From 503251c150706128a9ec050495791086d72ea361 Mon Sep 17 00:00:00 2001
From: Andreas Auernhammer
Date: Tue, 10 Sep 2024 20:01:47 +0200
Subject: [PATCH] vault: do not reuse TCP connections

This commit disables TCP connection reuse for Vault. Apparently, TCP connections to Vault might hang if Vault gets shutdown forcefully. The downside of this commit is that KES has to re-open a new TCP connection for every interaction with Vault. However, KES should not rach out to Vault most of them time. Hence, this change seems acceptable.

Signed-off-by: Andreas Auernhammer
---
 internal/keystore/vault/vault.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/internal/keystore/vault/vault.go b/internal/keystore/vault/vault.go
index 2679d931..81483b50 100644
--- a/internal/keystore/vault/vault.go
+++ b/internal/keystore/vault/vault.go
@@ -108,6 +108,10 @@ func Connect(ctx context.Context, c *Config) (*Store, error) {
 config.CloneTLSConfig = true // Required for status checks
 config.CloneToken = true // Required for status checks
 config.ConfigureTLS(tlsConfig)
+ if tr, ok := config.HttpClient.Transport.(*http.Transport); ok {
+ tr.DisableKeepAlives = true
+ tr.MaxIdleConnsPerHost = -1
+ }
 vaultClient, err := vaultapi.NewClient(config)
 if err != nil {
 return nil, err
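Review bot: The type assertion in the new `if tr, ok := config.HttpClient.Transport.(*http.Transport); ok` line silently skips the mitigation whenever the transport is nil or has been wrapped in another RoundTripper, so the hang workaround this commit relies on could be quietly absent at runtime; I would fail loudly in the `!ok` case, e.g. `} else { return nil, fmt.Errorf("vault: HTTP transport %T is not *http.Transport; cannot disable keep-alives", config.HttpClient.Transport) }` (assuming `fmt` is in scope here — verify). The block also carries none of the rationale from the commit message, so a future reader will likely see it as a throughput regression and revert it; a comment such as `// Do not reuse TCP connections: idle connections to Vault may hang if Vault is shut down forcefully, so open a fresh connection per request.` belongs directly above the `if`. `tr.MaxIdleConnsPerHost = -1` looks redundant with `tr.DisableKeepAlives = true` (the transport refuses to pool an idle connection under either setting), which is worth stating in that comment so neither line is treated as accidental. Since the reported symptom is a hung connection, a bounded `tr.ResponseHeaderTimeout` (or a request timeout on the client) would address the root cause rather than the symptom — whether one is already configured is not visible in this hunk. Connect's body begins and continues outside the hunk.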