diff --git a/charts/spire/charts/spire-agent/README.md b/charts/spire/charts/spire-agent/README.md
index c059bcfe0..37086ad3e 100644
--- a/charts/spire/charts/spire-agent/README.md
+++ b/charts/spire/charts/spire-agent/README.md
@@ -109,3 +109,6 @@ A Helm chart to install the SPIRE agent.
 | `experimental.enabled` | Allow configuration of experimental features | `false` |
 | `experimental.syncInterval` | Sync interval with SPIRE server with exponential backoff | `5s` |
 | `experimental.featureFlags` | List of developer feature flags | `[]` |
+| `sockets.hostBasePath` | Path on which the agent socket is made available when admin.mountOnHost is true | `/run/spire/agent/sockets` |
+| `sockets.admin.enabled` | Enable the admin socket. Useful for admin tasks or the Delegated Identity API. | `false` |
+| `sockets.admin.mountOnHost` | Enable the admin socket to be visible on the host. | `false` |
diff --git a/charts/spire/charts/spire-agent/templates/configmap.yaml b/charts/spire/charts/spire-agent/templates/configmap.yaml
index 1270be668..96f47d305 100644
--- a/charts/spire/charts/spire-agent/templates/configmap.yaml
+++ b/charts/spire/charts/spire-agent/templates/configmap.yaml
@@ -18,8 +18,14 @@
 {{- end }}
 {{- end }}
 {{- end }}
+{{- if hasPrefix (.Values.socketPath | dir | clean) (.Values.sockets.hostBasePath | clean) }}
+{{- fail "The sockets.hostBasePath can not be located under the socketPath direcotry" }}
+{{- end }}
 {{- define "spire-agent.yaml-config" -}}
 agent:
+ {{- if .Values.sockets.admin.enabled }}
+ admin_socket_dir: /tmp/spire-agent/private/admin.sock
+ {{- end }}
 data_dir: "/run/spire"
 log_level: {{ .Values.logLevel | quote }}
 server_address: {{ include "spire-agent.server-address" . | trim | quote }}
diff --git a/charts/spire/charts/spire-agent/templates/daemonset.yaml b/charts/spire/charts/spire-agent/templates/daemonset.yaml
index e0ebc3c9b..2b8d900f2 100644
--- a/charts/spire/charts/spire-agent/templates/daemonset.yaml
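Review bot: The key added under `agent:` is `admin_socket_dir`, yet its value `/tmp/spire-agent/private/admin.sock` is a socket file path rather than a directory, and daemonset.yaml mounts `/tmp/spire-agent/private` as the directory holding it, so key name and value disagree. The SPIRE agent option I know of for this setting is `admin_socket_path`; please confirm the key against the agent configuration reference, because an unrecognized key would leave the admin socket silently unconfigured while the chart still mounts (and, with mountOnHost, creates on every node) the directory meant for it. The `fail` message three lines earlier has typos and should read `The sockets.hostBasePath cannot be located under the socketPath directory`. The `hasPrefix` guard compares plain strings, so a hostBasePath such as `/run/spire/agent-sockets` is also rejected when socketPath's directory is `/run/spire/agent`; comparing against the prefix with a trailing `/` appended (or equality) would make the check exact.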
+++ b/charts/spire/charts/spire-agent/templates/daemonset.yaml
@@ -83,12 +83,14 @@ spec:
 imagePullPolicy: {{ .Values.fsGroupFix.image.pullPolicy }}
 command: ["bash", "-c"]
 args:
- - "chown -R {{ $podSecurityContext.runAsUser }}:{{ $podSecurityContext.fsGroup }} {{ $socketPath | dir }}"
+ - "chown -R {{ $podSecurityContext.runAsUser }}:{{ $podSecurityContext.fsGroup }} {{ $socketPath | dir }} /tmp/spire-agent/private"
 resources:
 {{- toYaml .Values.fsGroupFix.resources | nindent 12 }}
 volumeMounts:
 - name: spire-agent-socket-dir
 mountPath: {{ $socketPath | dir }}
+ - name: spire-agent-admin-socket-dir
+ mountPath: /tmp/spire-agent/private
 securityContext:
 runAsUser: 0
 runAsGroup: 0
@@ -126,6 +128,11 @@ spec:
 - name: spire-config
 mountPath: /opt/spire/conf/agent
 readOnly: true
+ {{- if .Values.sockets.admin.enabled }}
+ - name: spire-agent-admin-socket-dir
+ mountPath: /tmp/spire-agent/private
+ readOnly: false
+ {{- end }}
 {{- if eq (len .Values.trustBundleURL) 0 }}
 - name: spire-bundle
 mountPath: /run/spire/bundle
@@ -170,6 +177,15 @@ spec:
 - name: spire-config
 configMap:
 name: {{ include "spire-agent.fullname" . }}
+ {{- if .Values.sockets.admin.mountOnHost }}
+ - name: spire-agent-admin-socket-dir
+ hostPath:
+ hostPath: {{ .Values.sockets.hostBasePath }}/{{ if .Values.upstream }}upstream.csi.spiffe.io{{ else }}csi.spiffe.io{{ end }}/admin
+ type: DirectoryOrCreate
+ {{- else }}
+ - name: spire-agent-admin-socket-dir
+ emptyDir: {}
+ {{- end }}
 {{- if eq (len .Values.trustBundleURL) 0 }}
 - name: spire-bundle
 configMap:
diff --git a/charts/spire/charts/spire-agent/values.yaml b/charts/spire/charts/spire-agent/values.yaml
index b2be1533b..69d029228 100644
--- a/charts/spire/charts/spire-agent/values.yaml
+++ b/charts/spire/charts/spire-agent/values.yaml
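Review bot: The fsGroupFix init container now mounts `spire-agent-admin-socket-dir` and runs `chown -R` over `/tmp/spire-agent/private` as root unconditionally, while the agent container mounts that directory only under `{{- if .Values.sockets.admin.enabled }}` (second hunk of this file). With `sockets.admin.mountOnHost: true` and `sockets.admin.enabled: false` the chart therefore still creates the host directory on every node and recursively reowns it for a socket that is never created, and the recursive chown targets an operator-supplied host path whose only validation is the socketPath-prefix guard in configmap.yaml. Gate the extra chown argument and the init-container mount on `.Values.sockets.admin.enabled` as well, so nothing is touched on the node unless the feature is in use; the enclosing init container starts before this hunk.
```yaml
        args:
          - "chown -R {{ $podSecurityContext.runAsUser }}:{{ $podSecurityContext.fsGroup }} {{ $socketPath | dir }}{{ if .Values.sockets.admin.enabled }} /tmp/spire-agent/private{{ end }}"
        # … unchanged: resources …
        volumeMounts:
          - name: spire-agent-socket-dir
            mountPath: {{ $socketPath | dir }}
          {{- if .Values.sockets.admin.enabled }}
          - name: spire-agent-admin-socket-dir
            mountPath: /tmp/spire-agent/private
          {{- end }}
```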
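Review bot: The hostPath volume in the third hunk is malformed: under `hostPath:` the nested key is `hostPath:` again, but the field of a Kubernetes HostPathVolumeSource that carries the location is `path`, so this renders a volume without a path and the API server rejects it (or, with unknown fields pruned, the mount has no host location). Change the inner line to `path: "{{ .Values.sockets.hostBasePath }}/{{ if .Values.upstream }}upstream.csi.spiffe.io{{ else }}csi.spiffe.io{{ end }}/admin"`, quoting the templated value so a base path containing `: ` or ` #` cannot alter the YAML structure. Since `DirectoryOrCreate` together with the root `chown -R` in the init container writes to the node filesystem under an operator-supplied path, the values.yaml description of `mountOnHost` should say that whoever can reach that directory on the host reaches the admin socket, and that its ownership and mode must be restricted accordingly.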
@@ -281,3 +281,12 @@ experimental:
 syncInterval: 5s
 ## @param experimental.featureFlags [array] List of developer feature flags
 featureFlags: []
+
+sockets:
+ ## @param sockets.hostBasePath Path on which the agent socket is made available when admin.mountOnHost is true
+ hostBasePath: /run/spire/agent/sockets
+ ## @param sockets.admin.enabled Enable the admin socket. Useful for admin tasks or the Delegated Identity API.
+ ## @param sockets.admin.mountOnHost Enable the admin socket to be visible on the host.
+ admin:
+ enabled: false
+ mountOnHost: false
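Review bot: The `## @param` lines for `sockets.admin.enabled` and `sockets.admin.mountOnHost` are placed together above `admin:` instead of directly above each key, which breaks the convention visible in the context lines (`## @param experimental.featureFlags` sits immediately above `featureFlags:`); move each comment onto the line above its own key. The `hostBasePath` description speaks of "the agent socket", but daemonset.yaml only uses this value to build the admin socket's host directory (`<hostBasePath>/csi.spiffe.io/admin` or the `upstream.` variant), so `## @param sockets.hostBasePath Host directory under which the admin socket directory is created when sockets.admin.mountOnHost is true` describes what it actually does. The `mountOnHost` description should also state the consequence: the admin socket, which the README presents as the entry point for admin tasks and the Delegated Identity API, becomes reachable by any host process that can access that directory, so the directory's ownership and permissions on the node must be restricted.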