add agent-enable-quit annotation #330
Conversation
New annotation to enable the /agent/v1/quit endpoint on an injected agent. This option has no default, and will be set on the existing cache listener, or a new localhost listener with a basic cache stanza configured since that's required for an agent listener.
| // that's required for an agent listener. | ||
| if a.EnableQuit != nil { | ||
| if len(config.Listener) > 0 { | ||
| config.Listener[0].AgentAPI = &AgentAPI{ |
There was a problem hiding this comment.
In the vast majority of cases, there will only be 1 listener, but should we maybe set it on all listeners? Just choosing the first one seems surprising, and for users who want to finesse which listeners it is and isn't on, I think it's ok to not give them a dedicated annotation for that but let them fully define their own config.
There was a problem hiding this comment.
I don't think the injector can currently create a config with more than one listener, can it? I think the only way to inject an agent that has multiple listener is to specify the full config in a configmap, and in that case this code wouldn't be triggered.
But I can add a loop since it does look a little jarring to only reference listener[0] here.
There was a problem hiding this comment.
Oh I forgot about that - makes sense.
agent-inject/agent/config.go
Outdated
| // If EnableQuit has been set, set it on the listener. If a listener hasn't | ||
| // been defined, set it on a new one. Also add a simple cache stanza since | ||
| // that's required for an agent listener. | ||
| if a.EnableQuit != nil { |
There was a problem hiding this comment.
Do we need to do anything if it's false, given it defaults to false?
There was a problem hiding this comment.
Good question, and I went back and forth on this quite a bit. It would certainly be simpler to only set the enable_quit config if the annotation has been set to true, and maybe that's the best to do for now.
Currently EnableQuit is setup as a pointer so the config is set only if the annotation was specified (true or false), but since it defaults to false in the agent, just omitting the config setting here should be sufficient. And it's probably very unlikely that we'd ever default to enabling the quit endpoint on the vault agent side.
There was a problem hiding this comment.
Yeah I think that seems like a safe bet for now 👍
There was a problem hiding this comment.
Updated in b316106 to only set the config if EnableQuit is true.
Since the agent is defaulting to false, and it's very unlikely that will change. This also meant the Agent.EnableQuit field doesn't need to be a pointer any longer, so refactored that to make the logic a little simpler.
New annotation to enable the /agent/v1/quit endpoint on an injected agent. This option defaults to
false, and will be set iftrueon the existing cache listener, or a new localhost listener with a basic cache stanza configured since that's required for an agent listener.The agent-cache-listener-port annotation can be used to change the port.
Example Job: