unit test

hashicorp · Dec 21, 2024 · a68916b · a68916b
1 parent 6c012d5
commit a68916b
Show file tree

Hide file tree

Showing 6 changed files with 87 additions and 40 deletions.
diff --git a/agent-inject/agent/agent.go b/agent-inject/agent/agent.go
@@ -17,26 +17,27 @@ import (
 )
 
 const (
-	DefaultVaultImage                       = "hashicorp/vault:1.18.2"
-	DefaultVaultAuthType                    = "kubernetes"
-	DefaultVaultAuthPath                    = "auth/kubernetes"
-	DefaultAgentRunAsUser                   = 100
-	DefaultAgentRunAsGroup                  = 1000
-	DefaultAgentRunAsSameUser               = false
-	DefaultAgentAllowPrivilegeEscalation    = false
-	DefaultAgentDropCapabilities            = "ALL"
-	DefaultAgentSetSecurityContext          = true
-	DefaultAgentReadOnlyRoot                = true
-	DefaultAgentCacheEnable                 = "false"
-	DefaultAgentCacheUseAutoAuthToken       = "true"
-	DefaultAgentCacheListenerPort           = "8200"
-	DefaultAgentCacheExitOnErr              = false
-	DefaultAgentUseLeaderElector            = false
-	DefaultAgentInjectToken                 = false
-	DefaultTemplateConfigExitOnRetryFailure = true
-	DefaultServiceAccountMount              = "/var/run/secrets/vault.hashicorp.com/serviceaccount"
-	DefaultEnableQuit                       = false
-	DefaultAutoAuthEnableOnExit             = false
+	DefaultVaultImage                          = "hashicorp/vault:1.18.2"
+	DefaultVaultAuthType                       = "kubernetes"
+	DefaultVaultAuthPath                       = "auth/kubernetes"
+	DefaultAgentRunAsUser                      = 100
+	DefaultAgentRunAsGroup                     = 1000
+	DefaultAgentRunAsSameUser                  = false
+	DefaultAgentAllowPrivilegeEscalation       = false
+	DefaultAgentDropCapabilities               = "ALL"
+	DefaultAgentSetSecurityContext             = true
+	DefaultAgentReadOnlyRoot                   = true
+	DefaultAgentCacheEnable                    = "false"
+	DefaultAgentCacheUseAutoAuthToken          = "true"
+	DefaultAgentCacheListenerPort              = "8200"
+	DefaultAgentCacheExitOnErr                 = false
+	DefaultAgentUseLeaderElector               = false
+	DefaultAgentInjectToken                    = false
+	DefaultTemplateConfigExitOnRetryFailure    = true
+	DefaultTemplateConfigLeaseRenewalThreshold = 0.9
+	DefaultServiceAccountMount                 = "/var/run/secrets/vault.hashicorp.com/serviceaccount"
+	DefaultEnableQuit                          = false
+	DefaultAutoAuthEnableOnExit                = false
 )
 
 // Agent is the top level structure holding all the

diff --git a/agent-inject/agent/annotations.go b/agent-inject/agent/annotations.go
@@ -295,10 +295,10 @@ const (
 	//  includes connections in the dialing, active, and idle states.
 	AnnotationTemplateConfigMaxConnectionsPerHost = "vault.hashicorp.com/template-max-connections-per-host"
 
-	// AnnotationTemplateConfigMaxConnectionsPerHost configure how long Vault Agent's template
+	// AnnotationTemplateConfigLeaseRenewalThreshold configure how long Vault Agent's template
 	// engine should wait for to refresh dynamic, non-renewable leases, measured as
 	// a fraction of the lease duration.
-	AnnotationTemplateConfigLeaseRenewalThreshold = "vault.hashicorp.com/template-max-lease-renewal-threshold"
+	AnnotationTemplateConfigLeaseRenewalThreshold = "vault.hashicorp.com/template-config-lease-renewal-threshold"
 
 	// AnnotationAgentEnableQuit configures whether the quit endpoint is
 	// enabled in the injected agent config
@@ -878,7 +878,7 @@ func (a *Agent) templateConfigMaxConnectionsPerHost() (int64, error) {
 func (a *Agent) templateConfigLeaseRenewalThreshold() (float64, error) {
 	raw, ok := a.Annotations[AnnotationTemplateConfigLeaseRenewalThreshold]
 	if !ok {
-		return 0, nil
+		return DefaultTemplateConfigLeaseRenewalThreshold, nil
 	}
 
 	// TODO: use parseutil

diff --git a/agent-inject/agent/annotations_test.go b/agent-inject/agent/annotations_test.go
@@ -23,23 +23,24 @@ import (
 
 func basicAgentConfig() AgentConfig {
 	return AgentConfig{
-		Image:              "foobar-image",
-		Address:            "http://foobar:8200",
-		AuthType:           DefaultVaultAuthType,
-		AuthPath:           "test",
-		Namespace:          "test",
-		RevokeOnShutdown:   true,
-		UserID:             "100",
-		GroupID:            "1000",
-		SameID:             DefaultAgentRunAsSameUser,
-		SetSecurityContext: DefaultAgentSetSecurityContext,
-		ProxyAddress:       "http://proxy:3128",
-		DefaultTemplate:    DefaultTemplateType,
-		ResourceRequestCPU: DefaultResourceRequestCPU,
-		ResourceRequestMem: DefaultResourceRequestMem,
-		ResourceLimitCPU:   DefaultResourceLimitCPU,
-		ResourceLimitMem:   DefaultResourceLimitMem,
-		ExitOnRetryFailure: DefaultTemplateConfigExitOnRetryFailure,
+		Image:                 "foobar-image",
+		Address:               "http://foobar:8200",
+		AuthType:              DefaultVaultAuthType,
+		AuthPath:              "test",
+		Namespace:             "test",
+		RevokeOnShutdown:      true,
+		UserID:                "100",
+		GroupID:               "1000",
+		SameID:                DefaultAgentRunAsSameUser,
+		SetSecurityContext:    DefaultAgentSetSecurityContext,
+		ProxyAddress:          "http://proxy:3128",
+		DefaultTemplate:       DefaultTemplateType,
+		ResourceRequestCPU:    DefaultResourceRequestCPU,
+		ResourceRequestMem:    DefaultResourceRequestMem,
+		ResourceLimitCPU:      DefaultResourceLimitCPU,
+		ResourceLimitMem:      DefaultResourceLimitMem,
+		ExitOnRetryFailure:    DefaultTemplateConfigExitOnRetryFailure,
+		LeaseRenewalThreshold: DefaultTemplateConfigLeaseRenewalThreshold,
 	}
 }
 

diff --git a/agent-inject/agent/config_test.go b/agent-inject/agent/config_test.go
@@ -642,6 +642,7 @@ func TestConfigVaultAgentTemplateConfig(t *testing.T) {
 			&TemplateConfig{
 				ExitOnRetryFailure:    true,
 				MaxConnectionsPerHost: 0,
+				LeaseRenewalThreshold: 0.9,
 			},
 		},
 		{
@@ -652,6 +653,7 @@ func TestConfigVaultAgentTemplateConfig(t *testing.T) {
 			&TemplateConfig{
 				ExitOnRetryFailure:    false,
 				MaxConnectionsPerHost: 0,
+				LeaseRenewalThreshold: 0.9,
 			},
 		},
 		{
@@ -663,6 +665,7 @@ func TestConfigVaultAgentTemplateConfig(t *testing.T) {
 				ExitOnRetryFailure:         true,
 				StaticSecretRenderInterval: "10s",
 				MaxConnectionsPerHost:      0,
+				LeaseRenewalThreshold:      0.9,
 			},
 		},
 		{
@@ -673,6 +676,17 @@ func TestConfigVaultAgentTemplateConfig(t *testing.T) {
 			&TemplateConfig{
 				ExitOnRetryFailure:    true,
 				MaxConnectionsPerHost: 100,
+				LeaseRenewalThreshold: 0.9,
+			},
+		},
+		{
+			"lease_renewal_threshold 0.5",
+			map[string]string{
+				AnnotationTemplateConfigLeaseRenewalThreshold: "0.5",
+			},
+			&TemplateConfig{
+				ExitOnRetryFailure:    true,
+				LeaseRenewalThreshold: 0.5,
 			},
 		},
 		{
@@ -681,6 +695,7 @@ func TestConfigVaultAgentTemplateConfig(t *testing.T) {
 			&TemplateConfig{
 				ExitOnRetryFailure:    true,
 				MaxConnectionsPerHost: 0,
+				LeaseRenewalThreshold: 0.9,
 			},
 		},
 	}

diff --git a/subcommand/injector/flags.go b/subcommand/injector/flags.go
@@ -165,6 +165,8 @@ func (c *Command) init() {
 		fmt.Sprintf("Value for Agent's template_config.exit_on_retry_failure. Defaults to %t.", agent.DefaultTemplateConfigExitOnRetryFailure))
 	c.flagSet.StringVar(&c.flagStaticSecretRenderInterval, "template-static-secret-render-interval", "",
 		"Value for Agent's template_config.exit_on_retry_failure.")
+	c.flagSet.Float64Var(&c.flagLeaseRenewalThreshold, "template-config-lease-renewal-threshold", agent.DefaultTemplateConfigLeaseRenewalThreshold,
+		"Value for Agent's template_config.lease_renewal_threshold.")
 	c.flagSet.StringVar(&c.flagAutoName, "tls-auto", "",
 		"MutatingWebhookConfiguration name. If specified, will auto generate cert bundle.")
 	c.flagSet.StringVar(&c.flagAutoHosts, "tls-auto-hosts", "",

diff --git a/subcommand/injector/flags_test.go b/subcommand/injector/flags_test.go
@@ -227,3 +227,31 @@ func TestCommandEnvInts(t *testing.T) {
 		})
 	}
 }
+
+func TestCommandEnvFloats(t *testing.T) {
+	var cmd Command
+	tests := []struct {
+		env    string
+		value  float64
+		cmdPtr *float64
+	}{
+		{env: "AGENT_INJECT_TEMPLATE_LEASE_RENEWAL_THRESHOLD", value: 0.5, cmdPtr: &cmd.flagLeaseRenewalThreshold},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.env, func(t *testing.T) {
+			if err := os.Setenv(tt.env, strconv.FormatFloat(tt.value, 'f', 2, 64)); err != nil {
+				t.Errorf("got error setting env, shouldn't have: %s", err)
+			}
+			defer os.Unsetenv(tt.env)
+
+			if err := cmd.parseEnvs(); err != nil {
+				t.Errorf("got error parsing envs, shouldn't have: %s", err)
+			}
+
+			if *tt.cmdPtr != tt.value {
+				t.Errorf("env wasn't parsed, should have been: got %f, expected %f", *tt.cmdPtr, tt.value)
+			}
+		})
+	}
+}