diff --git a/changelog/25212.txt b/changelog/25212.txt
new file mode 100644
index 000000000000..bd1b74f5642a
--- /dev/null
+++ b/changelog/25212.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+agent: Added a new config option, `lease_renewal_threshold`, that controls the refresh rate of non-renewable leases in Agent's template engine.
+```
diff --git a/command/agent/config/config.go b/command/agent/config/config.go
index 0b14a3f098ca..d1597cece8fa 100644
--- a/command/agent/config/config.go
+++ b/command/agent/config/config.go
@@ -169,6 +169,7 @@ type TemplateConfig struct {
 StaticSecretRenderInt time.Duration `hcl:"-"`
 MaxConnectionsPerHostRaw interface{} `hcl:"max_connections_per_host"`
 MaxConnectionsPerHost int `hcl:"-"`
+ LeaseRenewalThreshold *float64 `hcl:"lease_renewal_threshold"`
 }
 
 type ExecConfig struct {
diff --git a/command/agent/config/config_test.go b/command/agent/config/config_test.go
index 6947f3590628..6c12ebe5def3 100644
--- a/command/agent/config/config_test.go
+++ b/command/agent/config/config_test.go
@@ -17,6 +17,10 @@ import (
 "golang.org/x/exp/slices"
 )
 
+func FloatPtr(t float64) *float64 {
+ return &t
+}
+
 func TestLoadConfigFile_AgentCache(t *testing.T) {
 config, err := LoadConfigFile("./test-fixtures/config-cache.hcl")
 if err != nil {
@@ -1046,6 +1050,7 @@ func TestLoadConfigFile_TemplateConfig(t *testing.T) {
 ExitOnRetryFailure: true,
 StaticSecretRenderInt: 1 * time.Minute,
 MaxConnectionsPerHost: 100,
+ LeaseRenewalThreshold: FloatPtr(0.8),
 },
 },
 "empty": {
diff --git a/command/agent/config/test-fixtures/config-template_config.hcl b/command/agent/config/test-fixtures/config-template_config.hcl
index 46c082a4228b..be6bd384d816 100644
--- a/command/agent/config/test-fixtures/config-template_config.hcl
+++ b/command/agent/config/test-fixtures/config-template_config.hcl
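Review bot: The new `LeaseRenewalThreshold *float64` field in the config.go hunk is accepted without any range check in this diff, and the runner_config.go hunk hands the pointer straight through to consul-template, so 0, a negative value, or anything above 1.0 reaches the template engine unchecked. Given the documented meaning (a fraction of the lease duration to wait before refreshing a non-renewable lease), a value above 1 makes the engine wait past lease expiry while templates keep rendering the old credential, and a value of 0 or below makes it refetch continuously. Suggest rejecting values outside (0, 1] wherever `template_config` is already parsed or validated (the `MaxConnectionsPerHostRaw`/`MaxConnectionsPerHost` pair suggests such a step exists outside this hunk), e.g. `if c.LeaseRenewalThreshold != nil && (*c.LeaseRenewalThreshold <= 0 || *c.LeaseRenewalThreshold > 1) { return fmt.Errorf("lease_renewal_threshold must be in (0, 1], got %v", *c.LeaseRenewalThreshold) }`. The field itself also deserves a doc comment stating the unit and the valid range, and the template.mdx hunk should state the range too (its phrase "should wait for to refresh" also needs a grammar fix).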
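Review bot: `FloatPtr` in the first config_test.go hunk is exported even though it is only a test helper, and its float parameter is named `t`, which everywhere else in this file is the `*testing.T`; `func floatPtr(f float64) *float64 { return &f }` would read more naturally. The second hunk pins only the populated case (`FloatPtr(0.8)`); presumably the "empty" fixture asserts that the field stays nil, which is worth confirming since runner_config.go relies on nil to mean "use the default". `TestLoadConfigFile_TemplateConfig` begins and ends outside the hunk.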
@@ -12,6 +12,7 @@ template_config {
 exit_on_retry_failure = true
 static_secret_render_interval = 60
 max_connections_per_host = 100
+ lease_renewal_threshold = 0.8
 }
 
 template {
diff --git a/command/agent/internal/ctmanager/runner_config.go b/command/agent/internal/ctmanager/runner_config.go
index c19e2efef0a2..03b134dbcbd3 100644
--- a/command/agent/internal/ctmanager/runner_config.go
+++ b/command/agent/internal/ctmanager/runner_config.go
@@ -38,8 +38,12 @@ func NewConfig(mc ManagerConfig, templates ctconfig.TemplateConfigs) (*ctconfig.
 conf.Vault.Namespace = &mc.Namespace
 }
 
- if mc.AgentConfig.TemplateConfig != nil && mc.AgentConfig.TemplateConfig.StaticSecretRenderInt != 0 {
- conf.Vault.DefaultLeaseDuration = &mc.AgentConfig.TemplateConfig.StaticSecretRenderInt
+ if mc.AgentConfig.TemplateConfig != nil {
+ conf.Vault.LeaseRenewalThreshold = mc.AgentConfig.TemplateConfig.LeaseRenewalThreshold
+
+ if mc.AgentConfig.TemplateConfig.StaticSecretRenderInt != 0 {
+ conf.Vault.DefaultLeaseDuration = &mc.AgentConfig.TemplateConfig.StaticSecretRenderInt
+ }
 }
 
 if mc.AgentConfig.DisableIdleConnsTemplating {
diff --git a/website/content/docs/agent-and-proxy/agent/template.mdx b/website/content/docs/agent-and-proxy/agent/template.mdx
index fd9faa54587d..61939cf45cd2 100644
--- a/website/content/docs/agent-and-proxy/agent/template.mdx
+++ b/website/content/docs/agent-and-proxy/agent/template.mdx
@@ -111,6 +111,10 @@ failures.
 that the Vault Agent templating engine can use for a particular Vault host.
 This limit includes connections in the dialing, active, and idle states.
 
+- `lease_renewal_threshold` `(float: 0.9)` - How long Vault Agent's template
+ engine should wait for to refresh dynamic, non-renewable leases, measured as
+ a fraction of the lease duration.
+
 ### `template_config` stanza example
 
 ```hcl
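Review bot: The new `conf.Vault.LeaseRenewalThreshold = mc.AgentConfig.TemplateConfig.LeaseRenewalThreshold` line in the runner_config.go hunk assigns unconditionally, so an unset option hands a nil pointer to consul-template and the code silently depends on the library substituting its own default (0.9 per the docs hunk) for nil; nothing on the line says so, and a comment such as `// nil (option unset) leaves consul-template's own default threshold in effect` would save the next reader from checking. The assignment also shares the agent config's `*float64` with the runner config rather than copying the value; if either struct is mutated later (I cannot see that from the hunk) the two would change together, and `v := *...; conf.Vault.LeaseRenewalThreshold = &v` guarded by a nil check would decouple them. `NewConfig` continues outside the hunk.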