Feat: static_secret_render_interval (hashicorp#276)

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>

agent-inject/agent/agent.go

@@ -273,6 +273,10 @@ type VaultAgentTemplateConfig struct {
 	// ExitOnRetryFailure configures whether agent should exit after failing
 	// all its retry attempts when rendering templates
 	ExitOnRetryFailure bool
+
+	// StaticSecretRenderInterval If specified, configures how often
+	// Vault Agent Template should render non-leased secrets such as KV v2
+	StaticSecretRenderInterval string
 }
 
 // New creates a new instance of Agent by parsing all the Kubernetes annotations.
@@ -417,7 +421,8 @@ func New(pod *corev1.Pod, patches []*jsonpatch.JsonPatchOperation) (*Agent, erro
 	}
 
 	agent.VaultAgentTemplateConfig = VaultAgentTemplateConfig{
-		ExitOnRetryFailure: exitOnRetryFailure,
+		ExitOnRetryFailure:         exitOnRetryFailure,
+		StaticSecretRenderInterval: pod.Annotations[AnnotationTemplateConfigStaticSecretRenderInterval],
 	}
 
 	return agent, nil

agent-inject/agent/annotations.go

@@ -239,26 +239,32 @@ const (
 	// will exit on template render failures once it has exhausted all its retry
 	// attempts. Defaults to true.
 	AnnotationTemplateConfigExitOnRetryFailure = "vault.hashicorp.com/template-config-exit-on-retry-failure"
+
+	// AnnotationTemplateConfigStaticSecretRenderInterval
+	// If specified, configures how often Vault Agent Template should render non-leased secrets such as KV v2.
+	// Defaults to 5 minutes.
+	AnnotationTemplateConfigStaticSecretRenderInterval = "vault.hashicorp.com/template-static-secret-render-interval"
 )
 
 type AgentConfig struct {
-	Image              string
-	Address            string
-	AuthType           string
-	AuthPath           string
-	Namespace          string
-	RevokeOnShutdown   bool
-	UserID             string
-	GroupID            string
-	SameID             bool
-	SetSecurityContext bool
-	ProxyAddress       string
-	DefaultTemplate    string
-	ResourceRequestCPU string
-	ResourceRequestMem string
-	ResourceLimitCPU   string
-	ResourceLimitMem   string
-	ExitOnRetryFailure bool
+	Image                      string
+	Address                    string
+	AuthType                   string
+	AuthPath                   string
+	Namespace                  string
+	RevokeOnShutdown           bool
+	UserID                     string
+	GroupID                    string
+	SameID                     bool
+	SetSecurityContext         bool
+	ProxyAddress               string
+	DefaultTemplate            string
+	ResourceRequestCPU         string
+	ResourceRequestMem         string
+	ResourceLimitCPU           string
+	ResourceLimitMem           string
+	ExitOnRetryFailure         bool
+	StaticSecretRenderInterval string
 }
 
 // Init configures the expected annotations required to create a new instance
@@ -410,6 +416,9 @@ func Init(pod *corev1.Pod, cfg AgentConfig) error {
 	if _, ok := pod.ObjectMeta.Annotations[AnnotationTemplateConfigExitOnRetryFailure]; !ok {
 		pod.ObjectMeta.Annotations[AnnotationTemplateConfigExitOnRetryFailure] = strconv.FormatBool(cfg.ExitOnRetryFailure)
 	}
+	if _, ok := pod.ObjectMeta.Annotations[AnnotationTemplateConfigStaticSecretRenderInterval]; !ok {
+		pod.ObjectMeta.Annotations[AnnotationTemplateConfigStaticSecretRenderInterval] = cfg.StaticSecretRenderInterval
+	}
 
 	return nil
 }

agent-inject/agent/config.go

@@ -104,7 +104,8 @@ type CachePersist struct {
 
 // TemplateConfig defines the configuration for template_config in Vault Agent
 type TemplateConfig struct {
-	ExitOnRetryFailure bool `json:"exit_on_retry_failure"`
+	ExitOnRetryFailure         bool   `json:"exit_on_retry_failure"`
+	StaticSecretRenderInterval string `json:"static_secret_render_interval,omitempty"`
 }
 
 func (a *Agent) newTemplateConfigs() []*Template {
@@ -177,6 +178,7 @@ func (a *Agent) newConfig(init bool) ([]byte, error) {
 		Templates: a.newTemplateConfigs(),
 		TemplateConfig: &TemplateConfig{
 			ExitOnRetryFailure: a.VaultAgentTemplateConfig.ExitOnRetryFailure,
+			StaticSecretRenderInterval: a.VaultAgentTemplateConfig.StaticSecretRenderInterval,
 		},
 	}
 

agent-inject/agent/config_test.go

@@ -560,7 +560,14 @@ func TestConfigVaultAgentTemplateConfig(t *testing.T) {
 			&TemplateConfig{ExitOnRetryFailure: false},
 		},
 		{
-			"exit_on_retry_failure absent",
+			"static_secret_render_interval 10s",
+			map[string]string{
+				AnnotationTemplateConfigStaticSecretRenderInterval: "10s",
+			},
+			&TemplateConfig{ExitOnRetryFailure: true, StaticSecretRenderInterval: "10s"},
+		},
+		{
+			"template_config_empty",
 			map[string]string{},
 			&TemplateConfig{ExitOnRetryFailure: true},
 		},

agent-inject/handler.go

@@ -35,25 +35,26 @@ var (
 type Handler struct {
 	// RequireAnnotation means that the annotation must be given to inject.
 	// If this is false, injection is default.
-	RequireAnnotation  bool
-	VaultAddress       string
-	VaultAuthType      string
-	VaultAuthPath      string
-	ProxyAddress       string
-	ImageVault         string
-	Clientset          *kubernetes.Clientset
-	Log                hclog.Logger
-	RevokeOnShutdown   bool
-	UserID             string
-	GroupID            string
-	SameID             bool
-	SetSecurityContext bool
-	DefaultTemplate    string
-	ResourceRequestCPU string
-	ResourceRequestMem string
-	ResourceLimitCPU   string
-	ResourceLimitMem   string
-	ExitOnRetryFailure bool
+	RequireAnnotation          bool
+	VaultAddress               string
+	VaultAuthType              string
+	VaultAuthPath              string
+	ProxyAddress               string
+	ImageVault                 string
+	Clientset                  *kubernetes.Clientset
+	Log                        hclog.Logger
+	RevokeOnShutdown           bool
+	UserID                     string
+	GroupID                    string
+	SameID                     bool
+	SetSecurityContext         bool
+	DefaultTemplate            string
+	ResourceRequestCPU         string
+	ResourceRequestMem         string
+	ResourceLimitCPU           string
+	ResourceLimitMem           string
+	ExitOnRetryFailure         bool
+	StaticSecretRenderInterval string
 }
 
 // Handle is the http.HandlerFunc implementation that actually handles the
@@ -149,23 +150,24 @@ func (h *Handler) Mutate(req *admissionv1.AdmissionRequest) *admissionv1.Admissi
 	h.Log.Debug("setting default annotations..")
 	var patches []*jsonpatch.JsonPatchOperation
 	cfg := agent.AgentConfig{
-		Image:              h.ImageVault,
-		Address:            h.VaultAddress,
-		AuthType:           h.VaultAuthType,
-		AuthPath:           h.VaultAuthPath,
-		ProxyAddress:       h.ProxyAddress,
-		Namespace:          req.Namespace,
-		RevokeOnShutdown:   h.RevokeOnShutdown,
-		UserID:             h.UserID,
-		GroupID:            h.GroupID,
-		SameID:             h.SameID,
-		SetSecurityContext: h.SetSecurityContext,
-		DefaultTemplate:    h.DefaultTemplate,
-		ResourceRequestCPU: h.ResourceRequestCPU,
-		ResourceRequestMem: h.ResourceRequestMem,
-		ResourceLimitCPU:   h.ResourceLimitCPU,
-		ResourceLimitMem:   h.ResourceLimitMem,
-		ExitOnRetryFailure: h.ExitOnRetryFailure,
+		Image:                      h.ImageVault,
+		Address:                    h.VaultAddress,
+		AuthType:                   h.VaultAuthType,
+		AuthPath:                   h.VaultAuthPath,
+		ProxyAddress:               h.ProxyAddress,
+		Namespace:                  req.Namespace,
+		RevokeOnShutdown:           h.RevokeOnShutdown,
+		UserID:                     h.UserID,
+		GroupID:                    h.GroupID,
+		SameID:                     h.SameID,
+		SetSecurityContext:         h.SetSecurityContext,
+		DefaultTemplate:            h.DefaultTemplate,
+		ResourceRequestCPU:         h.ResourceRequestCPU,
+		ResourceRequestMem:         h.ResourceRequestMem,
+		ResourceLimitCPU:           h.ResourceLimitCPU,
+		ResourceLimitMem:           h.ResourceLimitMem,
+		ExitOnRetryFailure:         h.ExitOnRetryFailure,
+		StaticSecretRenderInterval: h.StaticSecretRenderInterval,
 	}
 	err = agent.Init(&pod, cfg)
 	if err != nil {

subcommand/injector/command.go

@@ -34,31 +34,32 @@ import (
 type Command struct {
 	UI cli.Ui
 
-	flagListen             string // Address of Vault Server
-	flagLogLevel           string // Log verbosity
-	flagLogFormat          string // Log format
-	flagCertFile           string // TLS Certificate to serve
-	flagKeyFile            string // TLS private key to serve
-	flagExitOnRetryFailure bool   // Set template_config.exit_on_retry_failure on agent
-	flagAutoName           string // MutatingWebhookConfiguration for updating
-	flagAutoHosts          string // SANs for the auto-generated TLS cert.
-	flagVaultService       string // Name of the Vault service
-	flagProxyAddress       string // HTTP proxy address used to talk to the Vault service
-	flagVaultImage         string // Name of the Vault Image to use
-	flagVaultAuthType      string // Type of Vault Auth Method to use
-	flagVaultAuthPath      string // Mount path of the Vault Auth Method
-	flagRevokeOnShutdown   bool   // Revoke Vault Token on pod shutdown
-	flagRunAsUser          string // User (uid) to run Vault agent as
-	flagRunAsGroup         string // Group (gid) to run Vault agent as
-	flagRunAsSameUser      bool   // Run Vault agent as the User (uid) of the first application container
-	flagSetSecurityContext bool   // Set SecurityContext in injected containers
-	flagTelemetryPath      string // Path under which to expose metrics
-	flagUseLeaderElector   bool   // Use leader elector code
-	flagDefaultTemplate    string // Toggles which default template to use
-	flagResourceRequestCPU string // Set CPU request in the injected containers
-	flagResourceRequestMem string // Set Memory request in the injected containers
-	flagResourceLimitCPU   string // Set CPU limit in the injected containers
-	flagResourceLimitMem   string // Set Memory limit in the injected containers
+	flagListen                     string // Address of Vault Server
+	flagLogLevel                   string // Log verbosity
+	flagLogFormat                  string // Log format
+	flagCertFile                   string // TLS Certificate to serve
+	flagKeyFile                    string // TLS private key to serve
+	flagExitOnRetryFailure         bool   // Set template_config.exit_on_retry_failure on agent
+	flagStaticSecretRenderInterval string // Set template_config.static_secret_render_interval on agent
+	flagAutoName                   string // MutatingWebhookConfiguration for updating
+	flagAutoHosts                  string // SANs for the auto-generated TLS cert.
+	flagVaultService               string // Name of the Vault service
+	flagProxyAddress               string // HTTP proxy address used to talk to the Vault service
+	flagVaultImage                 string // Name of the Vault Image to use
+	flagVaultAuthType              string // Type of Vault Auth Method to use
+	flagVaultAuthPath              string // Mount path of the Vault Auth Method
+	flagRevokeOnShutdown           bool   // Revoke Vault Token on pod shutdown
+	flagRunAsUser                  string // User (uid) to run Vault agent as
+	flagRunAsGroup                 string // Group (gid) to run Vault agent as
+	flagRunAsSameUser              bool   // Run Vault agent as the User (uid) of the first application container
+	flagSetSecurityContext         bool   // Set SecurityContext in injected containers
+	flagTelemetryPath              string // Path under which to expose metrics
+	flagUseLeaderElector           bool   // Use leader elector code
+	flagDefaultTemplate            string // Toggles which default template to use
+	flagResourceRequestCPU         string // Set CPU request in the injected containers
+	flagResourceRequestMem         string // Set Memory request in the injected containers
+	flagResourceLimitCPU           string // Set CPU limit in the injected containers
+	flagResourceLimitMem           string // Set Memory limit in the injected containers
 
 	flagSet *flag.FlagSet
 
@@ -160,25 +161,26 @@ func (c *Command) Run(args []string) int {
 
 	// Build the HTTP handler and server
 	injector := agentInject.Handler{
-		VaultAddress:       c.flagVaultService,
-		VaultAuthType:      c.flagVaultAuthType,
-		VaultAuthPath:      c.flagVaultAuthPath,
-		ProxyAddress:       c.flagProxyAddress,
-		ImageVault:         c.flagVaultImage,
-		Clientset:          clientset,
-		RequireAnnotation:  true,
-		Log:                logger,
-		RevokeOnShutdown:   c.flagRevokeOnShutdown,
-		UserID:             c.flagRunAsUser,
-		GroupID:            c.flagRunAsGroup,
-		SameID:             c.flagRunAsSameUser,
-		SetSecurityContext: c.flagSetSecurityContext,
-		DefaultTemplate:    c.flagDefaultTemplate,
-		ResourceRequestCPU: c.flagResourceRequestCPU,
-		ResourceRequestMem: c.flagResourceRequestMem,
-		ResourceLimitCPU:   c.flagResourceLimitCPU,
-		ResourceLimitMem:   c.flagResourceLimitMem,
-		ExitOnRetryFailure: c.flagExitOnRetryFailure,
+		VaultAddress:               c.flagVaultService,
+		VaultAuthType:              c.flagVaultAuthType,
+		VaultAuthPath:              c.flagVaultAuthPath,
+		ProxyAddress:               c.flagProxyAddress,
+		ImageVault:                 c.flagVaultImage,
+		Clientset:                  clientset,
+		RequireAnnotation:          true,
+		Log:                        logger,
+		RevokeOnShutdown:           c.flagRevokeOnShutdown,
+		UserID:                     c.flagRunAsUser,
+		GroupID:                    c.flagRunAsGroup,
+		SameID:                     c.flagRunAsSameUser,
+		SetSecurityContext:         c.flagSetSecurityContext,
+		DefaultTemplate:            c.flagDefaultTemplate,
+		ResourceRequestCPU:         c.flagResourceRequestCPU,
+		ResourceRequestMem:         c.flagResourceRequestMem,
+		ResourceLimitCPU:           c.flagResourceLimitCPU,
+		ResourceLimitMem:           c.flagResourceLimitMem,
+		ExitOnRetryFailure:         c.flagExitOnRetryFailure,
+		StaticSecretRenderInterval: c.flagStaticSecretRenderInterval,
 	}
 
 	mux := http.NewServeMux()

subcommand/injector/flags.go

@@ -34,6 +34,10 @@ type Specification struct {
 	// AGENT_INJECT_TEMPLATE_CONFIG_EXIT_ON_RETRY_FAILURE environment variable.
 	TemplateConfigExitOnRetryFailure string `split_words:"true"`
 
+	// TemplateConfigStaticSecretRenderInterval is the
+	// AGENT_INJECT_TEMPLATE_STATIC_SECRET_RENDER_INTERVAL environment variable.
+	TemplateConfigStaticSecretRenderInterval string `envconfig:"AGENT_INJECT_TEMPLATE_STATIC_SECRET_RENDER_INTERVAL"`
+
 	// TLSAuto is the AGENT_INJECT_TLS_AUTO environment variable.
 	TLSAuto string `envconfig:"tls_auto"`
 
@@ -107,6 +111,8 @@ func (c *Command) init() {
 		`Supported log formats: "standard", "json".`)
 	c.flagSet.BoolVar(&c.flagExitOnRetryFailure, "template-config-exit-on-retry-failure", agent.DefaultTemplateConfigExitOnRetryFailure,
 		fmt.Sprintf("Value for Agent's template_config.exit_on_retry_failure. Defaults to %t.", agent.DefaultTemplateConfigExitOnRetryFailure))
+	c.flagSet.StringVar(&c.flagStaticSecretRenderInterval, "template-static-secret-render-interval", "",
+		"Value for Agent's template_config.exit_on_retry_failure.")
 	c.flagSet.StringVar(&c.flagAutoName, "tls-auto", "",
 		"MutatingWebhookConfiguration name. If specified, will auto generate cert bundle.")
 	c.flagSet.StringVar(&c.flagAutoHosts, "tls-auto-hosts", "",
@@ -205,6 +211,10 @@ func (c *Command) parseEnvs() error {
 		}
 	}
 
+	if envs.TemplateConfigStaticSecretRenderInterval != "" {
+		c.flagStaticSecretRenderInterval = envs.TemplateConfigStaticSecretRenderInterval
+	}
+
 	if envs.TLSAuto != "" {
 		c.flagAutoName = envs.TLSAuto
 	}

subcommand/injector/flags_test.go

@@ -130,6 +130,7 @@ func TestCommandEnvs(t *testing.T) {
 		{env: "AGENT_INJECT_MEM_REQUEST", value: "256m", cmdPtr: &cmd.flagResourceRequestMem},
 		{env: "AGENT_INJECT_CPU_LIMIT", value: "1000m", cmdPtr: &cmd.flagResourceLimitCPU},
 		{env: "AGENT_INJECT_MEM_LIMIT", value: "256m", cmdPtr: &cmd.flagResourceLimitMem},
+		{env: "AGENT_INJECT_TEMPLATE_STATIC_SECRET_RENDER_INTERVAL", value: "12s", cmdPtr: &cmd.flagStaticSecretRenderInterval},
 	}
 
 	for _, tt := range tests {