Tags: minio/kes

2025-03-12T09-35-18Z

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature.
Bugfix: clear namespace for healthcheck request in CheckStatus (#511)

2025-01-30T09-41-53Z

Verified

Bump golang.org/x/net to silence a wrong vuln checker (#500)

Co-authored-by: Anis Eleuch <[email protected]>

v0.24.0

Verified

vault: reset token TTL to 0 when renewing token (#501)

This commit resets the token TTL to zero once we start
another re-authentication attempt. The reason is that if
we fail to re-authenticate, we should not wait again for 80%
of the prev. token TTL but instead re-authenticate right
away.

Signed-off-by: Andreas Auernhammer <[email protected]>

2024-12-30T17-40-21Z

Verified

use `GetClientCertificate` instead of `Certificates` to prevent client issue from not being sent (#498)

2024-11-25T13-44-31Z

Verified

Re-read JWT file for every authentication (#491)

* Re-read JWT file for every authentication

* fix lint issues

* fix unit test

2024-10-31T07-42-41Z

Verified

vault: delay the usage of renewed auth tokens (#488)

This commit adds a delay that has to elapse before
a new Vault auth. token is used. A dist. Vault cluster
may experience some replication lag. Hence, some cluster
nodes already have the renewed token while others don't.
If KES makes a request to a Vault node that does not have
the renewed token, then the Vault node will reject the request.

By waiting a certain amount of time (e.g. 30s) KES allows the
Vault cluster to sync a renewed token to all peer nodes. KES
cannot know when the token will be replicated but 30s seems a
reasonable value for most practical purposes.

Signed-off-by: Andreas Auernhammer <[email protected]>
Co-authored-by: kannappanr <[email protected]>

2024-09-11T07-22-50Z

Verified

vault: do not reuse TCP connections (#486)

This commit disables TCP connection reuse for Vault.
Apparently, TCP connections to Vault might hang if Vault
gets shut down forcefully.

The downside of this commit is that KES has to re-open a new
TCP connection for every interaction with Vault. However,
KES should not reach out to Vault most of the time. Hence, this
change seems acceptable.

Signed-off-by: Andreas Auernhammer <[email protected]>

2024-09-03T10-39-51Z

Verified

entrust: Close body to avoid some conn leaks (#485)

Also ensure that we drain the body before closing it to reuse the
existing connections when possible.

Co-authored-by: Anis Eleuch <[email protected]>

2024-08-16T14-39-28Z

Verified

entrust: use reasonable defaults for HTTP transport (#477)

This commit fixes the HTTP transport of the entrust keycontrol client
to use a connection pool to reuse connections or close idle ones.

Signed-off-by: Andreas Auernhammer <[email protected]>

2024-06-17T15-47-05Z

Verified

fix goroutine leak when reloading server config (#469)

This commit fixes a goroutine leak that occurs when
reloading the server configuration.

During a config reload, the server establishes a 2nd
connection to the backend keystore and replaces the
existing connection with the newly opened one. The switch
is performed atomically (without locking) to not block
or abort ongoing requests.

Once the server has replaced the keystore connection,
it closes it. Before this commit, the server stopped
the in-memory key cache and its GC goroutines. However,
it did not close any resources (goroutines/file descriptors)
allocated by the replaced keystore. This commit fixes this.

Signed-off-by: Andreas Auernhammer <[email protected]>