vault: do not reuse TCP connections

This commit disables TCP connection reuse for Vault. Apparently, TCP connections to Vault might hang if Vault gets shutdown forcefully. The downside of this commit is that KES has to re-open a new TCP connection for every interaction with Vault. However, KES should not rach out to Vault most of them time. Hence, this change seems acceptable. Signed-off-by: Andreas Auernhammer <[email protected]>
minio · Sep 10, 2024 · 4e7242c · 4e7242c
1 parent 1da59a0
commit 4e7242c
Show file tree

Hide file tree

Showing 4 changed files with 57 additions and 5 deletions.
diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
@@ -16,7 +16,7 @@ jobs:
     - name: Set up Go
       uses: actions/setup-go@v5
       with:
-        go-version: 1.22.5
+        go-version: 1.22.7
         check-latest: true
       id: go
     - name: Check out code
@@ -34,7 +34,7 @@ jobs:
       - name: "Set up Go"
         uses: actions/setup-go@v5
         with:
-          go-version: 1.22.5
+          go-version: 1.22.7
         id: go
       - name: Check out code
         uses: actions/checkout@v4
@@ -54,7 +54,7 @@ jobs:
     - name: Set up Go
       uses: actions/setup-go@v5
       with:
-        go-version: 1.22.5
+        go-version: 1.22.7
         check-latest: true
       id: go
     - name: Check out code
@@ -70,7 +70,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        go-version: [1.21.12, 1.22.5]
+        go-version: [1.22.7, 1.23.1]
     steps:
     - name: Set up Go ${{ matrix.go-version }}
       uses: actions/setup-go@v5

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -20,7 +20,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v5
         with:
-          go-version: 1.22.5
+          go-version: 1.22.7
           check-latest: true
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v1

diff --git a/Makefile b/Makefile
@@ -0,0 +1,48 @@
+GOBIN ?= $(shell go env GOPATH)/bin
+
+TAG = $(shell TZ=UTC0 git show --quiet --date='format-local:%Y-%m-%dT%H-%M-%SZ' --format="%cd")
+REPO ?= minio/kes
+
+.PHONY: install build docker docker-release fmt test lint update-tools
+
+install:
+	@mkdir -m 0755 -p ${GOBIN}
+	@CGO_ENABLED=0 go build -trimpath -ldflags "-s -w" -buildvcs=true -o ${GOBIN}/kes ./cmd/kes
+
+build:
+	@CGO_ENABLED=0 go build -trimpath -ldflags "-s -w" -buildvcs=true -o ./kes ./cmd/kes
+
+# This should not depend on the build step. The release binary build
+# is currently done via a set of scripts maintained in the miniohq/q
+# repository.
+docker-release:
+	@echo "Building container image for release ${TAG} ..."
+	@docker buildx build --push --no-cache \
+		--build-arg RELEASE="${RELEASE}" \
+		-t "quay.io/minio/kes:latest" \
+		-t "quay.io/minio/kes:${TAG}" \
+		--platform=linux/arm64,linux/amd64 \
+		-f Dockerfile .
+	@rm ./kes
+	@docker buildx prune -f
+
+docker: build
+	@echo "Building scratch container image ${REPO}:${TAG} ..."
+	@docker build -q --no-cache -t ${REPO}:${TAG} . -f Dockerfile.dev
+	@rm ./kes
+
+fmt:
+	@gofumpt -d . && echo "No formatting issue found."
+
+test:
+	@CGO_ENABLED=0 go test -ldflags "-s -w" ./...
+
+lint:
+	@go vet ./...
+	@golangci-lint run --config ./.golangci.yml
+	@govulncheck ./...
+
+update-tools:
+	@CGO_ENABLED=0 go install mvdan.cc/gofumpt@latest
+	@CGO_ENABLED=0 go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest
+	@CGO_ENABLED=0 go install golang.org/x/vuln/cmd/govulncheck@latest
diff --git a/internal/keystore/vault/vault.go b/internal/keystore/vault/vault.go
@@ -108,6 +108,10 @@ func Connect(ctx context.Context, c *Config) (*Store, error) {
 	config.CloneTLSConfig = true // Required for status checks
 	config.CloneToken = true     // Required for status checks
 	config.ConfigureTLS(tlsConfig)
+	if tr, ok := config.HttpClient.Transport.(*http.Transport); ok {
+		tr.DisableKeepAlives = true
+		tr.MaxIdleConnsPerHost = -1
+	}
 	vaultClient, err := vaultapi.NewClient(config)
 	if err != nil {
 		return nil, err