diff --git a/README.md b/README.md
index a16c481..0b31e7c 100644
--- a/README.md
+++ b/README.md
@@ -102,6 +102,7 @@ _Options specified via environment-variables take precedence before the values s
 vault:
 url:
 insecure:
+ timeout:
 ```
 - `url` *(default: https://127.0.0.1:8200)* - specifies the url of the vault-server.
@@ -111,8 +112,8 @@ vault: You can alternatively specify the url with the environment-variable `VAULT_ADDR` - - `insecure` *(default: false)* - specifies whether insecure https connections are allowed or not. Set to `true` when you use self-signed certificates +- `timeout` *(default: 60s)* - timeout for the vault-http-client (see https://golang.org/pkg/time/#ParseDuration for a full list of valid time units); increase for large raft databases (and increase `snapshots.timeout` accordingly!) ### Vault authentication
diff --git a/internal/app/vault_raft_snapshot_agent/config_test.go b/internal/app/vault_raft_snapshot_agent/config_test.go
index 2d9ffed..c4e82f8 100644
--- a/internal/app/vault_raft_snapshot_agent/config_test.go
+++ b/internal/app/vault_raft_snapshot_agent/config_test.go
@@ -77,6 +77,7 @@ func TestReadCompleteConfig(t *testing.T) {
 Vault: vault.VaultClientConfig{
 Url: "https://example.com:8200",
 Insecure: true,
+ Timeout: 5 * time.Minute,
 Auth: auth.AuthConfig{
 AppRole: auth.AppRoleAuthConfig{
 Path: "approle",
@@ -136,6 +137,7 @@ func TestReadConfigSetsDefaultValues(t *testing.T) {
 Vault: vault.VaultClientConfig{
 Url: "http://127.0.0.1:8200",
 Insecure: false,
+ Timeout: time.Minute,
 Auth: auth.AuthConfig{
 AppRole: auth.AppRoleAuthConfig{
 Path: "approle",
@@ -211,7 +213,7 @@ func TestWatchAndReConfigure(t *testing.T) {
 snapshotter, err := CreateSnapshotter(config)
 assert.NoError(t, err, "could not create snapshotter")
- assert.Equal(t, 30 * time.Second, snapshotter.config.Frequency)
+ assert.Equal(t, 30*time.Second, snapshotter.config.Frequency)
 reconfigured := WatchConfigAndReconfigure(snapshotter)
diff --git a/internal/app/vault_raft_snapshot_agent/vault/api.go b/internal/app/vault_raft_snapshot_agent/vault/api.go
index f70d5de..e5e0b8a 100644
--- a/internal/app/vault_raft_snapshot_agent/vault/api.go
+++ b/internal/app/vault_raft_snapshot_agent/vault/api.go
@@ -12,9 +12,10 @@ import (
 "github.com/hashicorp/vault/api"
 )
-func newVaultAPIImpl(address string, insecure bool) (*vaultAPIImpl, error) {
+func newVaultAPIImpl(address string, insecure bool, timeout time.Duration) (*vaultAPIImpl, error) {
 apiConfig := api.DefaultConfig()
 apiConfig.Address = address
+ apiConfig.HttpClient.Timeout = timeout
 tlsConfig := &api.TLSConfig{
 Insecure: insecure,
@@ -31,14 +32,14 @@ func newVaultAPIImpl(address string, insecure bool) (*vaultAPIImpl, error) {
 return &vaultAPIImpl{
 client,
- &vaultAuthAPIImpl {
+ &vaultAuthAPIImpl{
 client,
 },
 }, nil
 }
 type vaultAPIImpl struct {
- client *api.Client
+ client *api.Client
 authAPI *vaultAuthAPIImpl
 }
@@ -60,11 +61,11 @@ func (impl *vaultAPIImpl) AuthAPI() auth.VaultAuthAPI {
 }
 type vaultAuthAPIImpl struct {
- client *api.Client
+ client *api.Client
 }
 func (impl *vaultAuthAPIImpl) LoginToBackend(authPath string, credentials map[string]interface{}) (leaseDuration time.Duration, err error) {
- resp, err := impl.client.Logical().Write(path.Clean("auth/"+ authPath +"/login"), credentials)
+ resp, err := impl.client.Logical().Write(path.Clean("auth/"+authPath+"/login"), credentials)
 if err != nil {
 return 0, err
 }
@@ -89,5 +90,3 @@ func (impl *vaultAuthAPIImpl) LoginWithToken(token string) (leaseDuration time.D
 return time.Duration(ttl), nil
 }
-
-
diff --git a/internal/app/vault_raft_snapshot_agent/vault/client.go b/internal/app/vault_raft_snapshot_agent/vault/client.go
index 8604b17..645c341 100644
--- a/internal/app/vault_raft_snapshot_agent/vault/client.go
+++ b/internal/app/vault_raft_snapshot_agent/vault/client.go
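Review bot: `apiConfig.HttpClient.Timeout = timeout` is assigned unconditionally, so a zero or negative `timeout` — the zero value any caller reaching `CreateClient` without going through the config loader's `default:"60s"` would pass — replaces the vault client's 60s default with no HTTP timeout at all, because net/http applies no deadline when `Timeout <= 0`. Keep the library default in that case, `if timeout > 0 {` / `apiConfig.HttpClient.Timeout = timeout` / `}`, and consider rejecting non-positive values up front on `VaultClientConfig.Timeout` in client.go, where `Url` already carries a `validate` tag (the validator in use may support a duration lower bound such as `gt=0`). `api.Config` also has its own `Timeout` field, which `DefaultConfig()` fills from `VAULT_CLIENT_TIMEOUT` in the library versions I know and `NewClient` may copy back onto the HTTP client, so it is worth confirming which value wins given the README's statement that environment variables take precedence over the config file. `newVaultAPIImpl` continues past the end of this hunk.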
@@ -11,6 +11,7 @@ import (
 type VaultClientConfig struct {
 Url string `default:"http://127.0.0.1:8200" validate:"required,http_url"`
+ Timeout time.Duration `default:"60s"`
 Insecure bool
 Auth auth.AuthConfig
 }
@@ -29,7 +30,7 @@ type VaultClient struct {
 }
 func CreateClient(config VaultClientConfig) (*VaultClient, error) {
- api, err := newVaultAPIImpl(config.Url, config.Insecure)
+ api, err := newVaultAPIImpl(config.Url, config.Insecure, config.Timeout)
 if err != nil {
 return nil, err
 }
diff --git a/testdata/complete.yaml b/testdata/complete.yaml
index 40a2424..c6e777a 100644
--- a/testdata/complete.yaml
+++ b/testdata/complete.yaml
@@ -1,6 +1,7 @@
 vault:
 url: "https://example.com:8200"
 insecure: true
+ timeout: 5m
 auth:
 kubernetes:
 role: "test-role"