diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 00000000..059a9c45
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,10 @@
+FROM golang
+
+WORKDIR /build
+COPY . /build
+RUN CGO_ENABLED=0 go build -o spiffe-helper ./cmd/spiffe-helper
+
+FROM scratch
+COPY --from=0 /build/spiffe-helper /spiffe-helper
+ENTRYPOINT ["/spiffe-helper"]
+CMD ["-config", "/etc/spiffe-helper.conf"]
diff --git a/README.md b/README.md
index 9a6c8444..3d4f6cdc 100644
--- a/README.md
+++ b/README.md
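Review bot: `FROM golang` in the build stage is unpinned, so each build resolves whatever tag is current and the produced binary is not reproducible or auditable; pin at least a tag and preferably a digest, `FROM golang:<version>@sha256:<digest>` (placeholders). The final `scratch` stage has no `USER` instruction, so `/spiffe-helper` and any `cmd` it launches run as uid 0 in the container even though the helper only needs the agent socket and write access to `cert_dir`; a numeric `USER 65532:65532` (any unprivileged id, since scratch has no passwd file) keeps a compromised helper from owning the container. `COPY . /build` also ships the whole checkout, `.git` included, into the build stage unless a `.dockerignore` exists, which I cannot see from this diff. Neither `/etc/spiffe-helper.conf` nor the agent socket is in the image, so both must be mounted at runtime; that deserves a line in the README.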
@@ -16,26 +16,25 @@ If `-config` is not specified, the default value `helper.conf` is assumed. ## Configuration The configuration file is an [HCL](https://github.com/hashicorp/hcl) formatted file that defines the following configurations: - | Configuration | Description | Example Value | - |-----------------------------|----------------------------------------------------------------------------------------------------------------| -------------------- | - |`agent_address` | Socket address of SPIRE Agent. | `"/tmp/agent.sock"` | - |`cmd` | The path to the process to launch. | `"ghostunnel"` | - |`cmd_args` | The arguments of the process to launch. | `"server --listen localhost:8002 --target localhost:8001--keystore certs/svid_key.pem --cacert certs/svid_bundle.pem --allow-uri-san spiffe://example.org/Database"` | - |`cert_dir` | Directory name to store the fetched certificates. This directory must be created previously. | `"certs"` | - |`exit_when_ready` | Fetch x509 certificate and then exit(0) | `true` | - |`add_intermediates_to_bundle`| Add intermediate certificates into Bundle file instead of SVID file. | `true` | - |`renew_signal` | The signal that the process to be launched expects to reload the certificates. It is not supported on Windows. | `"SIGUSR1"` | - |`svid_file_name` | File name to be used to store the X.509 SVID public certificate in PEM format. | `"svid.pem"` | - |`svid_key_file_name` | File name to be used to store the X.509 SVID private key and public certificate in PEM format. | `"svid_key.pem"` | - |`svid_bundle_file_name` | File name to be used to store the X.509 SVID Bundle in PEM format. | `"svid_bundle.pem"` | - |`jwt_audience` | JWT SVID audience. | `"your-audience"` | - |`jwt_svid_file_name` | File name to be used to store JWT SVID in Base64-encoded string. | `"jwt_svid.token"` | - |`jwt_bundle_file_name` | File name to be used to store JWT Bundle in JSON format. 
| `"jwt_bundle.json"` | - |`jwt_bundle_file_name` | File name to be used to store JWT Bundle in JSON format. | `"jwt_bundle.json"` | + | Configuration | Description | Example Value | + |-------------------------------|----------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------| + | `agent_address` | Socket address of SPIRE Agent. | `"/tmp/agent.sock"` | + | `cmd` | The path to the process to launch. | `"ghostunnel"` | + | `cmd_args` | The arguments of the process to launch. | `"server --listen localhost:8002 --target localhost:8001--keystore certs/svid_key.pem --cacert certs/svid_bundle.pem --allow-uri-san spiffe://example.org/Database"` | + | `cert_dir` | Directory name to store the fetched certificates. This directory must be created previously. | `"certs"` | + | `exit_when_ready` | Fetch x509 certificate and then exit(0) | `true` | + | `add_intermediates_to_bundle` | Add intermediate certificates into Bundle file instead of SVID file. | `true` | + | `renew_signal` | The signal that the process to be launched expects to reload the certificates. It is not supported on Windows. | `"SIGUSR1"` | + | `svid_file_name` | File name to be used to store the X.509 SVID public certificate in PEM format. | `"svid.pem"` | + | `svid_key_file_name` | File name to be used to store the X.509 SVID private key and public certificate in PEM format. | `"svid_key.pem"` | + | `svid_bundle_file_name` | File name to be used to store the X.509 SVID Bundle in PEM format. | `"svid_bundle.pem"` | + | `jwt_audience` | JWT SVID audience. | `"your-audience"` | + | `jwt_svid_file_name` | File name to be used to store JWT SVID in Base64-encoded string. | `"jwt_svid.token"` | + | `jwt_bundle_file_name` | File name to be used to store JWT Bundle in JSON format. 
| `"jwt_bundle.json"` | ### Configuration example ``` -agent_address = "/tmp/agent.sock" +agent_address = "/tmp/spire-agent/public/api.sock" cmd = "ghostunnel" cmd_args = "server --listen localhost:8002 --target localhost:8001 --keystore certs/svid_key.pem --cacert certs/svid_bundle.pem --allow-uri-san spiffe://example.org/Database" cert_dir = "certs" diff --git a/examples/mysql/helper.conf b/examples/mysql/helper.conf index 24e408f4..892376f9 100644 --- a/examples/mysql/helper.conf +++ b/examples/mysql/helper.conf @@ -1,5 +1,5 @@ # SPIRE agent unix socket path -agent_address = "/tmp/agent.sock" +agent_address = "/tmp/spire-agent/public/api.sock" # mysql binary path cmd = "/usr/bin/mysql" diff --git a/examples/mysql/spire-agent.conf b/examples/mysql/spire-agent.conf index 483914d2..aee11d3c 100644 --- a/examples/mysql/spire-agent.conf +++ b/examples/mysql/spire-agent.conf @@ -3,7 +3,7 @@ agent { log_level = "DEBUG" server_address = "127.0.0.1" server_port = "8081" - socket_path ="/tmp/agent.sock" + socket_path ="/tmp/spire-agent/public/api.sock" trust_bundle_path = "./conf/agent/dummy_root_ca.crt" trust_domain = "example.org" } diff --git a/examples/postgresql/helper.conf b/examples/postgresql/helper.conf index eada3db4..85df11a4 100644 --- a/examples/postgresql/helper.conf +++ b/examples/postgresql/helper.conf @@ -19,7 +19,7 @@ # # SPIRE agent unix socket path -agent_address = "/tmp/agent.sock" +agent_address = "/tmp/spire-agent/public/api.sock" # psql binary path cmd = "/usr/bin/psql" diff --git a/examples/postgresql/spire-agent.conf b/examples/postgresql/spire-agent.conf index 483914d2..aee11d3c 100644 --- a/examples/postgresql/spire-agent.conf +++ b/examples/postgresql/spire-agent.conf @@ -3,7 +3,7 @@ agent { log_level = "DEBUG" server_address = "127.0.0.1" server_port = "8081" - socket_path ="/tmp/agent.sock" + socket_path ="/tmp/spire-agent/public/api.sock" trust_bundle_path = "./conf/agent/dummy_root_ca.crt" trust_domain = "example.org" } 
diff --git a/go.mod b/go.mod
index 2d941037..f2cf1b61 100644
--- a/go.mod
+++ b/go.mod
@@ -7,7 +7,7 @@ require (
 	github.com/spiffe/go-spiffe/v2 v2.1.6
 	github.com/stretchr/testify v1.8.4
 	golang.org/x/sys v0.15.0
-	google.golang.org/grpc v1.60.0
+	google.golang.org/grpc v1.60.1
 )
 
 require google.golang.org/genproto/googleapis/rpc v0.0.0-20231002182017-d307bd883b97 // indirect
diff --git a/go.sum b/go.sum
index 6eba6607..a9e718a1 100644
--- a/go.sum
+++ b/go.sum
@@ -56,8 +56,8 @@ golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20231002182017-d307bd883b97 h1:6GQBEOdGkX6MMTLT9V+TjtIRZCw9VPD5Z+yHY9wMgS0=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20231002182017-d307bd883b97/go.mod h1:v7nGkzlmW8P3n/bKmWBn2WpBjpOEx8Q6gMueudAmKfY=
-google.golang.org/grpc v1.60.0 h1:6FQAR0kM31P6MRdeluor2w2gPaS4SVNrD/DNTxrQ15k=
-google.golang.org/grpc v1.60.0/go.mod h1:OlCHIeLYqSSsLi6i49B5QGdzaMZK9+M7LXN2FKz4eGM=
+google.golang.org/grpc v1.60.1 h1:26+wFr+cNqSGFcOXcabYC0lUVJVRa2Sb2ortSK7VrEU=
+google.golang.org/grpc v1.60.1/go.mod h1:OlCHIeLYqSSsLi6i49B5QGdzaMZK9+M7LXN2FKz4eGM=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8=
diff --git a/helper.conf b/helper.conf
index 2a706de7..380c1fc5 100644
--- a/helper.conf
+++ b/helper.conf
@@ -1,4 +1,4 @@
-agent_address = "/tmp/agent.sock"
+agent_address = "/tmp/spire-agent/public/api.sock"
 cmd = ""
 cmd_args = ""
 cert_dir = "certs"
diff --git a/helper_envoy.conf b/helper_envoy.conf
index 735b6179..ae8eafd0 100644
--- a/helper_envoy.conf
+++ b/helper_envoy.conf
@@ -1,4 +1,4 @@
-agent_address = "/tmp/agent.sock"
+agent_address = "/tmp/spire-agent/public/api.sock"
 cmd = "hot-restarter.py"
 cmd_args = "start_envoy.sh"
 cert_dir = "certs"
diff --git a/helper_ghostunnel.conf b/helper_ghostunnel.conf
index 08cb0c63..70ffd5e7 100644
--- a/helper_ghostunnel.conf
+++ b/helper_ghostunnel.conf
@@ -1,4 +1,4 @@
-agent_address = "/tmp/agent.sock"
+agent_address = "/tmp/spire-agent/public/api.sock"
 cmd = "ghostunnel"
 cmd_args = "server --listen localhost:8002 --target localhost:8001 --keystore certs/svid_key.pem --cacert certs/svid_bundle.pem --allow-uri-san spiffe://example.org/Database"
 cert_dir = "certs"
diff --git a/pkg/sidecar/config.go b/pkg/sidecar/config.go
index e83c30bd..c6af3202 100644
--- a/pkg/sidecar/config.go
+++ b/pkg/sidecar/config.go
@@ -17,6 +17,7 @@ type Config struct {
 	CmdArgsDeprecated string `hcl:"cmdArgs"`
 	CertDir string `hcl:"cert_dir"`
 	CertDirDeprecated string `hcl:"certDir"`
+	ExitWhenReady bool `hcl:"exit_when_ready"`
 	// Merge intermediate certificates into Bundle file instead of SVID file,
 	// it is useful is some scenarios like MySQL,
 	// where this is the expected format for presented certificates and bundles
diff --git a/pkg/sidecar/config_test.go b/pkg/sidecar/config_test.go
index 36fad5b4..34e1580d 100644
--- a/pkg/sidecar/config_test.go
+++ b/pkg/sidecar/config_test.go
@@ -14,7 +14,7 @@ func TestParseConfig(t *testing.T) {
 
 	assert.NoError(t, err)
 
-	expectedAgentAddress := "/tmp/agent.sock"
+	expectedAgentAddress := "/tmp/spire-agent/public/api.sock"
 	expectedCmd := "hot-restarter.py"
 	expectedCmdArgs := "start_envoy.sh"
 	expectedCertDir := "certs"
diff --git a/pkg/sidecar/sidecar.go b/pkg/sidecar/sidecar.go
index a9a31a49..54d7b70f 100644
--- a/pkg/sidecar/sidecar.go
+++ b/pkg/sidecar/sidecar.go
@@ -144,6 +144,10 @@ func (s *Sidecar) updateCertificates(svidResponse *workloadapi.X509Context) {
 		}
 	}
 
+	if s.config.ExitWhenReady {
+		os.Exit(0)
+	}
+
 	select {
 	case s.certReadyChan <- struct{}{}:
 	default:
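Review bot: The new `ExitWhenReady` field in `Config` changes process lifetime rather than where a file goes, yet it carries no comment while the option documented right below it does; add `// Exit(0) once the X.509 SVID and bundle have been fetched and written, instead of staying resident to rotate them (see the exit_when_ready row in the README).` above it. TestParseConfig in config_test.go is touched in this commit for the socket path but still does not assert that `exit_when_ready = true` parses into the field, so the new HCL tag is untested; a one-line `expectedExitWhenReady := true` against the fixture would cover it. The `Config` struct starts and ends outside the hunk.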
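Review bot: `os.Exit(0)` inside updateCertificates terminates the process from within the Workload API update callback, so deferred cleanup further up the stack (closing the Workload API client, waiting on or signalling a launched `cmd`) is skipped and the `certReadyChan` send just below is never reached. It also returns status 0 regardless of whether the writes earlier in this function succeeded; that part is outside the hunk, but if a failed write only logs and falls through, a caller that treats exit 0 as "certificates are on disk" is misled. Prefer signalling readiness here (the existing `certReadyChan` send, or a dedicated channel the caller closes on) and let `Run` or `main` return and exit, so the normal shutdown path runs and a write failure can surface as a non-zero status. updateCertificates begins before the hunk.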
diff --git a/pkg/sidecar/sidecar_test.go b/pkg/sidecar/sidecar_test.go index fa9d43e9..cf4d382f 100644 --- a/pkg/sidecar/sidecar_test.go +++ b/pkg/sidecar/sidecar_test.go @@ -199,16 +199,16 @@ func TestDefaultAgentAddress(t *testing.T) { assert.Equal(t, spiffeSidecar.config.AgentAddress, "/tmp/spire-agent/public/api.sock") } func TestEnvAgentAddress(t *testing.T) { - os.Setenv("SPIRE_AGENT_ADDRESS", "/tmp/agent.sock") + os.Setenv("SPIRE_AGENT_ADDRESS", "/tmp/spire-agent/public/api.sock") log, _ := test.NewNullLogger() spiffeSidecar, err := New("../../test/sidecar/config/helper.conf", log) require.NoError(t, err) - assert.Equal(t, spiffeSidecar.config.AgentAddress, "/tmp/agent.sock") + assert.Equal(t, spiffeSidecar.config.AgentAddress, "/tmp/spire-agent/public/api.sock") } func TestAgentAddress(t *testing.T) { // This test is used to verify that we get the agent_address of the .conf file instead of the ENV value, if we have both - os.Setenv("SPIRE_AGENT_ADDRESS", "/tmp/agent.sock") + os.Setenv("SPIRE_AGENT_ADDRESS", "/tmp/spire-agent/public/api.sock") log, _ := test.NewNullLogger() spiffeSidecar, err := New("../../test/sidecar/configWithAddress/helper.conf", log) require.NoError(t, err) diff --git a/test/fixture/config/helper.conf b/test/fixture/config/helper.conf index 0ab57b78..87b1b567 100644 --- a/test/fixture/config/helper.conf +++ b/test/fixture/config/helper.conf @@ -1,4 +1,4 @@ -agent_address = "/tmp/agent.sock" +agent_address = "/tmp/spire-agent/public/api.sock" cmd = "hot-restarter.py" cmd_args = "start_envoy.sh" cert_dir = "certs"
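Review bot: TestEnvAgentAddress now sets `SPIRE_AGENT_ADDRESS` to `/tmp/spire-agent/public/api.sock`, which is exactly the value TestDefaultAgentAddress asserts as the built-in default, so its final `assert.Equal` passes whether or not the environment variable is read and the test no longer proves anything. Use a value that cannot coincide with the default, e.g. `os.Setenv("SPIRE_AGENT_ADDRESS", "/tmp/env-agent.sock")` with the matching expectation (constructed value); the same applies to TestAgentAddress, where a distinct env value is what shows the conf file winning. Both tests also set the variable without restoring it, so it leaks into later tests in the package; `t.Setenv` scopes it to the test (pre-existing, but cheap to fix while here). TestAgentAddress continues past the end of the hunk.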