Support disable_keep_alives

Follow up for hashicorp/vault#16479, which
added support for `disable_keep_alives`

This is used very similarly to `disable_idle_connections`, which was
added in #366

This adds the `disable_keep_alives` setting into the injected agent's
config, which can be specified per pod:

```yaml
metadata:
  annotations:
    vault.hashicorp.com/agent-disable-keep-alives: "auto-auth,caching,templating"
```

globally in the injector through the helm command when deploying:

```sh
helm install vault hashicorp/vault \
  --set injector.extraEnvironmentVars.AGENT_INJECT_DISABLE_KEEP_ALIVES="auto-auth\,caching\,templating"
```

or through the helm `values.yaml` file:

```yaml
injector:
  extraEnvironmentVars:
    AGENT_INJECT_DISABLE_KEEP_ALIVES: "auto-auth,caching,templating"
```

This was copied almost verbatim from #366, so thanks @tvoran :)

Co-authored-by: Theron Voran <[email protected]>

agent-inject/agent/agent.go

@@ -167,6 +167,9 @@ type Agent struct {
 	// DisableIdleConnections controls which Agent features have idle
 	// connections disabled
 	DisableIdleConnections []string
+
+	// DisableKeepAlives controls which Agent features have keep-alives disables.
+	DisableKeepAlives []string
 }
 
 type ServiceAccountTokenVolume struct {
@@ -471,6 +474,10 @@ func New(pod *corev1.Pod, patches []*jsonpatch.JsonPatchOperation) (*Agent, erro
 		agent.DisableIdleConnections = strings.Split(pod.Annotations[AnnotationAgentDisableIdleConnections], ",")
 	}
 
+	if pod.Annotations[AnnotationAgentDisableKeepAlives] != "" {
+		agent.DisableKeepAlives = strings.Split(pod.Annotations[AnnotationAgentDisableKeepAlives], ",")
+	}
+
 	return agent, nil
 }
 

agent-inject/agent/annotations.go

@@ -276,6 +276,11 @@ const (
 	// features in Vault Agent. Comma-separated string, with valid values auto-auth, caching,
 	// templating.
 	AnnotationAgentDisableIdleConnections = "vault.hashicorp.com/agent-disable-idle-connections"
+
+	// AnnotationAgentDisableKeepAlives specifies disabling keep-alives for various
+	// features in Vault Agent. Comma-separated string, with valid values auto-auth, caching,
+	// templating.
+	AnnotationAgentDisableKeepAlives = "vault.hashicorp.com/agent-disable-keep-alives"
 )
 
 type AgentConfig struct {
@@ -301,6 +306,7 @@ type AgentConfig struct {
 	AuthMinBackoff             string
 	AuthMaxBackoff             string
 	DisableIdleConnections     string
+	DisableKeepAlives          string
 }
 
 // Init configures the expected annotations required to create a new instance
@@ -501,6 +507,10 @@ func Init(pod *corev1.Pod, cfg AgentConfig) error {
 		pod.ObjectMeta.Annotations[AnnotationAgentDisableIdleConnections] = cfg.DisableIdleConnections
 	}
 
+	if _, ok := pod.ObjectMeta.Annotations[AnnotationAgentDisableKeepAlives]; !ok {
+		pod.ObjectMeta.Annotations[AnnotationAgentDisableKeepAlives] = cfg.DisableKeepAlives
+	}
+
 	return nil
 }
 

agent-inject/agent/annotations_test.go

@@ -1189,3 +1189,39 @@ func TestDisableIdleConnections(t *testing.T) {
 		})
 	}
 }
+
+func TestDisableKeepAlives(t *testing.T) {
+	tests := map[string]struct {
+		annotations   map[string]string
+		expectedValue []string
+	}{
+		"full list": {
+			annotations: map[string]string{
+				"vault.hashicorp.com/agent-disable-keep-alives": "auto-auth,caching,templating",
+			},
+			expectedValue: []string{"auto-auth", "caching", "templating"},
+		},
+		"one": {
+			annotations: map[string]string{
+				"vault.hashicorp.com/agent-disable-keep-alives": "auto-auth",
+			},
+			expectedValue: []string{"auto-auth"},
+		},
+		"none": {
+			annotations:   map[string]string{},
+			expectedValue: nil,
+		},
+	}
+	for name, tc := range tests {
+		t.Run(name, func(t *testing.T) {
+			pod := testPod(tc.annotations)
+			agentConfig := basicAgentConfig()
+			err := Init(pod, agentConfig)
+			require.NoError(t, err)
+			agent, err := New(pod, nil)
+			require.NoError(t, err)
+
+			assert.Equal(t, tc.expectedValue, agent.DisableKeepAlives)
+		})
+	}
+}

agent-inject/agent/config.go

@@ -28,6 +28,7 @@ type Config struct {
 	Cache                  *Cache          `json:"cache,omitempty"`
 	TemplateConfig         *TemplateConfig `json:"template_config,omitempty"`
 	DisableIdleConnections []string        `json:"disable_idle_connections,omitempty"`
+	DisableKeepAlives      []string        `json:"disable_keep_alives,omitempty"`
 }
 
 // Vault contains configuration for connecting to Vault servers
@@ -192,6 +193,7 @@ func (a *Agent) newConfig(init bool) ([]byte, error) {
 			StaticSecretRenderInterval: a.VaultAgentTemplateConfig.StaticSecretRenderInterval,
 		},
 		DisableIdleConnections: a.DisableIdleConnections,
+		DisableKeepAlives:      a.DisableKeepAlives,
 	}
 
 	if a.InjectToken {

agent-inject/handler.go

@@ -69,6 +69,7 @@ type Handler struct {
 	AuthMinBackoff             string
 	AuthMaxBackoff             string
 	DisableIdleConnections     string
+	DisableKeepAlives          string
 }
 
 // Handle is the http.HandlerFunc implementation that actually handles the
@@ -204,6 +205,7 @@ func (h *Handler) Mutate(req *admissionv1.AdmissionRequest) *admissionv1.Admissi
 		AuthMinBackoff:             h.AuthMinBackoff,
 		AuthMaxBackoff:             h.AuthMaxBackoff,
 		DisableIdleConnections:     h.DisableIdleConnections,
+		DisableKeepAlives:          h.DisableKeepAlives,
 	}
 	err = agent.Init(&pod, cfg)
 	if err != nil {

subcommand/injector/command.go

@@ -72,6 +72,7 @@ type Command struct {
 	flagAuthMinBackoff             string // Auth min backoff on failure
 	flagAuthMaxBackoff             string // Auth min backoff on failure
 	flagDisableIdleConnections     string // Idle connections control
+	flagDisableKeepAlives          string // Keep-alives control
 
 	flagSet *flag.FlagSet
 
@@ -209,6 +210,7 @@ func (c *Command) Run(args []string) int {
 		AuthMinBackoff:             c.flagAuthMinBackoff,
 		AuthMaxBackoff:             c.flagAuthMaxBackoff,
 		DisableIdleConnections:     c.flagDisableIdleConnections,
+		DisableKeepAlives:          c.flagDisableKeepAlives,
 	}
 
 	mux := http.NewServeMux()

subcommand/injector/flags.go

@@ -122,6 +122,9 @@ type Specification struct {
 
 	// DisableIdleConnections is the AGENT_INJECT_DISABLE_IDLE_CONNECTIONS environment variable
 	DisableIdleConnections string `split_words:"true"`
+
+	// DisableKeepAlives is the AGENT_INJECT_DISABLE_KEEP_ALIVES environment variable
+	DisableKeepAlives string `split_words:"true"`
 }
 
 func (c *Command) init() {
@@ -188,6 +191,8 @@ func (c *Command) init() {
 		"Sets the maximum backoff on auto-auth failure. Default is 5m")
 	c.flagSet.StringVar(&c.flagDisableIdleConnections, "disable-idle-connections", "",
 		"Comma-separated list of Vault features where idle connections should be disabled.")
+	c.flagSet.StringVar(&c.flagDisableKeepAlives, "disable-keep-alives", "",
+		"Comma-separated list of Vault features where keep-alives should be disabled.")
 
 	tlsVersions := []string{}
 	for v := range tlsutil.TLSLookup {
@@ -389,5 +394,9 @@ func (c *Command) parseEnvs() error {
 		c.flagDisableIdleConnections = envs.DisableIdleConnections
 	}
 
+	if envs.DisableKeepAlives != "" {
+		c.flagDisableKeepAlives = envs.DisableKeepAlives
+	}
+
 	return nil
 }

subcommand/injector/flags_test.go

@@ -137,6 +137,7 @@ func TestCommandEnvs(t *testing.T) {
 		{env: "AGENT_INJECT_AUTH_MIN_BACKOFF", value: "5s", cmdPtr: &cmd.flagAuthMinBackoff},
 		{env: "AGENT_INJECT_AUTH_MAX_BACKOFF", value: "5s", cmdPtr: &cmd.flagAuthMaxBackoff},
 		{env: "AGENT_INJECT_DISABLE_IDLE_CONNECTIONS", value: "auto-auth,caching,templating", cmdPtr: &cmd.flagDisableIdleConnections},
+		{env: "AGENT_INJECT_DISABLE_KEEP_ALIVES", value: "auto-auth,caching,templating", cmdPtr: &cmd.flagDisableKeepAlives},
 	}
 
 	for _, tt := range tests {