Add support for enabling the spire-agent admin socket (#234)

* Add support for enabling the spire-agent admin socket Signed-off-by: Kevin Fox <[email protected]> * Fix typo Signed-off-by: Kevin Fox <[email protected]> * Update permissions Signed-off-by: Kevin Fox <[email protected]> * Update permissions Signed-off-by: Kevin Fox <[email protected]> * Fix template Signed-off-by: Kevin Fox <[email protected]> * Update upstream agent too Signed-off-by: Kevin Fox <[email protected]> * Fix init issue Signed-off-by: Kevin Fox <[email protected]> * Refactor a bit to make things more automatic Signed-off-by: Kevin Fox <[email protected]> * Incorperate feedback Signed-off-by: Kevin Fox <[email protected]> * Incorperate feedback Signed-off-by: Kevin Fox <[email protected]> --------- Signed-off-by: Kevin Fox <[email protected]> Signed-off-by: kfox1111 <[email protected]>
spiffe · Feb 9, 2024 · a2e5a4e · a2e5a4e
1 parent febdcbf
commit a2e5a4e
Show file tree

Hide file tree

Showing 4 changed files with 35 additions and 1 deletion.
diff --git a/charts/spire/charts/spire-agent/README.md b/charts/spire/charts/spire-agent/README.md
@@ -109,3 +109,6 @@ A Helm chart to install the SPIRE agent.
 | `experimental.enabled`                            | Allow configuration of experimental features                                                                                                                                                      | `false`                                                                          |
 | `experimental.syncInterval`                       | Sync interval with SPIRE server with exponential backoff                                                                                                                                          | `5s`                                                                             |
 | `experimental.featureFlags`                       | List of developer feature flags                                                                                                                                                                   | `[]`                                                                             |
+| `sockets.hostBasePath`                            | Path on which the agent socket is made available when admin.mountOnHost is true                                                                                                                   | `/run/spire/agent/sockets`                                                       |
+| `sockets.admin.enabled`                           | Enable the admin socket. Useful for admin tasks or the Delegated Identity API.                                                                                                                    | `false`                                                                          |
+| `sockets.admin.mountOnHost`                       | Enable the admin socket to be visible on the host.                                                                                                                                                | `false`                                                                          |
diff --git a/charts/spire/charts/spire-agent/templates/configmap.yaml b/charts/spire/charts/spire-agent/templates/configmap.yaml
@@ -18,8 +18,14 @@
 {{-     end }}
 {{-   end }}
 {{- end }}
+{{- if hasPrefix (.Values.socketPath | dir | clean) (.Values.sockets.hostBasePath | clean) }}
+{{- fail "The sockets.hostBasePath can not be located under the socketPath direcotry" }}
+{{- end }}
 {{- define "spire-agent.yaml-config" -}}
 agent:
+  {{- if .Values.sockets.admin.enabled }}
+  admin_socket_dir: /tmp/spire-agent/private/admin.sock
+  {{- end }}
   data_dir: "/run/spire"
   log_level: {{ .Values.logLevel | quote }}
   server_address: {{ include "spire-agent.server-address" . | trim | quote }}

diff --git a/charts/spire/charts/spire-agent/templates/daemonset.yaml b/charts/spire/charts/spire-agent/templates/daemonset.yaml
@@ -83,12 +83,14 @@ spec:
           imagePullPolicy: {{ .Values.fsGroupFix.image.pullPolicy }}
           command: ["bash", "-c"]
           args:
-            - "chown -R {{ $podSecurityContext.runAsUser }}:{{ $podSecurityContext.fsGroup }} {{ $socketPath | dir }}"
+            - "chown -R {{ $podSecurityContext.runAsUser }}:{{ $podSecurityContext.fsGroup }} {{ $socketPath | dir }} /tmp/spire-agent/private"
           resources:
             {{- toYaml .Values.fsGroupFix.resources | nindent 12 }}
           volumeMounts:
             - name: spire-agent-socket-dir
               mountPath: {{ $socketPath | dir }}
+            - name: spire-agent-admin-socket-dir
+              mountPath: /tmp/spire-agent/private
           securityContext:
             runAsUser: 0
             runAsGroup: 0
@@ -126,6 +128,11 @@ spec:
             - name: spire-config
               mountPath: /opt/spire/conf/agent
               readOnly: true
+            {{- if .Values.sockets.admin.enabled }}
+            - name: spire-agent-admin-socket-dir
+              mountPath: /tmp/spire-agent/private
+              readOnly: false
+            {{- end }}
             {{- if eq (len .Values.trustBundleURL) 0 }}
             - name: spire-bundle
               mountPath: /run/spire/bundle
@@ -170,6 +177,15 @@ spec:
         - name: spire-config
           configMap:
             name: {{ include "spire-agent.fullname" . }}
+        {{- if .Values.sockets.admin.mountOnHost }}
+        - name: spire-agent-admin-socket-dir
+          hostPath:
+            hostPath: {{ .Values.sockets.hostBasePath }}/{{ if .Values.upstream }}upstream.csi.spiffe.io{{ else }}csi.spiffe.io{{ end }}/admin
+            type: DirectoryOrCreate
+        {{- else }}
+        - name: spire-agent-admin-socket-dir
+          emptyDir: {}
+        {{- end }}
         {{- if eq (len .Values.trustBundleURL) 0 }}
         - name: spire-bundle
           configMap:

diff --git a/charts/spire/charts/spire-agent/values.yaml b/charts/spire/charts/spire-agent/values.yaml
@@ -281,3 +281,12 @@ experimental:
   syncInterval: 5s
   ## @param experimental.featureFlags [array] List of developer feature flags
   featureFlags: []
+
+sockets:
+  ## @param sockets.hostBasePath Path on which the agent socket is made available when admin.mountOnHost is true
+  hostBasePath: /run/spire/agent/sockets
+  ## @param sockets.admin.enabled Enable the admin socket. Useful for admin tasks or the Delegated Identity API.
+  ## @param sockets.admin.mountOnHost Enable the admin socket to be visible on the host.
+  admin:
+    enabled: false
+    mountOnHost: false