Merge branch 'main' into exit_when_ready

Signed-off-by: kfox1111 <[email protected]>

Dockerfile

@@ -0,0 +1,10 @@
+FROM golang
+
+WORKDIR /build
+COPY . /build
+RUN CGO_ENABLED=0 go build -o spiffe-helper ./cmd/spiffe-helper
+
+FROM scratch
+COPY --from=0 /build/spiffe-helper /spiffe-helper
+ENTRYPOINT ["/spiffe-helper"]
+CMD ["-config", "/etc/spiffe-helper.conf"]

README.md

@@ -16,26 +16,25 @@ If `-config` is not specified, the default value `helper.conf` is assumed.
 ## Configuration
 The configuration file is an [HCL](https://github.com/hashicorp/hcl) formatted file that defines the following configurations:
 
- | Configuration               | Description                                                                                                    | Example Value        |
- |-----------------------------|----------------------------------------------------------------------------------------------------------------| -------------------- |
- |`agent_address`              | Socket address of SPIRE Agent.                                                                                 | `"/tmp/agent.sock"`  |
- |`cmd`                        | The path to the process to launch.                                                                             | `"ghostunnel"`       |
- |`cmd_args`                   | The arguments of the process to launch.                                                                        | `"server --listen localhost:8002 --target localhost:8001--keystore certs/svid_key.pem --cacert certs/svid_bundle.pem --allow-uri-san spiffe://example.org/Database"` |
- |`cert_dir`                   | Directory name to store the fetched certificates. This directory must be created previously.                   | `"certs"`            |
- |`exit_when_ready`            | Fetch x509 certificate and then exit(0)                                                                        | `true`               |
- |`add_intermediates_to_bundle`| Add intermediate certificates into Bundle file instead of SVID file.                                           | `true`               |
- |`renew_signal`               | The signal that the process to be launched expects to reload the certificates. It is not supported on Windows. | `"SIGUSR1"`          |
- |`svid_file_name`             | File name to be used to store the X.509 SVID public certificate in PEM format.                                 | `"svid.pem"`         |
- |`svid_key_file_name`         | File name to be used to store the X.509 SVID private key and public certificate in PEM format.                 | `"svid_key.pem"`     |
- |`svid_bundle_file_name`      | File name to be used to store the X.509 SVID Bundle in PEM format.                                             | `"svid_bundle.pem"`  |
- |`jwt_audience`               | JWT SVID audience.                                                                                             | `"your-audience"`    |
- |`jwt_svid_file_name`         | File name to be used to store JWT SVID in Base64-encoded string.                                               | `"jwt_svid.token"`   |
- |`jwt_bundle_file_name`       | File name to be used to store JWT Bundle in JSON format.                                                       | `"jwt_bundle.json"`  |
- |`jwt_bundle_file_name`       | File name to be used to store JWT Bundle in JSON format.                                                       | `"jwt_bundle.json"`  |
+ | Configuration                 | Description                                                                                                    | Example Value                                                                                                                                                        |
+ |-------------------------------|----------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+ | `agent_address`               | Socket address of SPIRE Agent.                                                                                 | `"/tmp/agent.sock"`                                                                                                                                                  |
+ | `cmd`                         | The path to the process to launch.                                                                             | `"ghostunnel"`                                                                                                                                                       |
+ | `cmd_args`                    | The arguments of the process to launch.                                                                        | `"server --listen localhost:8002 --target localhost:8001--keystore certs/svid_key.pem --cacert certs/svid_bundle.pem --allow-uri-san spiffe://example.org/Database"` |
+ | `cert_dir`                    | Directory name to store the fetched certificates. This directory must be created previously.                   | `"certs"`                                                                                                                                                            |
+ | `exit_when_ready`             | Fetch x509 certificate and then exit(0)                                                                        | `true`               |
+ | `add_intermediates_to_bundle` | Add intermediate certificates into Bundle file instead of SVID file.                                           | `true`                                                                                                                                                               |
+ | `renew_signal`                | The signal that the process to be launched expects to reload the certificates. It is not supported on Windows. | `"SIGUSR1"`                                                                                                                                                          |
+ | `svid_file_name`              | File name to be used to store the X.509 SVID public certificate in PEM format.                                 | `"svid.pem"`                                                                                                                                                         |
+ | `svid_key_file_name`          | File name to be used to store the X.509 SVID private key and public certificate in PEM format.                 | `"svid_key.pem"`                                                                                                                                                     |
+ | `svid_bundle_file_name`       | File name to be used to store the X.509 SVID Bundle in PEM format.                                             | `"svid_bundle.pem"`                                                                                                                                                  |
+ | `jwt_audience`                | JWT SVID audience.                                                                                             | `"your-audience"`                                                                                                                                                    |
+ | `jwt_svid_file_name`          | File name to be used to store JWT SVID in Base64-encoded string.                                               | `"jwt_svid.token"`                                                                                                                                                   |
+ | `jwt_bundle_file_name`        | File name to be used to store JWT Bundle in JSON format.                                                       | `"jwt_bundle.json"`                                                                                                                                                  |
 
 ### Configuration example
 ```
-agent_address = "/tmp/agent.sock"
+agent_address = "/tmp/spire-agent/public/api.sock"
 cmd = "ghostunnel"
 cmd_args = "server --listen localhost:8002 --target localhost:8001 --keystore certs/svid_key.pem --cacert certs/svid_bundle.pem --allow-uri-san spiffe://example.org/Database"
 cert_dir = "certs"

examples/mysql/helper.conf

@@ -1,5 +1,5 @@
 # SPIRE agent unix socket path
-agent_address = "/tmp/agent.sock"
+agent_address = "/tmp/spire-agent/public/api.sock"
 
 # mysql binary path
 cmd = "/usr/bin/mysql"

examples/mysql/spire-agent.conf

@@ -3,7 +3,7 @@ agent {
     log_level = "DEBUG"
     server_address = "127.0.0.1"
     server_port = "8081"
-    socket_path ="/tmp/agent.sock"
+    socket_path ="/tmp/spire-agent/public/api.sock"
     trust_bundle_path = "./conf/agent/dummy_root_ca.crt"
     trust_domain = "example.org"
 }

examples/postgresql/helper.conf

@@ -19,7 +19,7 @@
 #
 
 # SPIRE agent unix socket path
-agent_address = "/tmp/agent.sock"
+agent_address = "/tmp/spire-agent/public/api.sock"
 
 # psql binary path
 cmd = "/usr/bin/psql"

examples/postgresql/spire-agent.conf

@@ -3,7 +3,7 @@ agent {
     log_level = "DEBUG"
     server_address = "127.0.0.1"
     server_port = "8081"
-    socket_path ="/tmp/agent.sock"
+    socket_path ="/tmp/spire-agent/public/api.sock"
     trust_bundle_path = "./conf/agent/dummy_root_ca.crt"
     trust_domain = "example.org"
 }

go.mod

@@ -7,7 +7,7 @@ require (
 	github.com/spiffe/go-spiffe/v2 v2.1.6
 	github.com/stretchr/testify v1.8.4
 	golang.org/x/sys v0.15.0
-	google.golang.org/grpc v1.60.0
+	google.golang.org/grpc v1.60.1
 )
 
 require google.golang.org/genproto/googleapis/rpc v0.0.0-20231002182017-d307bd883b97 // indirect

go.sum

@@ -56,8 +56,8 @@ golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20231002182017-d307bd883b97 h1:6GQBEOdGkX6MMTLT9V+TjtIRZCw9VPD5Z+yHY9wMgS0=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20231002182017-d307bd883b97/go.mod h1:v7nGkzlmW8P3n/bKmWBn2WpBjpOEx8Q6gMueudAmKfY=
-google.golang.org/grpc v1.60.0 h1:6FQAR0kM31P6MRdeluor2w2gPaS4SVNrD/DNTxrQ15k=
-google.golang.org/grpc v1.60.0/go.mod h1:OlCHIeLYqSSsLi6i49B5QGdzaMZK9+M7LXN2FKz4eGM=
+google.golang.org/grpc v1.60.1 h1:26+wFr+cNqSGFcOXcabYC0lUVJVRa2Sb2ortSK7VrEU=
+google.golang.org/grpc v1.60.1/go.mod h1:OlCHIeLYqSSsLi6i49B5QGdzaMZK9+M7LXN2FKz4eGM=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8=

helper.conf

@@ -1,4 +1,4 @@
-agent_address = "/tmp/agent.sock"
+agent_address = "/tmp/spire-agent/public/api.sock"
 cmd = ""
 cmd_args = ""
 cert_dir = "certs"

helper_envoy.conf

@@ -1,4 +1,4 @@
-agent_address = "/tmp/agent.sock"
+agent_address = "/tmp/spire-agent/public/api.sock"
 cmd = "hot-restarter.py"
 cmd_args = "start_envoy.sh"
 cert_dir = "certs"

helper_ghostunnel.conf

@@ -1,4 +1,4 @@
-agent_address = "/tmp/agent.sock"
+agent_address = "/tmp/spire-agent/public/api.sock"
 cmd = "ghostunnel"
 cmd_args = "server --listen localhost:8002 --target localhost:8001 --keystore certs/svid_key.pem --cacert certs/svid_bundle.pem --allow-uri-san spiffe://example.org/Database"
 cert_dir = "certs"

pkg/sidecar/config.go

@@ -17,6 +17,7 @@ type Config struct {
 	CmdArgsDeprecated      string `hcl:"cmdArgs"`
 	CertDir                string `hcl:"cert_dir"`
 	CertDirDeprecated      string `hcl:"certDir"`
+	ExitWhenReady          bool   `hcl:"exit_when_ready"`
 	// Merge intermediate certificates into Bundle file instead of SVID file,
 	// it is useful is some scenarios like MySQL,
 	// where this is the expected format for presented certificates and bundles

pkg/sidecar/config_test.go

@@ -14,7 +14,7 @@ func TestParseConfig(t *testing.T) {
 
 	assert.NoError(t, err)
 
-	expectedAgentAddress := "/tmp/agent.sock"
+	expectedAgentAddress := "/tmp/spire-agent/public/api.sock"
 	expectedCmd := "hot-restarter.py"
 	expectedCmdArgs := "start_envoy.sh"
 	expectedCertDir := "certs"

pkg/sidecar/sidecar.go

@@ -144,6 +144,10 @@ func (s *Sidecar) updateCertificates(svidResponse *workloadapi.X509Context) {
 		}
 	}
 
+	if s.config.ExitWhenReady {
+		os.Exit(0)
+	}
+
 	select {
 	case s.certReadyChan <- struct{}{}:
 	default:

pkg/sidecar/sidecar_test.go

@@ -199,16 +199,16 @@ func TestDefaultAgentAddress(t *testing.T) {
 	assert.Equal(t, spiffeSidecar.config.AgentAddress, "/tmp/spire-agent/public/api.sock")
 }
 func TestEnvAgentAddress(t *testing.T) {
-	os.Setenv("SPIRE_AGENT_ADDRESS", "/tmp/agent.sock")
+	os.Setenv("SPIRE_AGENT_ADDRESS", "/tmp/spire-agent/public/api.sock")
 	log, _ := test.NewNullLogger()
 	spiffeSidecar, err := New("../../test/sidecar/config/helper.conf", log)
 	require.NoError(t, err)
-	assert.Equal(t, spiffeSidecar.config.AgentAddress, "/tmp/agent.sock")
+	assert.Equal(t, spiffeSidecar.config.AgentAddress, "/tmp/spire-agent/public/api.sock")
 }
 
 func TestAgentAddress(t *testing.T) {
 	// This test is used to verify that we get the agent_address of the .conf file instead of the ENV value, if we have both
-	os.Setenv("SPIRE_AGENT_ADDRESS", "/tmp/agent.sock")
+	os.Setenv("SPIRE_AGENT_ADDRESS", "/tmp/spire-agent/public/api.sock")
 	log, _ := test.NewNullLogger()
 	spiffeSidecar, err := New("../../test/sidecar/configWithAddress/helper.conf", log)
 	require.NoError(t, err)

test/fixture/config/helper.conf

@@ -1,4 +1,4 @@
-agent_address = "/tmp/agent.sock"
+agent_address = "/tmp/spire-agent/public/api.sock"
 cmd = "hot-restarter.py"
 cmd_args = "start_envoy.sh"
 cert_dir = "certs"