Enable persistent agent caching #229
Conversation
If caching enabled, and both init and sidecar will be injected.
agent-inject/agent/agent.go
Outdated
| ExitOnErr: agentCacheExitOnErr, | ||
| } | ||
| agent.VaultAgentCache.Persist = agent.agentCachePersist() |
There was a problem hiding this comment.
| ExitOnErr: agentCacheExitOnErr, | |
| } | |
| agent.VaultAgentCache.Persist = agent.agentCachePersist() | |
| ExitOnErr: agentCacheExitOnErr, | |
| Persist: agent.agentCachePersist(), | |
| } |
There was a problem hiding this comment.
Yep, I reworked this a bit in 00f9152 to set it all in the struct, since agentCachePersist() also checks whether the cache is enabled.
agent-inject/agent/annotations.go
Outdated
| @@ -550,6 +558,22 @@ func (a *Agent) agentCacheEnable() (bool, error) { | |||
| return strconv.ParseBool(raw) | |||
| } | |||
|
|
|||
| func (a *Agent) agentCachePersist() bool { | |||
There was a problem hiding this comment.
Nit: the caller is *Agent in here so you could rename this to cachePersist (same with the func below).
agent-inject/agent/annotations.go
Outdated
| @@ -550,6 +558,22 @@ func (a *Agent) agentCacheEnable() (bool, error) { | |||
| return strconv.ParseBool(raw) | |||
| } | |||
|
|
|||
| func (a *Agent) agentCachePersist() bool { | |||
| if a.VaultAgentCache.Enable && a.PrePopulate && !a.PrePopulateOnly { | |||
There was a problem hiding this comment.
Determining whether we need persist like so may be fine for now, though I do wonder if we'd have to expose this through annotations down the road.
| @@ -306,8 +308,8 @@ func TestConfigVaultAgentCache(t *testing.T) { | |||
| t.Error("agent Cache should be enabled") | |||
| } | |||
|
|
|||
| if config.Cache.UseAuthAuthToken != "force" { | |||
| t.Errorf("agent Cache use_auto_auth_token should be 'force', got %s instead", config.Cache.UseAuthAuthToken) | |||
| if config.Cache.UseAutoAuthToken != "force" { | |||
Removing some of the stutter from agent functions, and setting Persist directly.
|
FWIW, I also tested these changes with the current version of vault-agent (1.6.3), and the extra persist cache config is ignored without errors. So for someone using a pre-1.7 vault-agent, the main difference is the init container's vault-agent will also have caching enabled (as opposed to just the sidecar), but pre-1.7 this is just memory cache, so it shouldn't change behavior for users. |
Controlled by the "vault.hashicorp.com/agent-cache-enable" annotation, with a few caveats: If "vault.hashicorp.com/agent-cache-enable": "true", ...and if init and sidecar enabled, persistent caching enabled ...and if sidecar only, just memory caching without persistence enabled ...and if init only, no caching at all When persistent caching is enabled, a `vault-agent-cache` memory volume is mounted at `/vault/agent-cache` on the init and sidecar containers.
Adds support for persistent agent caching introduced in hashicorp/vault#10938
Controlled by the "vault.hashicorp.com/agent-cache-enable" annotation, with a few caveats:
If "vault.hashicorp.com/agent-cache-enable": "true",
When persistent caching is enabled, a
vault-agent-cachememory volume is mounted at/vault/agent-cacheon the init and sidecar containers.Also adds an annotation "vault.hashicorp.com/agent-cache-exit-on-err", which corresponds to the exit_on_err config setting introduced in hashicorp/vault#10938. Controls whether the agent will exit on an error while restoring the persistent cache.