Feat: static_secret_render_interval

hashicorp · Aug 4, 2021 · af73a1e · af73a1e
1 parent 11bd8dc
commit af73a1e
Show file tree

Hide file tree

Showing 8 changed files with 178 additions and 122 deletions.
diff --git a/agent-inject/agent/agent.go b/agent-inject/agent/agent.go
@@ -4,33 +4,33 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	"strconv"
-	"strings"
-
 	"github.com/mattbaird/jsonpatch"
 	corev1 "k8s.io/api/core/v1"
+	"strconv"
+	"strings"
 )
 
 // TODO swap out 'github.com/mattbaird/jsonpatch' for 'github.com/evanphx/json-patch'
 
 const (
-	DefaultVaultImage                       = "hashicorp/vault:1.8.0"
-	DefaultVaultAuthType                    = "kubernetes"
-	DefaultVaultAuthPath                    = "auth/kubernetes"
-	DefaultAgentRunAsUser                   = 100
-	DefaultAgentRunAsGroup                  = 1000
-	DefaultAgentRunAsSameUser               = false
-	DefaultAgentAllowPrivilegeEscalation    = false
-	DefaultAgentDropCapabilities            = "ALL"
-	DefaultAgentSetSecurityContext          = true
-	DefaultAgentReadOnlyRoot                = true
-	DefaultAgentCacheEnable                 = "false"
-	DefaultAgentCacheUseAutoAuthToken       = "true"
-	DefaultAgentCacheListenerPort           = "8200"
-	DefaultAgentCacheExitOnErr              = false
-	DefaultAgentUseLeaderElector            = false
-	DefaultAgentInjectToken                 = false
-	DefaultTemplateConfigExitOnRetryFailure = true
+	DefaultVaultImage                               = "hashicorp/vault:1.8.0"
+	DefaultVaultAuthType                            = "kubernetes"
+	DefaultVaultAuthPath                            = "auth/kubernetes"
+	DefaultAgentRunAsUser                           = 100
+	DefaultAgentRunAsGroup                          = 1000
+	DefaultAgentRunAsSameUser                       = false
+	DefaultAgentAllowPrivilegeEscalation            = false
+	DefaultAgentDropCapabilities                    = "ALL"
+	DefaultAgentSetSecurityContext                  = true
+	DefaultAgentReadOnlyRoot                        = true
+	DefaultAgentCacheEnable                         = "false"
+	DefaultAgentCacheUseAutoAuthToken               = "true"
+	DefaultAgentCacheListenerPort                   = "8200"
+	DefaultAgentCacheExitOnErr                      = false
+	DefaultAgentUseLeaderElector                    = false
+	DefaultAgentInjectToken                         = false
+	DefaultTemplateConfigExitOnRetryFailure         = true
+	DefaultTemplateConfigStaticSecretRenderInterval = "5m"
 )
 
 // Agent is the top level structure holding all the
@@ -270,6 +270,10 @@ type VaultAgentTemplateConfig struct {
 	// ExitOnRetryFailure configures whether agent should exit after failing
 	// all its retry attempts when rendering templates
 	ExitOnRetryFailure bool
+
+	// StaticSecretRenderInterval If specified, configures how often
+	// Vault Agent Template should render non-leased secrets such as KV v2
+	StaticSecretRenderInterval string
 }
 
 // New creates a new instance of Agent by parsing all the Kubernetes annotations.
@@ -412,9 +416,14 @@ func New(pod *corev1.Pod, patches []*jsonpatch.JsonPatchOperation) (*Agent, erro
 	if err != nil {
 		return nil, err
 	}
+	staticSecretRenderInterval, err := agent.templateConfigStaticSecretRenderInterval()
+	if err != nil {
+		return nil, err
+	}
 
 	agent.VaultAgentTemplateConfig = VaultAgentTemplateConfig{
-		ExitOnRetryFailure: exitOnRetryFailure,
+		ExitOnRetryFailure:         exitOnRetryFailure,
+		StaticSecretRenderInterval: staticSecretRenderInterval,
 	}
 
 	return agent, nil

diff --git a/agent-inject/agent/annotations.go b/agent-inject/agent/annotations.go
@@ -231,26 +231,32 @@ const (
 	// will exit on template render failures once it has exhausted all its retry
 	// attempts. Defaults to true.
 	AnnotationTemplateConfigExitOnRetryFailure = "vault.hashicorp.com/template-config-exit-on-retry-failure"
+
+	// AnnotationTemplateConfigStaticSecretRenderInterval
+	// If specified, configures how often Vault Agent Template should render non-leased secrets such as KV v2.
+	// Defaults to 5 minutes.
+	AnnotationTemplateConfigStaticSecretRenderInterval = "vault.hashicorp.com/template-config-static-secret-render-interval"
 )
 
 type AgentConfig struct {
-	Image              string
-	Address            string
-	AuthType           string
-	AuthPath           string
-	Namespace          string
-	RevokeOnShutdown   bool
-	UserID             string
-	GroupID            string
-	SameID             bool
-	SetSecurityContext bool
-	ProxyAddress       string
-	DefaultTemplate    string
-	ResourceRequestCPU string
-	ResourceRequestMem string
-	ResourceLimitCPU   string
-	ResourceLimitMem   string
-	ExitOnRetryFailure bool
+	Image                      string
+	Address                    string
+	AuthType                   string
+	AuthPath                   string
+	Namespace                  string
+	RevokeOnShutdown           bool
+	UserID                     string
+	GroupID                    string
+	SameID                     bool
+	SetSecurityContext         bool
+	ProxyAddress               string
+	DefaultTemplate            string
+	ResourceRequestCPU         string
+	ResourceRequestMem         string
+	ResourceLimitCPU           string
+	ResourceLimitMem           string
+	ExitOnRetryFailure         bool
+	StaticSecretRenderInterval string
 }
 
 // Init configures the expected annotations required to create a new instance
@@ -402,6 +408,9 @@ func Init(pod *corev1.Pod, cfg AgentConfig) error {
 	if _, ok := pod.ObjectMeta.Annotations[AnnotationTemplateConfigExitOnRetryFailure]; !ok {
 		pod.ObjectMeta.Annotations[AnnotationTemplateConfigExitOnRetryFailure] = strconv.FormatBool(cfg.ExitOnRetryFailure)
 	}
+	if _, ok := pod.ObjectMeta.Annotations[AnnotationTemplateConfigStaticSecretRenderInterval]; !ok {
+		pod.ObjectMeta.Annotations[AnnotationTemplateConfigStaticSecretRenderInterval] = DefaultTemplateConfigStaticSecretRenderInterval
+	}
 
 	return nil
 }
@@ -600,6 +609,15 @@ func (a *Agent) templateConfigExitOnRetryFailure() (bool, error) {
 	return strconv.ParseBool(raw)
 }
 
+func (a *Agent) templateConfigStaticSecretRenderInterval() (string, error) {
+	raw, ok := a.Annotations[AnnotationTemplateConfigStaticSecretRenderInterval]
+	if !ok {
+		return DefaultTemplateConfigStaticSecretRenderInterval, nil
+	}
+
+	return raw, nil
+}
+
 func (a *Agent) cachePersist(cacheEnabled bool) bool {
 	if cacheEnabled && a.PrePopulate && !a.PrePopulateOnly {
 		return true

diff --git a/agent-inject/agent/config.go b/agent-inject/agent/config.go
@@ -103,7 +103,8 @@ type CachePersist struct {
 
 // TemplateConfig defines the configuration for template_config in Vault Agent
 type TemplateConfig struct {
-	ExitOnRetryFailure bool `json:"exit_on_retry_failure"`
+	ExitOnRetryFailure         bool   `json:"exit_on_retry_failure"`
+	StaticSecretRenderInterval string `json:"static_secret_render_interval"`
 }
 
 func (a *Agent) newTemplateConfigs() []*Template {
@@ -173,6 +174,7 @@ func (a *Agent) newConfig(init bool) ([]byte, error) {
 		Templates: a.newTemplateConfigs(),
 		TemplateConfig: &TemplateConfig{
 			ExitOnRetryFailure: a.VaultAgentTemplateConfig.ExitOnRetryFailure,
+			StaticSecretRenderInterval: a.VaultAgentTemplateConfig.StaticSecretRenderInterval,
 		},
 	}
 

diff --git a/agent-inject/agent/config_test.go b/agent-inject/agent/config_test.go
@@ -458,19 +458,31 @@ func TestConfigVaultAgentTemplateConfig(t *testing.T) {
 			map[string]string{
 				AnnotationTemplateConfigExitOnRetryFailure: "true",
 			},
-			&TemplateConfig{ExitOnRetryFailure: true},
+			&TemplateConfig{ExitOnRetryFailure: true, StaticSecretRenderInterval: "5m"},
 		},
 		{
 			"exit_on_retry_failure false",
 			map[string]string{
 				AnnotationTemplateConfigExitOnRetryFailure: "false",
 			},
-			&TemplateConfig{ExitOnRetryFailure: false},
+			&TemplateConfig{ExitOnRetryFailure: false, StaticSecretRenderInterval: "5m"},
 		},
 		{
 			"exit_on_retry_failure absent",
 			map[string]string{},
-			&TemplateConfig{ExitOnRetryFailure: true},
+			&TemplateConfig{ExitOnRetryFailure: true, StaticSecretRenderInterval: "5m"},
+		},
+		{
+			"static_secret_render_interval absent",
+			map[string]string{},
+			&TemplateConfig{ExitOnRetryFailure: true, StaticSecretRenderInterval: "5m"},
+		},
+		{
+			"static_secret_render_interval 10s",
+			map[string]string{
+				AnnotationTemplateConfigStaticSecretRenderInterval: "10s",
+			},
+			&TemplateConfig{ExitOnRetryFailure: true, StaticSecretRenderInterval: "10s"},
 		},
 	}
 

diff --git a/agent-inject/handler.go b/agent-inject/handler.go
@@ -35,25 +35,26 @@ var (
 type Handler struct {
 	// RequireAnnotation means that the annotation must be given to inject.
 	// If this is false, injection is default.
-	RequireAnnotation  bool
-	VaultAddress       string
-	VaultAuthType      string
-	VaultAuthPath      string
-	ProxyAddress       string
-	ImageVault         string
-	Clientset          *kubernetes.Clientset
-	Log                hclog.Logger
-	RevokeOnShutdown   bool
-	UserID             string
-	GroupID            string
-	SameID             bool
-	SetSecurityContext bool
-	DefaultTemplate    string
-	ResourceRequestCPU string
-	ResourceRequestMem string
-	ResourceLimitCPU   string
-	ResourceLimitMem   string
-	ExitOnRetryFailure bool
+	RequireAnnotation          bool
+	VaultAddress               string
+	VaultAuthType              string
+	VaultAuthPath              string
+	ProxyAddress               string
+	ImageVault                 string
+	Clientset                  *kubernetes.Clientset
+	Log                        hclog.Logger
+	RevokeOnShutdown           bool
+	UserID                     string
+	GroupID                    string
+	SameID                     bool
+	SetSecurityContext         bool
+	DefaultTemplate            string
+	ResourceRequestCPU         string
+	ResourceRequestMem         string
+	ResourceLimitCPU           string
+	ResourceLimitMem           string
+	ExitOnRetryFailure         bool
+	StaticSecretRenderInterval string
 }
 
 // Handle is the http.HandlerFunc implementation that actually handles the
@@ -149,23 +150,24 @@ func (h *Handler) Mutate(req *admissionv1.AdmissionRequest) *admissionv1.Admissi
 	h.Log.Debug("setting default annotations..")
 	var patches []*jsonpatch.JsonPatchOperation
 	cfg := agent.AgentConfig{
-		Image:              h.ImageVault,
-		Address:            h.VaultAddress,
-		AuthType:           h.VaultAuthType,
-		AuthPath:           h.VaultAuthPath,
-		ProxyAddress:       h.ProxyAddress,
-		Namespace:          req.Namespace,
-		RevokeOnShutdown:   h.RevokeOnShutdown,
-		UserID:             h.UserID,
-		GroupID:            h.GroupID,
-		SameID:             h.SameID,
-		SetSecurityContext: h.SetSecurityContext,
-		DefaultTemplate:    h.DefaultTemplate,
-		ResourceRequestCPU: h.ResourceRequestCPU,
-		ResourceRequestMem: h.ResourceRequestMem,
-		ResourceLimitCPU:   h.ResourceLimitCPU,
-		ResourceLimitMem:   h.ResourceLimitMem,
-		ExitOnRetryFailure: h.ExitOnRetryFailure,
+		Image:                      h.ImageVault,
+		Address:                    h.VaultAddress,
+		AuthType:                   h.VaultAuthType,
+		AuthPath:                   h.VaultAuthPath,
+		ProxyAddress:               h.ProxyAddress,
+		Namespace:                  req.Namespace,
+		RevokeOnShutdown:           h.RevokeOnShutdown,
+		UserID:                     h.UserID,
+		GroupID:                    h.GroupID,
+		SameID:                     h.SameID,
+		SetSecurityContext:         h.SetSecurityContext,
+		DefaultTemplate:            h.DefaultTemplate,
+		ResourceRequestCPU:         h.ResourceRequestCPU,
+		ResourceRequestMem:         h.ResourceRequestMem,
+		ResourceLimitCPU:           h.ResourceLimitCPU,
+		ResourceLimitMem:           h.ResourceLimitMem,
+		ExitOnRetryFailure:         h.ExitOnRetryFailure,
+		StaticSecretRenderInterval: h.StaticSecretRenderInterval,
 	}
 	err = agent.Init(&pod, cfg)
 	if err != nil {