Add LeaseRenewalThreshold to Agent Injector

CHANGELOG.md

@@ -1,4 +1,6 @@
 ## Unreleased
+Features:
+* Add support for `lease_renewal_threshold ` within Agent injector [GH-721](https://github.com/hashicorp/vault-k8s/pull/721)
 
 ## 1.6.1 (December 16, 2024)
 

agent-inject/agent/agent.go

@@ -17,26 +17,27 @@ import (
 )
 
 const (
-	DefaultVaultImage                       = "hashicorp/vault:1.18.2"
-	DefaultVaultAuthType                    = "kubernetes"
-	DefaultVaultAuthPath                    = "auth/kubernetes"
-	DefaultAgentRunAsUser                   = 100
-	DefaultAgentRunAsGroup                  = 1000
-	DefaultAgentRunAsSameUser               = false
-	DefaultAgentAllowPrivilegeEscalation    = false
-	DefaultAgentDropCapabilities            = "ALL"
-	DefaultAgentSetSecurityContext          = true
-	DefaultAgentReadOnlyRoot                = true
-	DefaultAgentCacheEnable                 = "false"
-	DefaultAgentCacheUseAutoAuthToken       = "true"
-	DefaultAgentCacheListenerPort           = "8200"
-	DefaultAgentCacheExitOnErr              = false
-	DefaultAgentUseLeaderElector            = false
-	DefaultAgentInjectToken                 = false
-	DefaultTemplateConfigExitOnRetryFailure = true
-	DefaultServiceAccountMount              = "/var/run/secrets/vault.hashicorp.com/serviceaccount"
-	DefaultEnableQuit                       = false
-	DefaultAutoAuthEnableOnExit             = false
+	DefaultVaultImage                          = "hashicorp/vault:1.18.2"
+	DefaultVaultAuthType                       = "kubernetes"
+	DefaultVaultAuthPath                       = "auth/kubernetes"
+	DefaultAgentRunAsUser                      = 100
+	DefaultAgentRunAsGroup                     = 1000
+	DefaultAgentRunAsSameUser                  = false
+	DefaultAgentAllowPrivilegeEscalation       = false
+	DefaultAgentDropCapabilities               = "ALL"
+	DefaultAgentSetSecurityContext             = true
+	DefaultAgentReadOnlyRoot                   = true
+	DefaultAgentCacheEnable                    = "false"
+	DefaultAgentCacheUseAutoAuthToken          = "true"
+	DefaultAgentCacheListenerPort              = "8200"
+	DefaultAgentCacheExitOnErr                 = false
+	DefaultAgentUseLeaderElector               = false
+	DefaultAgentInjectToken                    = false
+	DefaultTemplateConfigExitOnRetryFailure    = true
+	DefaultTemplateConfigLeaseRenewalThreshold = 0.9
+	DefaultServiceAccountMount                 = "/var/run/secrets/vault.hashicorp.com/serviceaccount"
+	DefaultEnableQuit                          = false
+	DefaultAutoAuthEnableOnExit                = false
 )
 
 // Agent is the top level structure holding all the
@@ -355,6 +356,11 @@ type VaultAgentTemplateConfig struct {
 	//  that the Vault Agent templating engine can use for a particular Vault host. This limit
 	//  includes connections in the dialing, active, and idle states.
 	MaxConnectionsPerHost int64
+
+	// LeaseRenewalThreshold configure how long Vault Agent's template
+	// engine should wait for to refresh dynamic, non-renewable leases, measured as
+	// a fraction of the lease duration.
+	LeaseRenewalThreshold float64
 }
 
 // New creates a new instance of Agent by parsing all the Kubernetes annotations.
@@ -526,10 +532,16 @@ func New(pod *corev1.Pod) (*Agent, error) {
 		return nil, err
 	}
 
+	leaseRenewalThreshold, err := agent.templateConfigLeaseRenewalThreshold()
+	if err != nil {
+		return nil, err
+	}
+
 	agent.VaultAgentTemplateConfig = VaultAgentTemplateConfig{
 		ExitOnRetryFailure:         exitOnRetryFailure,
 		StaticSecretRenderInterval: pod.Annotations[AnnotationTemplateConfigStaticSecretRenderInterval],
 		MaxConnectionsPerHost:      maxConnectionsPerHost,
+		LeaseRenewalThreshold:      leaseRenewalThreshold,
 	}
 
 	agent.EnableQuit, err = agent.getEnableQuit()

agent-inject/agent/annotations.go

@@ -295,6 +295,11 @@ const (
 	//  includes connections in the dialing, active, and idle states.
 	AnnotationTemplateConfigMaxConnectionsPerHost = "vault.hashicorp.com/template-max-connections-per-host"
 
+	// AnnotationTemplateConfigLeaseRenewalThreshold configure how long Vault Agent's template
+	// engine should wait for to refresh dynamic, non-renewable leases, measured as
+	// a fraction of the lease duration.
+	AnnotationTemplateConfigLeaseRenewalThreshold = "vault.hashicorp.com/template-config-lease-renewal-threshold"
+
 	// AnnotationAgentEnableQuit configures whether the quit endpoint is
 	// enabled in the injected agent config
 	AnnotationAgentEnableQuit = "vault.hashicorp.com/agent-enable-quit"
@@ -365,6 +370,7 @@ type AgentConfig struct {
 	ExitOnRetryFailure         bool
 	StaticSecretRenderInterval string
 	MaxConnectionsPerHost      int64
+	LeaseRenewalThreshold      float64
 	AuthMinBackoff             string
 	AuthMaxBackoff             string
 	DisableIdleConnections     string
@@ -553,6 +559,10 @@ func Init(pod *corev1.Pod, cfg AgentConfig) error {
 		pod.ObjectMeta.Annotations[AnnotationTemplateConfigMaxConnectionsPerHost] = strconv.FormatInt(cfg.MaxConnectionsPerHost, 10)
 	}
 
+	if _, ok := pod.ObjectMeta.Annotations[AnnotationTemplateConfigLeaseRenewalThreshold]; !ok {
+		pod.ObjectMeta.Annotations[AnnotationTemplateConfigLeaseRenewalThreshold] = strconv.FormatFloat(cfg.LeaseRenewalThreshold, 'f', 2, 64)
+	}
+
 	if minBackoffString, ok := pod.ObjectMeta.Annotations[AnnotationAgentAuthMinBackoff]; ok {
 		if minBackoffString != "" {
 			_, err := time.ParseDuration(minBackoffString)
@@ -865,6 +875,17 @@ func (a *Agent) templateConfigMaxConnectionsPerHost() (int64, error) {
 	return parseutil.ParseInt(raw)
 }
 
+func (a *Agent) templateConfigLeaseRenewalThreshold() (float64, error) {
+	raw, ok := a.Annotations[AnnotationTemplateConfigLeaseRenewalThreshold]
+	if !ok {
+		return DefaultTemplateConfigLeaseRenewalThreshold, nil
+	}
+
+	// TODO: use parseutil
+	// Dependency: https://github.com/hashicorp/go-secure-stdlib/issues/152
+	return strconv.ParseFloat(raw, 64)
+}
+
 func (a *Agent) getAutoAuthExitOnError() (bool, error) {
 	raw, ok := a.Annotations[AnnotationAgentAutoAuthExitOnError]
 	if !ok {

agent-inject/agent/annotations_test.go

@@ -23,23 +23,24 @@ import (
 
 func basicAgentConfig() AgentConfig {
 	return AgentConfig{
-		Image:              "foobar-image",
-		Address:            "http://foobar:8200",
-		AuthType:           DefaultVaultAuthType,
-		AuthPath:           "test",
-		Namespace:          "test",
-		RevokeOnShutdown:   true,
-		UserID:             "100",
-		GroupID:            "1000",
-		SameID:             DefaultAgentRunAsSameUser,
-		SetSecurityContext: DefaultAgentSetSecurityContext,
-		ProxyAddress:       "http://proxy:3128",
-		DefaultTemplate:    DefaultTemplateType,
-		ResourceRequestCPU: DefaultResourceRequestCPU,
-		ResourceRequestMem: DefaultResourceRequestMem,
-		ResourceLimitCPU:   DefaultResourceLimitCPU,
-		ResourceLimitMem:   DefaultResourceLimitMem,
-		ExitOnRetryFailure: DefaultTemplateConfigExitOnRetryFailure,
+		Image:                 "foobar-image",
+		Address:               "http://foobar:8200",
+		AuthType:              DefaultVaultAuthType,
+		AuthPath:              "test",
+		Namespace:             "test",
+		RevokeOnShutdown:      true,
+		UserID:                "100",
+		GroupID:               "1000",
+		SameID:                DefaultAgentRunAsSameUser,
+		SetSecurityContext:    DefaultAgentSetSecurityContext,
+		ProxyAddress:          "http://proxy:3128",
+		DefaultTemplate:       DefaultTemplateType,
+		ResourceRequestCPU:    DefaultResourceRequestCPU,
+		ResourceRequestMem:    DefaultResourceRequestMem,
+		ResourceLimitCPU:      DefaultResourceLimitCPU,
+		ResourceLimitMem:      DefaultResourceLimitMem,
+		ExitOnRetryFailure:    DefaultTemplateConfigExitOnRetryFailure,
+		LeaseRenewalThreshold: DefaultTemplateConfigLeaseRenewalThreshold,
 	}
 }
 

agent-inject/agent/config.go

@@ -122,9 +122,10 @@ type CachePersist struct {
 
 // TemplateConfig defines the configuration for template_config in Vault Agent
 type TemplateConfig struct {
-	ExitOnRetryFailure         bool   `json:"exit_on_retry_failure"`
-	StaticSecretRenderInterval string `json:"static_secret_render_interval,omitempty"`
-	MaxConnectionsPerHost      int64  `json:"max_connections_per_host,omitempty"`
+	ExitOnRetryFailure         bool    `json:"exit_on_retry_failure"`
+	StaticSecretRenderInterval string  `json:"static_secret_render_interval,omitempty"`
+	MaxConnectionsPerHost      int64   `json:"max_connections_per_host,omitempty"`
+	LeaseRenewalThreshold      float64 `json:"lease_renewal_threshold,omitempty"`
 }
 
 // Telemetry defines the configuration for agent telemetry in Vault Agent.
@@ -267,6 +268,7 @@ func (a *Agent) newConfig(init bool) ([]byte, error) {
 			ExitOnRetryFailure:         a.VaultAgentTemplateConfig.ExitOnRetryFailure,
 			StaticSecretRenderInterval: a.VaultAgentTemplateConfig.StaticSecretRenderInterval,
 			MaxConnectionsPerHost:      a.VaultAgentTemplateConfig.MaxConnectionsPerHost,
+			LeaseRenewalThreshold:      a.VaultAgentTemplateConfig.LeaseRenewalThreshold,
 		},
 		DisableIdleConnections: a.DisableIdleConnections,
 		DisableKeepAlives:      a.DisableKeepAlives,

agent-inject/agent/config_test.go

@@ -642,6 +642,7 @@ func TestConfigVaultAgentTemplateConfig(t *testing.T) {
 			&TemplateConfig{
 				ExitOnRetryFailure:    true,
 				MaxConnectionsPerHost: 0,
+				LeaseRenewalThreshold: 0.9,
 			},
 		},
 		{
@@ -652,6 +653,7 @@ func TestConfigVaultAgentTemplateConfig(t *testing.T) {
 			&TemplateConfig{
 				ExitOnRetryFailure:    false,
 				MaxConnectionsPerHost: 0,
+				LeaseRenewalThreshold: 0.9,
 			},
 		},
 		{
@@ -663,6 +665,7 @@ func TestConfigVaultAgentTemplateConfig(t *testing.T) {
 				ExitOnRetryFailure:         true,
 				StaticSecretRenderInterval: "10s",
 				MaxConnectionsPerHost:      0,
+				LeaseRenewalThreshold:      0.9,
 			},
 		},
 		{
@@ -673,6 +676,17 @@ func TestConfigVaultAgentTemplateConfig(t *testing.T) {
 			&TemplateConfig{
 				ExitOnRetryFailure:    true,
 				MaxConnectionsPerHost: 100,
+				LeaseRenewalThreshold: 0.9,
+			},
+		},
+		{
+			"lease_renewal_threshold 0.5",
+			map[string]string{
+				AnnotationTemplateConfigLeaseRenewalThreshold: "0.5",
+			},
+			&TemplateConfig{
+				ExitOnRetryFailure:    true,
+				LeaseRenewalThreshold: 0.5,
 			},
 		},
 		{
@@ -681,6 +695,7 @@ func TestConfigVaultAgentTemplateConfig(t *testing.T) {
 			&TemplateConfig{
 				ExitOnRetryFailure:    true,
 				MaxConnectionsPerHost: 0,
+				LeaseRenewalThreshold: 0.9,
 			},
 		},
 	}

agent-inject/handler.go

@@ -74,6 +74,7 @@ type Handler struct {
 	ExitOnRetryFailure         bool
 	StaticSecretRenderInterval string
 	MaxConnectionsPerHost      int64
+	LeaseRenewalThreshold      float64
 	AuthMinBackoff             string
 	AuthMaxBackoff             string
 	DisableIdleConnections     string
@@ -244,6 +245,7 @@ func (h *Handler) Mutate(req *admissionv1.AdmissionRequest) MutateResponse {
 		ExitOnRetryFailure:         h.ExitOnRetryFailure,
 		StaticSecretRenderInterval: h.StaticSecretRenderInterval,
 		MaxConnectionsPerHost:      h.MaxConnectionsPerHost,
+		LeaseRenewalThreshold:      h.LeaseRenewalThreshold,
 		AuthMinBackoff:             h.AuthMinBackoff,
 		AuthMaxBackoff:             h.AuthMaxBackoff,
 		DisableIdleConnections:     h.DisableIdleConnections,

subcommand/injector/command.go

@@ -45,44 +45,45 @@ import (
 type Command struct {
 	UI cli.Ui
 
-	flagListen                     string // Address of Vault Server
-	flagLogLevel                   string // Log verbosity
-	flagLogFormat                  string // Log format
-	flagCACertFile                 string // TLS CA Certificate to serve
-	flagCertFile                   string // TLS Certificate to serve
-	flagKeyFile                    string // TLS private key to serve
-	flagExitOnRetryFailure         bool   // Set template_config.exit_on_retry_failure on agent
-	flagStaticSecretRenderInterval string // Set template_config.static_secret_render_interval on agent
-	flagMaxConnectionsPerHost      int64  // Set template_config.max_connections_per_host on agent
-	flagAutoName                   string // MutatingWebhookConfiguration for updating
-	flagAutoHosts                  string // SANs for the auto-generated TLS cert.
-	flagVaultService               string // Name of the Vault service
-	flagVaultCACertBytes           string // CA Cert to trust for TLS with Vault.
-	flagProxyAddress               string // HTTP proxy address used to talk to the Vault service
-	flagVaultImage                 string // Name of the Vault Image to use
-	flagVaultAuthType              string // Type of Vault Auth Method to use
-	flagVaultAuthPath              string // Mount path of the Vault Auth Method
-	flagVaultNamespace             string // Vault enterprise namespace
-	flagRevokeOnShutdown           bool   // Revoke Vault Token on pod shutdown
-	flagRunAsUser                  string // User (uid) to run Vault agent as
-	flagRunAsGroup                 string // Group (gid) to run Vault agent as
-	flagRunAsSameUser              bool   // Run Vault agent as the User (uid) of the first application container
-	flagSetSecurityContext         bool   // Set SecurityContext in injected containers
-	flagTelemetryPath              string // Path under which to expose metrics
-	flagUseLeaderElector           bool   // Use leader elector code
-	flagDefaultTemplate            string // Toggles which default template to use
-	flagResourceRequestCPU         string // Set CPU request in the injected containers
-	flagResourceRequestMem         string // Set Memory request in the injected containers
-	flagResourceRequestEphemeral   string // Set Ephemeral Storage request in the injected containers
-	flagResourceLimitCPU           string // Set CPU limit in the injected containers
-	flagResourceLimitMem           string // Set Memory limit in the injected containers
-	flagResourceLimitEphemeral     string // Set Ephemeral storage limit in the injected containers
-	flagTLSMinVersion              string // Minimum TLS version supported by the webhook server
-	flagTLSCipherSuites            string // Comma-separated list of supported cipher suites
-	flagAuthMinBackoff             string // Auth min backoff on failure
-	flagAuthMaxBackoff             string // Auth min backoff on failure
-	flagDisableIdleConnections     string // Idle connections control
-	flagDisableKeepAlives          string // Keep-alives control
+	flagListen                     string  // Address of Vault Server
+	flagLogLevel                   string  // Log verbosity
+	flagLogFormat                  string  // Log format
+	flagCACertFile                 string  // TLS CA Certificate to serve
+	flagCertFile                   string  // TLS Certificate to serve
+	flagKeyFile                    string  // TLS private key to serve
+	flagExitOnRetryFailure         bool    // Set template_config.exit_on_retry_failure on agent
+	flagStaticSecretRenderInterval string  // Set template_config.static_secret_render_interval on agent
+	flagMaxConnectionsPerHost      int64   // Set template_config.max_connections_per_host on agent
+	flagLeaseRenewalThreshold      float64 // Set template_config.lease_renewal_threshold on agent
+	flagAutoName                   string  // MutatingWebhookConfiguration for updating
+	flagAutoHosts                  string  // SANs for the auto-generated TLS cert.
+	flagVaultService               string  // Name of the Vault service
+	flagVaultCACertBytes           string  // CA Cert to trust for TLS with Vault.
+	flagProxyAddress               string  // HTTP proxy address used to talk to the Vault service
+	flagVaultImage                 string  // Name of the Vault Image to use
+	flagVaultAuthType              string  // Type of Vault Auth Method to use
+	flagVaultAuthPath              string  // Mount path of the Vault Auth Method
+	flagVaultNamespace             string  // Vault enterprise namespace
+	flagRevokeOnShutdown           bool    // Revoke Vault Token on pod shutdown
+	flagRunAsUser                  string  // User (uid) to run Vault agent as
+	flagRunAsGroup                 string  // Group (gid) to run Vault agent as
+	flagRunAsSameUser              bool    // Run Vault agent as the User (uid) of the first application container
+	flagSetSecurityContext         bool    // Set SecurityContext in injected containers
+	flagTelemetryPath              string  // Path under which to expose metrics
+	flagUseLeaderElector           bool    // Use leader elector code
+	flagDefaultTemplate            string  // Toggles which default template to use
+	flagResourceRequestCPU         string  // Set CPU request in the injected containers
+	flagResourceRequestMem         string  // Set Memory request in the injected containers
+	flagResourceRequestEphemeral   string  // Set Ephemeral Storage request in the injected containers
+	flagResourceLimitCPU           string  // Set CPU limit in the injected containers
+	flagResourceLimitMem           string  // Set Memory limit in the injected containers
+	flagResourceLimitEphemeral     string  // Set Ephemeral storage limit in the injected containers
+	flagTLSMinVersion              string  // Minimum TLS version supported by the webhook server
+	flagTLSCipherSuites            string  // Comma-separated list of supported cipher suites
+	flagAuthMinBackoff             string  // Auth min backoff on failure
+	flagAuthMaxBackoff             string  // Auth min backoff on failure
+	flagDisableIdleConnections     string  // Idle connections control
+	flagDisableKeepAlives          string  // Keep-alives control
 
 	flagSet *flag.FlagSet
 
@@ -222,6 +223,7 @@ func (c *Command) Run(args []string) int {
 		ExitOnRetryFailure:         c.flagExitOnRetryFailure,
 		StaticSecretRenderInterval: c.flagStaticSecretRenderInterval,
 		MaxConnectionsPerHost:      c.flagMaxConnectionsPerHost,
+		LeaseRenewalThreshold:      c.flagLeaseRenewalThreshold,
 		AuthMinBackoff:             c.flagAuthMinBackoff,
 		AuthMaxBackoff:             c.flagAuthMaxBackoff,
 		DisableIdleConnections:     c.flagDisableIdleConnections,

subcommand/injector/flags.go

@@ -50,6 +50,10 @@ type Specification struct {
 	// AGENT_INJECT_TEMPLATE_MAX_CONNECTIONS_PER_HOST environment variable.
 	TemplateConfigMaxConnectionsPerHost string `envconfig:"AGENT_INJECT_TEMPLATE_MAX_CONNECTIONS_PER_HOST"`
 
+	// TemplateConfigLeaseRenewalThreshold is the
+	// AGENT_INJECT_TEMPLATE_LEASE_RENEWAL_THRESHOLD environment variable.
+	TemplateConfigLeaseRenewalThreshold string `envconfig:"AGENT_INJECT_TEMPLATE_LEASE_RENEWAL_THRESHOLD"`
+
 	// TLSAuto is the AGENT_INJECT_TLS_AUTO environment variable.
 	TLSAuto string `envconfig:"tls_auto"`
 
@@ -161,6 +165,8 @@ func (c *Command) init() {
 		fmt.Sprintf("Value for Agent's template_config.exit_on_retry_failure. Defaults to %t.", agent.DefaultTemplateConfigExitOnRetryFailure))
 	c.flagSet.StringVar(&c.flagStaticSecretRenderInterval, "template-static-secret-render-interval", "",
 		"Value for Agent's template_config.exit_on_retry_failure.")
+	c.flagSet.Float64Var(&c.flagLeaseRenewalThreshold, "template-config-lease-renewal-threshold", agent.DefaultTemplateConfigLeaseRenewalThreshold,
+		"Value for Agent's template_config.lease_renewal_threshold.")
 	c.flagSet.StringVar(&c.flagAutoName, "tls-auto", "",
 		"MutatingWebhookConfiguration name. If specified, will auto generate cert bundle.")
 	c.flagSet.StringVar(&c.flagAutoHosts, "tls-auto-hosts", "",
@@ -298,6 +304,15 @@ func (c *Command) parseEnvs() error {
 		}
 	}
 
+	if envs.TemplateConfigLeaseRenewalThreshold != "" {
+		// TODO: use parseutil
+		// Dependency: https://github.com/hashicorp/go-secure-stdlib/issues/152
+		c.flagLeaseRenewalThreshold, err = strconv.ParseFloat(envs.TemplateConfigLeaseRenewalThreshold, 64)
+		if err != nil {
+			return err
+		}
+	}
+
 	if envs.TLSAuto != "" {
 		c.flagAutoName = envs.TLSAuto
 	}