hcl") + if err != nil { + t.Fatal(err) + } + + expected := &Config{ + SharedConfig: &configutil.SharedConfig{ + PidFile: "./pidfile", + }, + DisableIdleConns: "auto-auth, caching, templating", + DisableIdleConnsCaching: true, + DisableIdleConnsAutoAuth: true, + DisableIdleConnsTemplating: true, + AutoAuth: &AutoAuth{ + Method: &Method{ + Type: "aws", + MountPath: "auth/aws", + Namespace: "my-namespace/", + Config: map[string]interface{}{ + "role": "foobar", + }, + }, + Sinks: []*Sink{ + { + Type: "file", + DHType: "curve25519", + DHPath: "/tmp/file-foo-dhpath", + AAD: "foobar", + Config: map[string]interface{}{ + "path": "/tmp/file-foo", + }, + }, + }, + }, + Vault: &Vault{ + Address: "http://127.0.0.1:1111", + Retry: &Retry{ + ctconfig.DefaultRetryAttempts, + }, + }, + } + + config.Prune() + if diff := deep.Equal(config, expected); diff != nil { + t.Fatal(diff) + } +} diff --git a/command/agent/config/test-fixtures/config-disable-keep-alives-all.hcl b/command/agent/config/test-fixtures/config-disable-idle-connections-all.hcl similarity index 85% rename from command/agent/config/test-fixtures/config-disable-keep-alives-all.hcl rename to command/agent/config/test-fixtures/config-disable-idle-connections-all.hcl index 9586931381ee1..0370828556b13 100644 --- a/command/agent/config/test-fixtures/config-disable-keep-alives-all.hcl +++ b/command/agent/config/test-fixtures/config-disable-idle-connections-all.hcl @@ -1,5 +1,5 @@ pid_file = "./pidfile" -disable_keep_alives = "auto-auth,templating,caching" +disable_idle_connections = "auto-auth, caching, templating" auto_auth { method { 
diff --git a/command/agent/config/test-fixtures/config-disable-keep-alives-auto-auth.hcl b/command/agent/config/test-fixtures/config-disable-idle-connections-auto-auth.hcl similarity index 90% rename from command/agent/config/test-fixtures/config-disable-keep-alives-auto-auth.hcl rename to command/agent/config/test-fixtures/config-disable-idle-connections-auto-auth.hcl index 7fdd59539feb9..493a09ae41dd2 100644 --- a/command/agent/config/test-fixtures/config-disable-keep-alives-auto-auth.hcl +++ b/command/agent/config/test-fixtures/config-disable-idle-connections-auto-auth.hcl @@ -1,5 +1,5 @@ pid_file = "./pidfile" -disable_keep_alives = "auto-auth" +disable_idle_connections = "auto-auth" auto_auth { method { diff --git a/command/agent/config/test-fixtures/config-disable-keep-alives-templating.hcl b/command/agent/config/test-fixtures/config-disable-idle-connections-caching.hcl similarity index 90% rename from command/agent/config/test-fixtures/config-disable-keep-alives-templating.hcl rename to command/agent/config/test-fixtures/config-disable-idle-connections-caching.hcl index 48b323d375c81..aeb71c37e4677 100644 --- a/command/agent/config/test-fixtures/config-disable-keep-alives-templating.hcl +++ b/command/agent/config/test-fixtures/config-disable-idle-connections-caching.hcl @@ -1,5 +1,5 @@ pid_file = "./pidfile" -disable_keep_alives = "templating" +disable_idle_connections = "caching" auto_auth { method { diff --git a/command/agent/config/test-fixtures/config-disable-keep-alives-empty.hcl b/command/agent/config/test-fixtures/config-disable-idle-connections-empty.hcl similarity index 92% rename from command/agent/config/test-fixtures/config-disable-keep-alives-empty.hcl rename to command/agent/config/test-fixtures/config-disable-idle-connections-empty.hcl index 5b1a7449144fb..013d0ece52cc1 100644 --- a/command/agent/config/test-fixtures/config-disable-keep-alives-empty.hcl +++ b/command/agent/config/test-fixtures/config-disable-idle-connections-empty.hcl 
@@ -1,5 +1,5 @@ pid_file = "./pidfile" -disable_keep_alives = "" +disable_idle_connections = "" auto_auth { method { diff --git a/command/agent/config/test-fixtures/config-disable-keep-alives-caching.hcl b/command/agent/config/test-fixtures/config-disable-idle-connections-templating.hcl similarity index 90% rename from command/agent/config/test-fixtures/config-disable-keep-alives-caching.hcl rename to command/agent/config/test-fixtures/config-disable-idle-connections-templating.hcl index 65765f9adb8a3..ae521c453a9ce 100644 --- a/command/agent/config/test-fixtures/config-disable-keep-alives-caching.hcl +++ b/command/agent/config/test-fixtures/config-disable-idle-connections-templating.hcl @@ -1,5 +1,5 @@ pid_file = "./pidfile" -disable_keep_alives = "caching" +disable_idle_connections = "templating" auto_auth { method { diff --git a/website/content/docs/agent/index.mdx b/website/content/docs/agent/index.mdx index e33ebcdf1a99f..97d8a3f0b9608 100644 --- a/website/content/docs/agent/index.mdx +++ b/website/content/docs/agent/index.mdx @@ -144,7 +144,7 @@ These are the currently-available general configuration option: with code `0` after a single successful auth, where success means that a token was retrieved and all sinks successfully wrote it -- `disable_keep_alives` `(string: "")` - A comma separated string that disables keep alives for various features in Vault Agent. +- `disable_idle_connections` `(string: "")` - A comma separated string that disables idle connections for various features in Vault Agent. Valid values include: `auto-auth`, `caching` and `templating`. - `template` ([template][template]: ) - Specifies options used for templating Vault secrets to files. From b61a25f4b7e7525f6612f0a68a4cc35e7c7a1907 Mon Sep 17 00:00:00 2001 
From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Thu, 16 Jun 2022 14:56:00 -0400 Subject: [PATCH 06/10] Add note about env --- website/content/docs/agent/index.mdx | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/website/content/docs/agent/index.mdx b/website/content/docs/agent/index.mdx index 97d8a3f0b9608..e4018ffb87086 100644 --- a/website/content/docs/agent/index.mdx +++ b/website/content/docs/agent/index.mdx @@ -145,7 +145,8 @@ These are the currently-available general configuration option: token was retrieved and all sinks successfully wrote it - `disable_idle_connections` `(string: "")` - A comma separated string that disables idle connections for various features in Vault Agent. - Valid values include: `auto-auth`, `caching` and `templating`. + Valid values include: `auto-auth`, `caching` and `templating`. Can additionally be configured by setting the `VAULT_AGENT_DISABLE_IDLE_CONNECTIONS` + environment variable and will be used instead of values found in configuration files. - `template` ([template][template]: ) - Specifies options used for templating Vault secrets to files. From e70477658789cad474ec4af9ac0f94a3b12a8c9e Mon Sep 17 00:00:00 2001 From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Thu, 16 Jun 2022 14:58:11 -0400 Subject: [PATCH 07/10] Changelog --- changelog/15986.txt | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 changelog/15986.txt diff --git a/changelog/15986.txt b/changelog/15986.txt new file mode 100644 index 0000000000000..663ccc8c9b411 --- /dev/null +++ b/changelog/15986.txt @@ -0,0 +1,2 @@ +```release-note:improvement +agent: Added `disable_idle_connections` configuration to disable leaving idle connections open in auto-auth, caching and templating. \ No newline at end of file From 3c8ec85b2169309d1cecd90870297bdf12753613 Mon Sep 17 00:00:00 2001 
From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Thu, 16 Jun 2022 15:23:34 -0400 Subject: [PATCH 08/10] Change to slice --- command/agent/config/config.go | 23 +++++++++---------- command/agent/config/config_test.go | 15 ++++++------ .../config-disable-idle-connections-all.hcl | 2 +- ...fig-disable-idle-connections-auto-auth.hcl | 2 +- ...onfig-disable-idle-connections-caching.hcl | 2 +- .../config-disable-idle-connections-empty.hcl | 2 +- ...ig-disable-idle-connections-templating.hcl | 2 +- website/content/docs/agent/index.mdx | 6 ++--- 8 files changed, 26 insertions(+), 28 deletions(-) diff --git a/command/agent/config/config.go b/command/agent/config/config.go index c721c71428e75..1a073309cd213 100644 --- a/command/agent/config/config.go +++ b/command/agent/config/config.go @@ -30,7 +30,7 @@ type Config struct { Vault *Vault `hcl:"vault"` TemplateConfig *TemplateConfig `hcl:"template_config"` Templates []*ctconfig.TemplateConfig `hcl:"templates"` - DisableIdleConns string `hcl:"disable_idle_connections"` + DisableIdleConns []string `hcl:"disable_idle_connections"` DisableIdleConnsCaching bool `hcl:"-"` DisableIdleConnsTemplating bool `hcl:"-"` DisableIdleConnsAutoAuth bool `hcl:"-"` 
@@ -267,24 +267,23 @@ func LoadConfig(path string) (*Config, error) { } if disableIdleConnsEnv := os.Getenv(DisableIdleConnsEnv); disableIdleConnsEnv != "" { - result.DisableIdleConns = disableIdleConnsEnv + result.DisableIdleConns, err = parseutil.ParseCommaStringSlice(strings.ToLower(disableIdleConnsEnv)) + if err != nil { + return nil, fmt.Errorf("error parsing environment variable %s: %v", DisableIdleConnsEnv, err) + } } - if result.DisableIdleConns != "" { - diableIdleConns := strings.ToLower(result.DisableIdleConns) - if strings.Contains(diableIdleConns, "auto-auth") { + for _, subsystem := range result.DisableIdleConns { + switch subsystem { + case "auto-auth": result.DisableIdleConnsAutoAuth = true - } - - if strings.Contains(diableIdleConns, "caching") { + case "caching": result.DisableIdleConnsCaching = true - } - - if strings.Contains(diableIdleConns, "templating") { + case "templating": result.DisableIdleConnsTemplating = true + } } - return result, nil } diff --git a/command/agent/config/config_test.go b/command/agent/config/config_test.go index 0091e6093366f..88e7cc6aa6f9f 100644 --- a/command/agent/config/config_test.go +++ b/command/agent/config/config_test.go @@ -1044,7 +1044,7 @@ func TestLoadConfigFile_Disable_Idle_Conns_All(t *testing.T) { SharedConfig: &configutil.SharedConfig{ PidFile: "./pidfile", }, - DisableIdleConns: "auto-auth, caching, templating", + DisableIdleConns: []string{"auto-auth", "caching", "templating"}, DisableIdleConnsCaching: true, DisableIdleConnsAutoAuth: true, DisableIdleConnsTemplating: true, @@ -1093,7 +1093,7 @@ func TestLoadConfigFile_Disable_Idle_Conns_Auto_Auth(t *testing.T) { SharedConfig: &configutil.SharedConfig{ PidFile: "./pidfile", }, - DisableIdleConns: "auto-auth", + DisableIdleConns: []string{"auto-auth"}, DisableIdleConnsCaching: false, DisableIdleConnsAutoAuth: true, DisableIdleConnsTemplating: false, 
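Review bot: The environment path lowercases its tokens (`parseutil.ParseCommaStringSlice(strings.ToLower(disableIdleConnsEnv))`) but the `for _, subsystem := range result.DisableIdleConns` loop compares file-supplied values exactly, so `"Caching"` is honoured when it comes from the variable and silently ignored when it comes from an HCL list; normalising in the loop, `switch strings.ToLower(subsystem) {`, keeps the two sources consistent (the `default:` error added in patch 10 later turns this into a hard failure for file values only). The parse error should also wrap the cause with `%w` rather than `%v` so callers can inspect it: `return nil, fmt.Errorf("error parsing environment variable %s: %w", DisableIdleConnsEnv, err)`. LoadConfig starts outside the hunk.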
@@ -1142,7 +1142,7 @@ func TestLoadConfigFile_Disable_Idle_Conns_Templating(t *testing.T) { SharedConfig: &configutil.SharedConfig{ PidFile: "./pidfile", }, - DisableIdleConns: "templating", + DisableIdleConns: []string{"templating"}, DisableIdleConnsCaching: false, DisableIdleConnsAutoAuth: false, DisableIdleConnsTemplating: true, @@ -1191,7 +1191,7 @@ func TestLoadConfigFile_Disable_Idle_Conns_Caching(t *testing.T) { SharedConfig: &configutil.SharedConfig{ PidFile: "./pidfile", }, - DisableIdleConns: "caching", + DisableIdleConns: []string{"caching"}, DisableIdleConnsCaching: true, DisableIdleConnsAutoAuth: false, DisableIdleConnsTemplating: false, @@ -1240,7 +1240,7 @@ func TestLoadConfigFile_Disable_Idle_Conns_Empty(t *testing.T) { SharedConfig: &configutil.SharedConfig{ PidFile: "./pidfile", }, - DisableIdleConns: "", + DisableIdleConns: []string{""}, DisableIdleConnsCaching: false, DisableIdleConnsAutoAuth: false, DisableIdleConnsTemplating: false, @@ -1280,11 +1280,10 @@ func TestLoadConfigFile_Disable_Idle_Conns_Empty(t *testing.T) { } func TestLoadConfigFile_Disable_Idle_Conns_Env(t *testing.T) { - err := os.Setenv(DisableIdleConnsEnv, "auto-auth, caching, templating") + err := os.Setenv(DisableIdleConnsEnv, "auto-auth,caching,templating") if err != nil { t.Fatal(err) } - config, err := LoadConfig("./test-fixtures/config-disable-idle-connections-empty.hcl") if err != nil { t.Fatal(err) @@ -1294,7 +1293,7 @@ func TestLoadConfigFile_Disable_Idle_Conns_Env(t *testing.T) { SharedConfig: &configutil.SharedConfig{ PidFile: "./pidfile", }, - DisableIdleConns: "auto-auth, caching, templating", + DisableIdleConns: []string{"auto-auth", "caching", "templating"}, DisableIdleConnsCaching: true, DisableIdleConnsAutoAuth: true, DisableIdleConnsTemplating: true, diff --git a/command/agent/config/test-fixtures/config-disable-idle-connections-all.hcl b/command/agent/config/test-fixtures/config-disable-idle-connections-all.hcl index 0370828556b13..69ff548f55614 100644 
--- a/command/agent/config/test-fixtures/config-disable-idle-connections-all.hcl +++ b/command/agent/config/test-fixtures/config-disable-idle-connections-all.hcl @@ -1,5 +1,5 @@ pid_file = "./pidfile" -disable_idle_connections = "auto-auth, caching, templating" +disable_idle_connections = ["auto-auth","caching","templating"] auto_auth { method { diff --git a/command/agent/config/test-fixtures/config-disable-idle-connections-auto-auth.hcl b/command/agent/config/test-fixtures/config-disable-idle-connections-auto-auth.hcl index 493a09ae41dd2..1a63b20480d4f 100644 --- a/command/agent/config/test-fixtures/config-disable-idle-connections-auto-auth.hcl +++ b/command/agent/config/test-fixtures/config-disable-idle-connections-auto-auth.hcl @@ -1,5 +1,5 @@ pid_file = "./pidfile" -disable_idle_connections = "auto-auth" +disable_idle_connections = ["auto-auth"] auto_auth { method { diff --git a/command/agent/config/test-fixtures/config-disable-idle-connections-caching.hcl b/command/agent/config/test-fixtures/config-disable-idle-connections-caching.hcl index aeb71c37e4677..30d0806c03371 100644 --- a/command/agent/config/test-fixtures/config-disable-idle-connections-caching.hcl +++ b/command/agent/config/test-fixtures/config-disable-idle-connections-caching.hcl @@ -1,5 +1,5 @@ pid_file = "./pidfile" -disable_idle_connections = "caching" +disable_idle_connections = ["caching"] auto_auth { method { diff --git a/command/agent/config/test-fixtures/config-disable-idle-connections-empty.hcl b/command/agent/config/test-fixtures/config-disable-idle-connections-empty.hcl index 013d0ece52cc1..7197750a864e6 100644 --- a/command/agent/config/test-fixtures/config-disable-idle-connections-empty.hcl +++ b/command/agent/config/test-fixtures/config-disable-idle-connections-empty.hcl @@ -1,5 +1,5 @@ pid_file = "./pidfile" -disable_idle_connections = "" +disable_idle_connections = [""] auto_auth { method { 
diff --git a/command/agent/config/test-fixtures/config-disable-idle-connections-templating.hcl b/command/agent/config/test-fixtures/config-disable-idle-connections-templating.hcl index ae521c453a9ce..922377fc82a96 100644 --- a/command/agent/config/test-fixtures/config-disable-idle-connections-templating.hcl +++ b/command/agent/config/test-fixtures/config-disable-idle-connections-templating.hcl @@ -1,5 +1,5 @@ pid_file = "./pidfile" -disable_idle_connections = "templating" +disable_idle_connections = ["templating"] auto_auth { method { diff --git a/website/content/docs/agent/index.mdx b/website/content/docs/agent/index.mdx index e4018ffb87086..6f7875f2f3db0 100644 --- a/website/content/docs/agent/index.mdx +++ b/website/content/docs/agent/index.mdx @@ -144,9 +144,9 @@ These are the currently-available general configuration option: with code `0` after a single successful auth, where success means that a token was retrieved and all sinks successfully wrote it -- `disable_idle_connections` `(string: "")` - A comma separated string that disables idle connections for various features in Vault Agent. - Valid values include: `auto-auth`, `caching` and `templating`. Can additionally be configured by setting the `VAULT_AGENT_DISABLE_IDLE_CONNECTIONS` - environment variable and will be used instead of values found in configuration files. +- `disable_idle_connections` `(string array: [])` - A list of strings that disables idle connections for various features in Vault Agent. + Valid values include: `auto-auth`, `caching` and `templating`. Can also be configured by setting the `VAULT_AGENT_DISABLE_IDLE_CONNECTIONS` + environment variable as a comma separated string. This environment variable will override any values found in a configuration file. - `template` ([template][template]: ) - Specifies options used for templating Vault secrets to files. From 99c4af2f0274df07881cb3353cf63a5374410552 Mon Sep 17 00:00:00 2001 
From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Thu, 16 Jun 2022 15:42:21 -0400 Subject: [PATCH 09/10] Remove unused disable keep alive methods --- api/client.go | 18 ------------------ 1 file changed, 18 deletions(-) diff --git a/api/client.go b/api/client.go index 83db209d47c28..957ba5d824980 100644 --- a/api/client.go +++ b/api/client.go @@ -720,24 +720,6 @@ func (c *Client) SetMaxRetries(retries int) { c.config.MaxRetries = retries } -func (c *Client) SetDisableKeepAlives(disable bool) { - c.modifyLock.RLock() - defer c.modifyLock.RUnlock() - c.config.modifyLock.Lock() - defer c.config.modifyLock.Unlock() - - c.config.HttpClient.Transport.(*http.Transport).DisableKeepAlives = disable -} - -func (c *Client) DisableKeepAlives() bool { - c.modifyLock.RLock() - defer c.modifyLock.RUnlock() - c.config.modifyLock.Lock() - defer c.config.modifyLock.Unlock() - - return c.config.HttpClient.Transport.(*http.Transport).DisableKeepAlives -} - func (c *Client) SetMaxIdleConnections(idle int) { c.modifyLock.RLock() defer c.modifyLock.RUnlock() From 5cbe7f428509d4bc45201bb97aa17ced1d0d20d6 Mon Sep 17 00:00:00 2001 From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Thu, 16 Jun 2022 15:52:16 -0400 Subject: [PATCH 10/10] Add invalid value test --- command/agent/config/config.go | 6 ++++- command/agent/config/config_test.go | 11 +++++++- .../bad-config-disable-idle-connections.hcl | 27 +++++++++++++++++++ .../config-disable-idle-connections-empty.hcl | 2 +- 4 files changed, 43 insertions(+), 3 deletions(-) create mode 100644 command/agent/config/test-fixtures/bad-config-disable-idle-connections.hcl diff --git a/command/agent/config/config.go b/command/agent/config/config.go index 1a073309cd213..8a28dcf631528 100644 --- a/command/agent/config/config.go +++ b/command/agent/config/config.go 
@@ -281,9 +281,13 @@ func LoadConfig(path string) (*Config, error) { result.DisableIdleConnsCaching = true case "templating": result.DisableIdleConnsTemplating = true - + case "": + continue + default: + return nil, fmt.Errorf("unknown disable_idle_connections value: %s", subsystem) } } + return result, nil } diff --git a/command/agent/config/config_test.go b/command/agent/config/config_test.go index 88e7cc6aa6f9f..c9728543c3b4d 100644 --- a/command/agent/config/config_test.go +++ b/command/agent/config/config_test.go @@ -1240,7 +1240,7 @@ func TestLoadConfigFile_Disable_Idle_Conns_Empty(t *testing.T) { SharedConfig: &configutil.SharedConfig{ PidFile: "./pidfile", }, - DisableIdleConns: []string{""}, + DisableIdleConns: []string{}, DisableIdleConnsCaching: false, DisableIdleConnsAutoAuth: false, DisableIdleConnsTemplating: false, @@ -1281,6 +1281,8 @@ func TestLoadConfigFile_Disable_Idle_Conns_Empty(t *testing.T) { func TestLoadConfigFile_Disable_Idle_Conns_Env(t *testing.T) { err := os.Setenv(DisableIdleConnsEnv, "auto-auth,caching,templating") + defer os.Unsetenv(DisableIdleConnsEnv) + if err != nil { t.Fatal(err) } @@ -1331,3 +1333,10 @@ func TestLoadConfigFile_Disable_Idle_Conns_Env(t *testing.T) { t.Fatal(diff) } } + +func TestLoadConfigFile_Bad_Value_Disable_Idle_Conns(t *testing.T) { + _, err := LoadConfig("./test-fixtures/bad-config-disable-idle-connections.hcl") + if err == nil { + t.Fatal("should have error, it didn't") + } +} diff --git a/command/agent/config/test-fixtures/bad-config-disable-idle-connections.hcl b/command/agent/config/test-fixtures/bad-config-disable-idle-connections.hcl new file mode 100644 index 0000000000000..c13c82520ee6b --- /dev/null +++ b/command/agent/config/test-fixtures/bad-config-disable-idle-connections.hcl 
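Review bot: The error under `default:` formats the rejected value with `%s`, which hides leading or trailing whitespace and makes an entry like `" caching"` from an HCL list look valid in the log; `return nil, fmt.Errorf("unknown disable_idle_connections value: %q", subsystem)` shows the offending token unambiguously. The `continue` under `case "":` is a no-op as the last statement of the loop body and can be dropped, leaving the empty case to document that blank entries are tolerated. LoadConfig starts and ends outside the hunk.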
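Review bot: `defer os.Unsetenv(DisableIdleConnsEnv)` in TestLoadConfigFile_Disable_Idle_Conns_Env does not restore a value the caller's environment already had, and the test still mutates process-wide state that any parallel test would observe; `t.Setenv(DisableIdleConnsEnv, "auto-auth,caching,templating")` (Go 1.17+) sets the variable, restores the previous value on cleanup, and fails fast if the test is marked parallel, which also removes the `err` check that the defer is now placed above. The same pattern would benefit the other tests in this file that read the variable, if any.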
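Review bot: `TestLoadConfigFile_Bad_Value_Disable_Idle_Conns` accepts any non-nil error, so a missing or syntactically broken fixture would pass it for the wrong reason rather than proving the `foo` entry was rejected; assert on the message, e.g. `if err == nil || !strings.Contains(err.Error(), "unknown disable_idle_connections value") { t.Fatalf("expected unknown-value error, got %v", err) }` (adding the `strings` import if the test file lacks it). The `DisableIdleConns: []string{}` expectation for the empty fixture is a non-nil empty slice, which `deep.Equal` presumably distinguishes from nil; worth confirming that an absent key also satisfies this test.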
@@ -0,0 +1,27 @@ +pid_file = "./pidfile" +disable_idle_connections = ["foo","caching","templating"] + +auto_auth { + method { + type = "aws" + namespace = "my-namespace/" + + config = { + role = "foobar" + } + } + + sink { + type = "file" + config = { + path = "/tmp/file-foo" + } + aad = "foobar" + dh_type = "curve25519" + dh_path = "/tmp/file-foo-dhpath" + } +} + +vault { + address = "http://127.0.0.1:1111" +} diff --git a/command/agent/config/test-fixtures/config-disable-idle-connections-empty.hcl b/command/agent/config/test-fixtures/config-disable-idle-connections-empty.hcl index 7197750a864e6..eb95310cedfff 100644 --- a/command/agent/config/test-fixtures/config-disable-idle-connections-empty.hcl +++ b/command/agent/config/test-fixtures/config-disable-idle-connections-empty.hcl @@ -1,5 +1,5 @@ pid_file = "./pidfile" -disable_idle_connections = [""] +disable_idle_connections = [] auto_auth { method {