Document pid_file_name and explain some other flags #243
Conversation
ringerc
force-pushed
the
spiffe-helper-readme-updates
branch
from
0eb0365 to
a4c3498
Compare
|
@ringerc thanks for looking in to the docs. |
|
@faisal-memon @keeganwitt Rebased and suggested changes made. I also corrected a mistake where I incorrectly suggested that the |
ringerc
force-pushed
the
spiffe-helper-readme-updates
branch
from
a4c3498 to
e1a06d0
Compare
Per spiffe#243 (comment) the -exitWhenReady flag and corresponding ExitWhenReady option were never in a released version. So this obsolete, now-unused field can be deleted without backwards compatibility impact. The separate PR spiffe#243 updates the docs to remove reference to the CLI argument -exitWhenReady.
Per spiffe#243 (comment) the -exitWhenReady flag and corresponding ExitWhenReady option were never in a released version. So this obsolete, now-unused field can be deleted without backwards compatibility impact. Remove the reference from the README too. Signed-off-by: Craig Ringer <[email protected]>
ringerc
force-pushed
the
spiffe-helper-readme-updates
branch
from
e1a06d0 to
365c714
Compare
|
@faisal-memon @keeganwitt I've revised this a bit more based on what I've learned working on the codebase in the last couple of days. I moved it to subheads rather than bullet points and tried to structure it into groups based on the different ways of using You can view the rendered version here or the marked-up diff here. |
ringerc
force-pushed
the
spiffe-helper-readme-updates
branch
from
365c714 to
bf6dd1c
Compare
README.md
Outdated
| are NOT respected for argument quoting, so `cmd` = `touch` and `cmd_args` = | ||
| `'some file'` will create two files named `'some` and `file'` (including the quotes | ||
| in the file name), not a single file named `some file`. |
There was a problem hiding this comment.
Is there anyway to support escaping the quotes?
There was a problem hiding this comment.
I'm not following what you mean by escape here. You're talking about single quotes? Or double quotes?
There was a problem hiding this comment.
The problem is that spiffe-helper uses a csv parser with the delimiter set to " " (space) to process its command-line args and split them to an argument vector.
This is the test case I wrote that this README text was based on: https://github.com/ringerc/spiffe-helper-PRs/blob/31a134b2438ea865739673779c23c99beb410815/pkg/sidecar/sidecar_test.go#L116-L131 . The arguments there would be correct as a shell argument string, but is not handled correctly by spiffe-helper because spiffe-helper only supports double-quoted arguments.
To confirm my understanding of its parser behaviour I've banged out some test cases here #256 - see in particular #256 (review) for this case. This also showed that double quotes are escaped by pairing them, not backslash-escaping them.
Using a csv parser produces surprising and confusing results, as the semantics of csv are not the same as the semantics of a command line argument string, particularly when nesting double quotes within single quotes (which in the shell's parser, protects the double quotes) and when escaping double quotes.
This could result in surprising and even dangerous behaviour, hence the documentation for it. I don't recommend trying to change or fix the parser as getting it right is too hard, and "right" depends on the OS anyway. It's much better to use an argument vector (array) instead and deprecate the string-based cmd_args.
I implemented an argument-vector replacement in my working tree but I haven't had time to extract it into a separate PR, and I'd rather wait until some of the current ones are merged so it doesn't get too hard to keep track of things and rebase.
So I documented the current behaviour in the meantime. Would it be clearer if I split this into whole hcl lines?
There was a problem hiding this comment.
Revised the explanation to hopefully make it clearer at the expense of making it longer: a558254
Please resolve if satisfied
|
Thanks @ringerc this looks great. Just some minor comments and its ready to go. |
Per #243 (comment) the -exitWhenReady flag and corresponding ExitWhenReady option were never in a released version. So this obsolete, now-unused field can be deleted without backwards compatibility impact. Remove the reference from the README too. Signed-off-by: Craig Ringer <[email protected]> Co-authored-by: Faisal Memon <[email protected]>
ringerc
force-pushed
the
spiffe-helper-readme-updates
branch
2 times, most recently
from
8ad2d6b to
7517efa
Compare
ringerc
force-pushed
the
spiffe-helper-readme-updates
branch
2 times, most recently
from
312ce82 to
a558254
Compare
Update the README to: * Explain the different modes spiffe-helper can be used in and how they relate to the configuration settings. * Document the previously undocumented pid_file_name config option * Document that spiffe-helper restarts 'cmd' when it next rotates certificates if it's not running * Document that spiffe-helper does NOT restart 'cmd' until the next cert rotation if it exits. * Add explanation of how cmd and cmd_args is interpreted * Warn about surprises in cmd_args parsing with single quotes * Warn that stdin is not forwarded, and the exit code of the child process is not forwarded on exit, so spiffe-helper cannot be used as a pass-through wrapper for another command * Explicitly note that `cmd_args` is not subject to shell metacharacter expansion Signed-off-by: Craig Ringer <[email protected]>
Signed-off-by: Craig Ringer <[email protected]>
ringerc
force-pushed
the
spiffe-helper-readme-updates
branch
from
a558254 to
da30c07
Compare
Signed-off-by: Craig Ringer <[email protected]>
Update the README to:
spiffe-helpercan be used and why each one might be usefulcmdis re-launched only when the cert is rotateddaemon_mode=falseworks and that it ignorescmd,pid_file_nameandrenew_signal