From 4e7242c633146a28a03d3ccf3ba33b936a38b9f8 Mon Sep 17 00:00:00 2001
From: Andreas Auernhammer
Date: Tue, 10 Sep 2024 20:01:47 +0200
Subject: [PATCH] vault: do not reuse TCP connections

This commit disables TCP connection reuse for Vault. Apparently, TCP connections to Vault might hang if Vault gets shutdown forcefully. The downside of this commit is that KES has to re-open a new TCP connection for every interaction with Vault. However, KES should not rach out to Vault most of them time. Hence, this change seems acceptable.

Signed-off-by: Andreas Auernhammer
---
 .github/workflows/go.yml | 8 +++---
 .github/workflows/release.yml | 2 +-
 Makefile | 48 ++++++++++++++++++++++++++++++++
 internal/keystore/vault/vault.go | 4 +++
 4 files changed, 57 insertions(+), 5 deletions(-)
 create mode 100644 Makefile

diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
index 4815d957..87acfe44 100644
--- a/.github/workflows/go.yml
+++ b/.github/workflows/go.yml
@@ -16,7 +16,7 @@ jobs:
 - name: Set up Go
 uses: actions/setup-go@v5
 with:
- go-version: 1.22.5
+ go-version: 1.22.7
 check-latest: true
 id: go
 - name: Check out code
@@ -34,7 +34,7 @@ jobs:
 - name: "Set up Go"
 uses: actions/setup-go@v5
 with:
- go-version: 1.22.5
+ go-version: 1.22.7
 id: go
 - name: Check out code
 uses: actions/checkout@v4
@@ -54,7 +54,7 @@ jobs:
 - name: Set up Go
 uses: actions/setup-go@v5
 with:
- go-version: 1.22.5
+ go-version: 1.22.7
 check-latest: true
 id: go
 - name: Check out code
@@ -70,7 +70,7 @@ jobs:
 runs-on: ubuntu-latest
 strategy:
 matrix:
- go-version: [1.21.12, 1.22.5]
+ go-version: [1.22.7, 1.23.1]
 steps:
 - name: Set up Go ${{ matrix.go-version }}
 uses: actions/setup-go@v5
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index e06a2335..acd9ede5 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -20,7 +20,7 @@ jobs:
 - name: Set up Go
 uses: actions/setup-go@v5
 with:
- go-version: 1.22.5
+ go-version: 1.22.7
 check-latest: true
 - name: Set up QEMU
 uses: docker/setup-qemu-action@v1
diff --git a/Makefile b/Makefile
new file mode 100644
index 00000000..e5c21bc5
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,48 @@
+GOBIN ?= $(shell go env GOPATH)/bin
+
+TAG = $(shell TZ=UTC0 git show --quiet --date='format-local:%Y-%m-%dT%H-%M-%SZ' --format="%cd")
+REPO ?= minio/kes
+
+.PHONY: install build docker docker-release fmt test lint update-tools
+
+install:
+ @mkdir -m 0755 -p ${GOBIN}
+ @CGO_ENABLED=0 go build -trimpath -ldflags "-s -w" -buildvcs=true -o ${GOBIN}/kes ./cmd/kes
+
+build:
+ @CGO_ENABLED=0 go build -trimpath -ldflags "-s -w" -buildvcs=true -o ./kes ./cmd/kes
+
+# This should not depend on the build step. The release binary build
+# is currently done via a set of scripts maintained in the miniohq/q
+# repository.
+docker-release:
+ @echo "Building container image for release ${TAG} ..."
+ @docker buildx build --push --no-cache \ --build-arg RELEASE="${RELEASE}" \ -t "quay.io/minio/kes:latest" \ -t "quay.io/minio/kes:${TAG}" \ --platform=linux/arm64,linux/amd64 \ -f Dockerfile .
+ @rm ./kes
+ @docker buildx prune -f
+
+docker: build
+ @echo "Building scratch container image ${REPO}:${TAG} ..."
+ @docker build -q --no-cache -t ${REPO}:${TAG} . -f Dockerfile.dev
+ @rm ./kes
+
+fmt:
+ @gofumpt -d . && echo "No formatting issue found."
+
+test:
+ @CGO_ENABLED=0 go test -ldflags "-s -w" ./...
+
+lint:
+ @go vet ./...
+ @golangci-lint run --config ./.golangci.yml
+ @govulncheck ./...
+
+update-tools:
+ @CGO_ENABLED=0 go install mvdan.cc/gofumpt@latest
+ @CGO_ENABLED=0 go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest
+ @CGO_ENABLED=0 go install golang.org/x/vuln/cmd/govulncheck@latest
diff --git a/internal/keystore/vault/vault.go b/internal/keystore/vault/vault.go
index 2679d931..81483b50 100644
--- a/internal/keystore/vault/vault.go
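Review bot: The `update-tools` target installs gofumpt, golangci-lint and govulncheck at `@latest`, so `fmt` and `lint` run whichever tool version happens to be published when the target is invoked, and a breaking or compromised tool release reaches every developer machine and CI runner without review. Pin each tool to an explicit, deliberately bumped version, e.g. `@CGO_ENABLED=0 go install mvdan.cc/gofumpt@<PINNED_VERSION>` and likewise for the other two lines (the placeholder stands for a tagged release). Separately, `docker-release` ends with `@rm ./kes` although the target does not build that file; if the externally produced binary is absent the recipe fails only after the image has already been pushed, so `-rm -f ./kes` or an explicit existence check is safer.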
+++ b/internal/keystore/vault/vault.go
@@ -108,6 +108,10 @@ func Connect(ctx context.Context, c *Config) (*Store, error) {
 config.CloneTLSConfig = true // Required for status checks
 config.CloneToken = true // Required for status checks
 config.ConfigureTLS(tlsConfig)
+ if tr, ok := config.HttpClient.Transport.(*http.Transport); ok {
+ tr.DisableKeepAlives = true
+ tr.MaxIdleConnsPerHost = -1
+ }
 vaultClient, err := vaultapi.NewClient(config)
 if err != nil {
 return nil, err
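Review bot: The added block silently does nothing when `config.HttpClient.Transport` is not a `*http.Transport`, so any later change that wraps the transport in another RoundTripper would quietly restore connection reuse and bring back the hang this commit works around; fail loudly instead, e.g. `} else { return nil, errors.New("vault: cannot disable keep-alives on non-default HTTP transport") }` (assuming `errors` or an equivalent is imported in this file, which is not visible here). The reason for disabling keep-alives lives only in the commit message, so add a comment above the `if`, e.g. `// Open a fresh TCP connection per request: idle connections to a forcefully stopped Vault have been observed to hang.` `tr.MaxIdleConnsPerHost = -1` looks redundant once `DisableKeepAlives` is true, since the transport already declines to pool connections in that case; either drop it or comment why both are set. Disabling reuse only avoids stale idle connections, not a request that stalls mid-flight, so confirm that a request timeout (`config.Timeout` or `tr.ResponseHeaderTimeout`) is in effect; Connect's body continues outside the hunk.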