Add exit on error auto auth annotation

CHANGELOG.md

@@ -1,5 +1,8 @@
 ## Unreleased
 
+Features:
+* Support for setting [`exit_on_err`](https://github.com/hashicorp/vault/pull/17091) in the agent auto-auth method config [GH-400](https://github.com/hashicorp/vault-k8s/pull/400).
+
 ## 1.0.1 (October 24, 2022)
 
 Changes:

agent-inject/agent/agent.go

@@ -32,6 +32,7 @@ const (
 	DefaultTemplateConfigExitOnRetryFailure = true
 	DefaultServiceAccountMount              = "/var/run/secrets/vault.hashicorp.com/serviceaccount"
 	DefaultEnableQuit                       = false
+	DefaultAutoAuthEnableOnExit             = false
 )
 
 // Agent is the top level structure holding all the
@@ -177,6 +178,9 @@ type Agent struct {
 
 	// InitJsonPatch can be used to modify the agent-init container before it is created.
 	InitJsonPatch string
+
+	// AutoAuthExitOnError is used to control if a failure in the auto_auth method will cause the agent to exit or try indefinitely (the default).
+	AutoAuthExitOnError bool
 }
 
 type ServiceAccountTokenVolume struct {
@@ -488,6 +492,11 @@ func New(pod *corev1.Pod) (*Agent, error) {
 		agent.DisableKeepAlives = strings.Split(pod.Annotations[AnnotationAgentDisableKeepAlives], ",")
 	}
 
+	agent.AutoAuthExitOnError, err = agent.getAutoAuthExitOnError()
+	if err != nil {
+		return nil, err
+	}
+
 	return agent, nil
 }
 

agent-inject/agent/annotations.go

@@ -295,6 +295,9 @@ const (
 	// AnnotationAgentInitJsonPatch is used to specify a JSON patch to be applied to the agent init container before
 	// it is created.
 	AnnotationAgentInitJsonPatch = "vault.hashicorp.com/agent-init-json-patch"
+
+	// AnnotationAgentAutoAuthExitOnError is used to control if a failure in the auto_auth method will cause the agent to exit or try indefinitely (the default).
+	AnnotationAgentAutoAuthExitOnError = "vault.hashicorp.com/agent-auto-auth-exit-on-err"
 )
 
 type AgentConfig struct {
@@ -760,6 +763,14 @@ func (a *Agent) templateConfigExitOnRetryFailure() (bool, error) {
 	return strconv.ParseBool(raw)
 }
 
+func (a *Agent) getAutoAuthExitOnError() (bool, error) {
+	raw, ok := a.Annotations[AnnotationAgentAutoAuthExitOnError]
+	if !ok {
+		return DefaultAutoAuthEnableOnExit, nil
+	}
+	return strconv.ParseBool(raw)
+}
+
 func (a *Agent) getEnableQuit() (bool, error) {
 	raw, ok := a.Annotations[AnnotationAgentEnableQuit]
 	if !ok {

agent-inject/agent/annotations_test.go

@@ -1142,6 +1142,24 @@ func TestAuthMinMaxBackoff(t *testing.T) {
 	require.Equal(t, "10s", agent.Vault.AuthMaxBackoff, "expected 10s, got %v", agent.Vault.AuthMaxBackoff)
 }
 
+func TestAutoAuthExitOnError(t *testing.T) {
+	pod := testPod(map[string]string{
+		"vault.hashicorp.com/agent-auto-auth-exit-on-err": "true",
+	})
+	agentConfig := basicAgentConfig()
+	err := Init(pod, agentConfig)
+	if err != nil {
+		t.Errorf("got error, shouldn't have: %s", err)
+	}
+
+	agent, err := New(pod)
+	if err != nil {
+		t.Errorf("got error, shouldn't have: %s", err)
+	}
+
+	require.Equal(t, true, agent.AutoAuthExitOnError)
+}
+
 func TestDisableIdleConnections(t *testing.T) {
 	tests := map[string]struct {
 		annotations   map[string]string

agent-inject/agent/config.go

@@ -58,6 +58,7 @@ type Method struct {
 	MaxBackoff string                 `json:"max_backoff,omitempty"`
 	Namespace  string                 `json:"namespace,omitempty"`
 	Config     map[string]interface{} `json:"config,omitempty"`
+	ExitOnErr  bool                   `json:"exit_on_err,omitempty"`
 }
 
 // Sink defines a location to write the authenticated token
@@ -177,6 +178,7 @@ func (a *Agent) newConfig(init bool) ([]byte, error) {
 				Config:     a.Vault.AuthConfig,
 				MinBackoff: a.Vault.AuthMinBackoff,
 				MaxBackoff: a.Vault.AuthMaxBackoff,
+				ExitOnErr:  a.AutoAuthExitOnError,
 			},
 			Sinks: []*Sink{
 				{