From 7cae9ed47bcef188488a9fc492896db08bbe02cd Mon Sep 17 00:00:00 2001 From: Kevin Fox Date: Sun, 4 Feb 2024 14:47:55 -0800 Subject: [PATCH 01/10] Add support for enabling the spire-agent admin socket Signed-off-by: Kevin Fox --- charts/spire/charts/spire-agent/README.md | 3 +++ .../charts/spire-agent/templates/configmap.yaml | 3 +++ .../charts/spire-agent/templates/daemonset.yaml | 16 ++++++++++++++++ charts/spire/charts/spire-agent/values.yaml | 8 ++++++++ 4 files changed, 30 insertions(+) diff --git a/charts/spire/charts/spire-agent/README.md b/charts/spire/charts/spire-agent/README.md index b7ccf43e2..af1ffb2ad 100644 --- a/charts/spire/charts/spire-agent/README.md +++ b/charts/spire/charts/spire-agent/README.md @@ -102,3 +102,6 @@ A Helm chart to install the SPIRE agent. | `experimental.enabled` | Allow configuration of experimental features | `false` | | `experimental.syncInterval` | Sync interval with SPIRE server with exponential backoff | `5s` | | `experimental.featureFlags` | List of developer feature flags | `[]` | +| `adminSocket.enabled` | Enable the admin socket. Useful for admin tasks or the Delegated Identity API. | `false` | +| `adminSocket.expose` | Enable the admin socket to be visible on the host. | `false` | +| `adminSocket.hostPath` | Path on which the socket is made available when expose is true | `/run/spire/agent-sockets-private` | diff --git a/charts/spire/charts/spire-agent/templates/configmap.yaml b/charts/spire/charts/spire-agent/templates/configmap.yaml index 34a0d7e4d..4c21dff25 100644 --- a/charts/spire/charts/spire-agent/templates/configmap.yaml +++ b/charts/spire/charts/spire-agent/templates/configmap.yaml @@ -20,6 +20,9 @@ {{- end }} {{- define "spire-agent.yaml-config" -}} agent: + {{- .Values.adminSocket.enabled }} + admin_socket_dir: /tmp/spire-agent/private/admin.sock + {{- end }} data_dir: "/run/spire" log_level: {{ .Values.logLevel | quote }} server_address: {{ include "spire-agent.server-address" . | trim | quote }} 
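Review bot: The key written under `agent:` is `admin_socket_dir`, yet its value `/tmp/spire-agent/private/admin.sock` is a socket file rather than a directory; the SPIRE agent option I know for this is `admin_socket_path`, so please confirm the key against the agent's configuration reference, because a key the agent does not recognise leaves the admin API off while `adminSocket.enabled` reports it on (whether the agent warns or rejects unknown keys I cannot tell from here). The `{{- .Values.adminSocket.enabled }}` line above it is missing the `if` that PATCH 05 adds, so nothing further is needed for that. The key name itself is never revisited later in this series, so the question still applies to the final state.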
diff --git a/charts/spire/charts/spire-agent/templates/daemonset.yaml b/charts/spire/charts/spire-agent/templates/daemonset.yaml index 4d6c7c5bb..f44e3cfbe 100644 --- a/charts/spire/charts/spire-agent/templates/daemonset.yaml +++ b/charts/spire/charts/spire-agent/templates/daemonset.yaml @@ -99,6 +99,11 @@ spec: - name: spire-config mountPath: /run/spire/config readOnly: true + {{- if .Values.adminSocket.enabled }} + - name: spire-agent-admin-socket-dir + mountPath: /tmp/spire-agent/private + readOnly: false + {{- end }} {{- if eq (len .Values.trustBundleURL) 0 }} - name: spire-bundle mountPath: /run/spire/bundle @@ -139,6 +144,17 @@ spec: - name: spire-config configMap: name: {{ include "spire-agent.fullname" . }} + {{- if .Values.adminSocket.enabled }} + {{- if .Values.adminSocket.expose }} + - name: spire-agent-admin-socket-dir + hostPath: + hostPath: {{ .Values.adminSocket.hostPath }} + type: DirectoryOrCreate + {{- else }} + - name: spire-agent-admin-socket-dir + emptyDird: {} + {{- end }} + {{- end }} {{- if eq (len .Values.trustBundleURL) 0 }} - name: spire-bundle configMap: diff --git a/charts/spire/charts/spire-agent/values.yaml b/charts/spire/charts/spire-agent/values.yaml index 8bcb698b6..8340b4c13 100644 --- a/charts/spire/charts/spire-agent/values.yaml +++ b/charts/spire/charts/spire-agent/values.yaml @@ -257,3 +257,11 @@ experimental: syncInterval: 5s ## @param experimental.featureFlags [array] List of developer feature flags featureFlags: [] + +## @param adminSocket.enabled Enable the admin socket. Useful for admin tasks or the Delegated Identity API. +## @param adminSocket.expose Enable the admin socket to be visible on the host. +## @param adminSocket.hostPath Path on which the socket is made available when expose is true +adminSocket: + enabled: false + expose: false + hostPath: /run/spire/agent-sockets-private From d7c5e4ac64761f4f8d70d7714a7ac3dc46849423 Mon Sep 17 00:00:00 2001 
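Review bot: `hostPath: {{ .Values.adminSocket.hostPath }}` in the volumes hunk (`@@ -139,6 +144,17 @@`) renders an operator-supplied path unquoted, so an empty override becomes `null` and a path containing YAML-significant characters is mis-parsed instead of rejected; write `hostPath: {{ .Values.adminSocket.hostPath | quote }}`. `type: DirectoryOrCreate` also makes the kubelet create that directory on the host, and once the agent's admin socket lives there every host process that can reach the path can use the admin API (the values table names the Delegated Identity API), so a comment on this volume saying that `expose` is a trust-boundary decision rather than a convenience would help operators. The composed path introduced in PATCH 08 has the same quoting gap.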
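Review bot: The `@param adminSocket.expose` description says only that the socket becomes "visible on the host", which understates what the flag does given that the `adminSocket.enabled` line right above advertises the Delegated Identity API; I would extend it to `## @param adminSocket.expose Expose the admin socket on the host at adminSocket.hostPath. Any host process that can open it can call the admin API, including the Delegated Identity API, so restrict access to that path.` The README row in the first hunk of this patch is presumably generated from this comment and would then carry the same wording.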
From: Kevin Fox Date: Sun, 4 Feb 2024 14:49:55 -0800 Subject: [PATCH 02/10] Fix typo Signed-off-by: Kevin Fox --- charts/spire/charts/spire-agent/templates/daemonset.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/spire/charts/spire-agent/templates/daemonset.yaml b/charts/spire/charts/spire-agent/templates/daemonset.yaml index f44e3cfbe..9b5dfa6a0 100644 --- a/charts/spire/charts/spire-agent/templates/daemonset.yaml +++ b/charts/spire/charts/spire-agent/templates/daemonset.yaml @@ -152,7 +152,7 @@ spec: type: DirectoryOrCreate {{- else }} - name: spire-agent-admin-socket-dir - emptyDird: {} + emptyDir: {} {{- end }} {{- end }} {{- if eq (len .Values.trustBundleURL) 0 }} From c8c38a6fabd7a9d73ce7b84149087f2fd3e959bb Mon Sep 17 00:00:00 2001 From: Kevin Fox Date: Sun, 4 Feb 2024 14:52:08 -0800 Subject: [PATCH 03/10] Update permissions Signed-off-by: Kevin Fox --- charts/spire/charts/spire-agent/templates/daemonset.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/spire/charts/spire-agent/templates/daemonset.yaml b/charts/spire/charts/spire-agent/templates/daemonset.yaml index 9b5dfa6a0..8759fcf8f 100644 --- a/charts/spire/charts/spire-agent/templates/daemonset.yaml +++ b/charts/spire/charts/spire-agent/templates/daemonset.yaml @@ -56,7 +56,7 @@ spec: imagePullPolicy: {{ .Values.fsGroupFix.image.pullPolicy }} command: ["bash", "-c"] args: - - "chown -R {{ $podSecurityContext.runAsUser }}:{{ $podSecurityContext.fsGroup }} {{ include "spire-agent.socket-path" . | dir }}" + - "chown -R {{ $podSecurityContext.runAsUser }}:{{ $podSecurityContext.fsGroup }} {{ include "spire-agent.socket-path" . | dir }} /tmp/spire-agent/private/" resources: {{- toYaml .Values.fsGroupFix.resources | nindent 12 }} volumeMounts: From 041022471c3a42a71af59c23ecacf0127b39daf5 Mon Sep 17 00:00:00 2001 From: Kevin Fox Date: Sun, 4 Feb 2024 14:53:26 -0800 Subject: [PATCH 04/10] Update permissions 
Signed-off-by: Kevin Fox --- charts/spire/charts/spire-agent/templates/daemonset.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/charts/spire/charts/spire-agent/templates/daemonset.yaml b/charts/spire/charts/spire-agent/templates/daemonset.yaml index 8759fcf8f..1a0cfda52 100644 --- a/charts/spire/charts/spire-agent/templates/daemonset.yaml +++ b/charts/spire/charts/spire-agent/templates/daemonset.yaml @@ -56,12 +56,14 @@ spec: imagePullPolicy: {{ .Values.fsGroupFix.image.pullPolicy }} command: ["bash", "-c"] args: - - "chown -R {{ $podSecurityContext.runAsUser }}:{{ $podSecurityContext.fsGroup }} {{ include "spire-agent.socket-path" . | dir }} /tmp/spire-agent/private/" + - "chown -R {{ $podSecurityContext.runAsUser }}:{{ $podSecurityContext.fsGroup }} {{ include "spire-agent.socket-path" . | dir }} /tmp/spire-agent/private" resources: {{- toYaml .Values.fsGroupFix.resources | nindent 12 }} volumeMounts: - name: spire-agent-socket-dir mountPath: {{ include "spire-agent.socket-path" . | dir }} + - name: spire-agent-admin-socket-dir + mountPath: /tmp/spire-agent/private securityContext: runAsUser: 0 runAsGroup: 0 From db9f350e24d6bfbca516488c9002fd339c8c2995 Mon Sep 17 00:00:00 2001 From: Kevin Fox Date: Sun, 4 Feb 2024 15:08:20 -0800 Subject: [PATCH 05/10] Fix template Signed-off-by: Kevin Fox --- charts/spire/charts/spire-agent/templates/configmap.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/spire/charts/spire-agent/templates/configmap.yaml b/charts/spire/charts/spire-agent/templates/configmap.yaml index 4c21dff25..76eb40c71 100644 --- a/charts/spire/charts/spire-agent/templates/configmap.yaml +++ b/charts/spire/charts/spire-agent/templates/configmap.yaml @@ -20,7 +20,7 @@ {{- end }} {{- define "spire-agent.yaml-config" -}} agent: - {{- .Values.adminSocket.enabled }} + {{- if .Values.adminSocket.enabled }} admin_socket_dir: /tmp/spire-agent/private/admin.sock {{- end }} data_dir: "/run/spire" 
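Review bot: `chown -R … /tmp/spire-agent/private` now recurses into a directory that, when `adminSocket.expose` is true, is the operator-chosen host path mounted read-write into this root init container, so a shared or mistyped `hostPath` gets its entire tree re-owned on the host. Only the directory itself needs to belong to the agent user, since the agent creates the socket inside it, so the recursion can stay limited to the existing socket directory: `- "chown -R {{ $podSecurityContext.runAsUser }}:{{ $podSecurityContext.fsGroup }} {{ include "spire-agent.socket-path" . | dir }} && chown {{ $podSecurityContext.runAsUser }}:{{ $podSecurityContext.fsGroup }} /tmp/spire-agent/private"`. The init container definition begins and ends outside the hunk, so I cannot see whether it is itself gated on `adminSocket.enabled`.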
From 082db6193a9a5e8f3e267a9179040fb34d08d68a Mon Sep 17 00:00:00 2001 From: Kevin Fox Date: Sun, 4 Feb 2024 15:14:12 -0800 Subject: [PATCH 06/10] Update upstream agent too Signed-off-by: Kevin Fox --- charts/spire/README.md | 19 ++++++++++--------- charts/spire/values.yaml | 3 +++ 2 files changed, 13 insertions(+), 9 deletions(-) diff --git a/charts/spire/README.md b/charts/spire/README.md index 990951223..31181ef26 100644 --- a/charts/spire/README.md +++ b/charts/spire/README.md 
@@ -254,15 +254,16 @@ Now you can interact with the Spire agent socket from your own application. The ### Upstream Spire agent parameters -| Name | Description | Value | -| ------------------------------------------------ | -------------------------------------------------- | ---------------------------------------------------- | -| `upstream-spire-agent.upstream` | Flag for enabling upstream Spire agent | `true` | -| `upstream-spire-agent.nameOverride` | Name override for upstream Spire agent | `agent-upstream` | -| `upstream-spire-agent.bundleConfigMap` | The configmap name for upstream Spire agent bundle | `spire-bundle-upstream` | -| `upstream-spire-agent.socketPath` | Socket path where Spire agent socket is mounted | `/run/spire/agent-sockets-upstream/spire-agent.sock` | -| `upstream-spire-agent.serviceAccount.name` | Service account name for upstream Spire agent | `spire-agent-upstream` | -| `upstream-spire-agent.healthChecks.port` | Health check port number for upstream Spire agent | `9981` | -| `upstream-spire-agent.telemetry.prometheus.port` | The port where prometheus metrics are available | `9989` | +| Name | Description | Value | +| ------------------------------------------------ | -------------------------------------------------------------- | ---------------------------------------------------- | +| `upstream-spire-agent.upstream` | Flag for enabling upstream Spire agent | `true` | +| `upstream-spire-agent.nameOverride` | Name override for upstream Spire agent | `agent-upstream` | +| `upstream-spire-agent.bundleConfigMap` | The configmap name for upstream Spire agent bundle | `spire-bundle-upstream` | +| `upstream-spire-agent.socketPath` | Socket path where Spire agent socket is mounted | `/run/spire/agent-sockets-upstream/spire-agent.sock` | +| `upstream-spire-agent.serviceAccount.name` | Service account name for upstream Spire agent | `spire-agent-upstream` | +| `upstream-spire-agent.healthChecks.port` | Health check port number for upstream Spire 
agent | `9981` | +| `upstream-spire-agent.telemetry.prometheus.port` | The port where prometheus metrics are available | `9989` | +| `upstream-spire-agent.adminSocket.hostPath` | Path on which the socket is made available when expose is true | `/run/spire/agent-sockets-upstream-private` | ### SPIFFE CSI Driver parameters diff --git a/charts/spire/values.yaml b/charts/spire/values.yaml index 125588427..34ac9954e 100644 --- a/charts/spire/values.yaml +++ b/charts/spire/values.yaml @@ -137,6 +137,9 @@ upstream-spire-agent: prometheus: ## @param upstream-spire-agent.telemetry.prometheus.port The port where prometheus metrics are available port: 9989 + adminSocket: + ## @param upstream-spire-agent.adminSocket.hostPath Path on which the socket is made available when expose is true + hostPath: /run/spire/agent-sockets-upstream-private ## @section SPIFFE CSI Driver parameters ## Parameter values for spiffe-csi-driver From 6fd010d2fdd8d7a3980f980b7f742becaaf51124 Mon Sep 17 00:00:00 2001 From: Kevin Fox Date: Sun, 4 Feb 2024 15:31:30 -0800 Subject: [PATCH 07/10] Fix init issue Signed-off-by: Kevin Fox --- charts/spire/charts/spire-agent/templates/daemonset.yaml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/charts/spire/charts/spire-agent/templates/daemonset.yaml b/charts/spire/charts/spire-agent/templates/daemonset.yaml index 1a0cfda52..c4e7fde0c 100644 --- a/charts/spire/charts/spire-agent/templates/daemonset.yaml +++ b/charts/spire/charts/spire-agent/templates/daemonset.yaml 
@@ -146,16 +146,14 @@ spec: - name: spire-config configMap: name: {{ include "spire-agent.fullname" . }} - {{- if .Values.adminSocket.enabled }} - {{- if .Values.adminSocket.expose }} + {{- if .Values.adminSocket.expose }} - name: spire-agent-admin-socket-dir hostPath: hostPath: {{ .Values.adminSocket.hostPath }} type: DirectoryOrCreate - {{- else }} + {{- else }} - name: spire-agent-admin-socket-dir emptyDir: {} - {{- end }} {{- end }} {{- if eq (len .Values.trustBundleURL) 0 }} - name: spire-bundle From d6de06bec285bad6d49fd374e983d758655503e5 Mon Sep 17 00:00:00 2001 From: Kevin Fox Date: Mon, 5 Feb 2024 08:42:03 -0800 Subject: [PATCH 08/10] Refactor a bit to make things more automatic Signed-off-by: Kevin Fox --- charts/spire/README.md | 19 +++++++++---------- charts/spire/charts/spire-agent/README.md | 6 +++--- .../spire-agent/templates/configmap.yaml | 2 +- .../spire-agent/templates/daemonset.yaml | 6 +++--- charts/spire/charts/spire-agent/values.yaml | 15 ++++++++------- charts/spire/values.yaml | 3 --- 6 files changed, 24 insertions(+), 27 deletions(-) diff --git a/charts/spire/README.md b/charts/spire/README.md index 31181ef26..990951223 100644 --- a/charts/spire/README.md +++ b/charts/spire/README.md 
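Review bot: After this change `{{- if .Values.adminSocket.expose }}` alone selects the hostPath volume, so `expose: true` with `enabled: false` still has the kubelet create the host directory and mounts it read-write into the init container for the recursive chown, although no admin socket is configured and the values comment describes `hostPath` as used only when the socket is exposed. Making the volume unconditional is right since the init container mounts it, but the hostPath branch should require both flags: `{{- if and .Values.adminSocket.enabled .Values.adminSocket.expose }}`. The renamed conditions in PATCH 08 (`sockets.admin.expose`) and PATCH 09 (`sockets.admin.mountOnHost`) keep the same gap.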
@@ -254,16 +254,15 @@ Now you can interact with the Spire agent socket from your own application. The ### Upstream Spire agent parameters -| Name | Description | Value | -| ------------------------------------------------ | -------------------------------------------------------------- | ---------------------------------------------------- | -| `upstream-spire-agent.upstream` | Flag for enabling upstream Spire agent | `true` | -| `upstream-spire-agent.nameOverride` | Name override for upstream Spire agent | `agent-upstream` | -| `upstream-spire-agent.bundleConfigMap` | The configmap name for upstream Spire agent bundle | `spire-bundle-upstream` | -| `upstream-spire-agent.socketPath` | Socket path where Spire agent socket is mounted | `/run/spire/agent-sockets-upstream/spire-agent.sock` | -| `upstream-spire-agent.serviceAccount.name` | Service account name for upstream Spire agent | `spire-agent-upstream` | -| `upstream-spire-agent.healthChecks.port` | Health check port number for upstream Spire agent | `9981` | -| `upstream-spire-agent.telemetry.prometheus.port` | The port where prometheus metrics are available | `9989` | -| `upstream-spire-agent.adminSocket.hostPath` | Path on which the socket is made available when expose is true | `/run/spire/agent-sockets-upstream-private` | +| Name | Description | Value | +| ------------------------------------------------ | -------------------------------------------------- | ---------------------------------------------------- | +| `upstream-spire-agent.upstream` | Flag for enabling upstream Spire agent | `true` | +| `upstream-spire-agent.nameOverride` | Name override for upstream Spire agent | `agent-upstream` | +| `upstream-spire-agent.bundleConfigMap` | The configmap name for upstream Spire agent bundle | `spire-bundle-upstream` | +| `upstream-spire-agent.socketPath` | Socket path where Spire agent socket is mounted | `/run/spire/agent-sockets-upstream/spire-agent.sock` | +| `upstream-spire-agent.serviceAccount.name` | 
Service account name for upstream Spire agent | `spire-agent-upstream` | +| `upstream-spire-agent.healthChecks.port` | Health check port number for upstream Spire agent | `9981` | +| `upstream-spire-agent.telemetry.prometheus.port` | The port where prometheus metrics are available | `9989` | ### SPIFFE CSI Driver parameters diff --git a/charts/spire/charts/spire-agent/README.md b/charts/spire/charts/spire-agent/README.md index af1ffb2ad..61b662bd5 100644 --- a/charts/spire/charts/spire-agent/README.md +++ b/charts/spire/charts/spire-agent/README.md @@ -102,6 +102,6 @@ A Helm chart to install the SPIRE agent. | `experimental.enabled` | Allow configuration of experimental features | `false` | | `experimental.syncInterval` | Sync interval with SPIRE server with exponential backoff | `5s` | | `experimental.featureFlags` | List of developer feature flags | `[]` | -| `adminSocket.enabled` | Enable the admin socket. Useful for admin tasks or the Delegated Identity API. | `false` | -| `adminSocket.expose` | Enable the admin socket to be visible on the host. | `false` | -| `adminSocket.hostPath` | Path on which the socket is made available when expose is true | `/run/spire/agent-sockets-private` | +| `sockets.hostBasePath` | Path on which the agent socket is made available when admin.expose is true | `/run/spire/agent/sockets` | +| `sockets.admin.enabled` | Enable the admin socket. Useful for admin tasks or the Delegated Identity API. | `false` | +| `sockets.admin.expose` | Enable the admin socket to be visible on the host. | `false` | diff --git a/charts/spire/charts/spire-agent/templates/configmap.yaml b/charts/spire/charts/spire-agent/templates/configmap.yaml index 76eb40c71..6afe9ae66 100644 --- a/charts/spire/charts/spire-agent/templates/configmap.yaml +++ b/charts/spire/charts/spire-agent/templates/configmap.yaml 
@@ -20,7 +20,7 @@ {{- end }} {{- define "spire-agent.yaml-config" -}} agent: - {{- if .Values.adminSocket.enabled }} + {{- if .Values.sockets.admin.enabled }} admin_socket_dir: /tmp/spire-agent/private/admin.sock {{- end }} data_dir: "/run/spire" diff --git a/charts/spire/charts/spire-agent/templates/daemonset.yaml b/charts/spire/charts/spire-agent/templates/daemonset.yaml index c4e7fde0c..00d189b79 100644 --- a/charts/spire/charts/spire-agent/templates/daemonset.yaml +++ b/charts/spire/charts/spire-agent/templates/daemonset.yaml @@ -101,7 +101,7 @@ spec: - name: spire-config mountPath: /run/spire/config readOnly: true - {{- if .Values.adminSocket.enabled }} + {{- if .Values.sockets.admin.enabled }} - name: spire-agent-admin-socket-dir mountPath: /tmp/spire-agent/private readOnly: false @@ -146,10 +146,10 @@ spec: - name: spire-config configMap: name: {{ include "spire-agent.fullname" . }} - {{- if .Values.adminSocket.expose }} + {{- if .Values.sockets.admin.expose }} - name: spire-agent-admin-socket-dir hostPath: - hostPath: {{ .Values.adminSocket.hostPath }} + hostPath: {{ .Values.sockets.hostBasePath }}/{{ if .Values.upstream }}upstream.csi.spiffe.io{{ else }}csi.spiffe.io{{ end }}/admin type: DirectoryOrCreate {{- else }} - name: spire-agent-admin-socket-dir diff --git a/charts/spire/charts/spire-agent/values.yaml b/charts/spire/charts/spire-agent/values.yaml index 8340b4c13..d001acc46 100644 --- a/charts/spire/charts/spire-agent/values.yaml +++ b/charts/spire/charts/spire-agent/values.yaml 
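Review bot: The composed `hostPath:` in the `@@ -146,10 +146,10 @@` hunk joins `sockets.hostBasePath` to a literal `/`, so a base path given with a trailing slash yields `//` in the volume spec, and the whole value is still emitted unquoted. Normalising and quoting in one expression avoids both: `hostPath: "{{ .Values.sockets.hostBasePath | clean }}/{{ if .Values.upstream }}upstream.csi.spiffe.io{{ else }}csi.spiffe.io{{ end }}/admin"`. The `csi.spiffe.io` / `upstream.csi.spiffe.io` segment is hard-coded here while the driver name presumably lives in the spiffe-csi-driver subchart; if that name is configurable the two should share one source, which I cannot confirm from this hunk.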
@@ -258,10 +258,11 @@ experimental: ## @param experimental.featureFlags [array] List of developer feature flags featureFlags: [] -## @param adminSocket.enabled Enable the admin socket. Useful for admin tasks or the Delegated Identity API. -## @param adminSocket.expose Enable the admin socket to be visible on the host. -## @param adminSocket.hostPath Path on which the socket is made available when expose is true -adminSocket: - enabled: false - expose: false - hostPath: /run/spire/agent-sockets-private +sockets: + ## @param sockets.hostBasePath Path on which the agent socket is made available when admin.expose is true + hostBasePath: /run/spire/agent/sockets + ## @param sockets.admin.enabled Enable the admin socket. Useful for admin tasks or the Delegated Identity API. + ## @param sockets.admin.expose Enable the admin socket to be visible on the host. + admin: + enabled: false + expose: false diff --git a/charts/spire/values.yaml b/charts/spire/values.yaml index 34ac9954e..125588427 100644 --- a/charts/spire/values.yaml +++ b/charts/spire/values.yaml @@ -137,9 +137,6 @@ upstream-spire-agent: prometheus: ## @param upstream-spire-agent.telemetry.prometheus.port The port where prometheus metrics are available port: 9989 - adminSocket: - ## @param upstream-spire-agent.adminSocket.hostPath Path on which the socket is made available when expose is true - hostPath: /run/spire/agent-sockets-upstream-private ## @section SPIFFE CSI Driver parameters ## Parameter values for spiffe-csi-driver From caf103bdc8b2b53ecf9a3a5d72bedd066c1ab867 Mon Sep 17 00:00:00 2001 From: Kevin Fox Date: Mon, 5 Feb 2024 17:59:03 -0800 Subject: [PATCH 09/10] Incorperate feedback Signed-off-by: Kevin Fox --- charts/spire/charts/spire-agent/README.md | 2 +- charts/spire/charts/spire-agent/templates/daemonset.yaml | 2 +- charts/spire/charts/spire-agent/values.yaml | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) 
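Review bot: The `@param sockets.hostBasePath` description says the agent socket is made available at that path, but the daemonset template in this same patch mounts the admin socket directory at `<hostBasePath>/csi.spiffe.io/admin` (or `upstream.csi.spiffe.io` when `upstream` is set), so an operator reading values.yaml will look for the socket in the wrong place and may set host permissions on the wrong directory. I would state the derived path: `## @param sockets.hostBasePath Host directory under which the admin socket directory (<hostBasePath>/csi.spiffe.io/admin, or upstream.csi.spiffe.io/admin for the upstream agent) is created when sockets.admin.expose is true`. The same wording belongs in the README row of this patch and in the `mountOnHost` rewording in PATCH 10.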
diff --git a/charts/spire/charts/spire-agent/README.md b/charts/spire/charts/spire-agent/README.md index 2ae51b5c4..37dc4cf3b 100644 --- a/charts/spire/charts/spire-agent/README.md +++ b/charts/spire/charts/spire-agent/README.md @@ -111,4 +111,4 @@ A Helm chart to install the SPIRE agent. | `experimental.featureFlags` | List of developer feature flags | `[]` | | `sockets.hostBasePath` | Path on which the agent socket is made available when admin.expose is true | `/run/spire/agent/sockets` | | `sockets.admin.enabled` | Enable the admin socket. Useful for admin tasks or the Delegated Identity API. | `false` | -| `sockets.admin.expose` | Enable the admin socket to be visible on the host. | `false` | +| `sockets.admin.mountOnHost` | Enable the admin socket to be visible on the host. | `false` | diff --git a/charts/spire/charts/spire-agent/templates/daemonset.yaml b/charts/spire/charts/spire-agent/templates/daemonset.yaml index b46f5645c..6e6932296 100644 --- a/charts/spire/charts/spire-agent/templates/daemonset.yaml +++ b/charts/spire/charts/spire-agent/templates/daemonset.yaml @@ -177,7 +177,7 @@ spec: - name: spire-config configMap: name: {{ include "spire-agent.fullname" . }} - {{- if .Values.sockets.admin.expose }} + {{- if .Values.sockets.admin.mountOnHost }} - name: spire-agent-admin-socket-dir hostPath: hostPath: {{ .Values.sockets.hostBasePath }}/{{ if .Values.upstream }}upstream.csi.spiffe.io{{ else }}csi.spiffe.io{{ end }}/admin diff --git a/charts/spire/charts/spire-agent/values.yaml b/charts/spire/charts/spire-agent/values.yaml index 629af230c..91f507be8 100644 --- a/charts/spire/charts/spire-agent/values.yaml +++ b/charts/spire/charts/spire-agent/values.yaml 
@@ -286,7 +286,7 @@ sockets: ## @param sockets.hostBasePath Path on which the agent socket is made available when admin.expose is true hostBasePath: /run/spire/agent/sockets ## @param sockets.admin.enabled Enable the admin socket. Useful for admin tasks or the Delegated Identity API. - ## @param sockets.admin.expose Enable the admin socket to be visible on the host. + ## @param sockets.admin.mountOnHost Enable the admin socket to be visible on the host. admin: enabled: false - expose: false + mountOnHost: false From a63b44ef5de5eaf7f624fc49af337a5634dfe909 Mon Sep 17 00:00:00 2001 From: Kevin Fox Date: Fri, 9 Feb 2024 01:38:39 -0800 Subject: [PATCH 10/10] Incorperate feedback Signed-off-by: Kevin Fox --- charts/spire/charts/spire-agent/README.md | 2 +- charts/spire/charts/spire-agent/templates/configmap.yaml | 3 +++ charts/spire/charts/spire-agent/values.yaml | 2 +- 3 files changed, 5 insertions(+), 2 deletions(-) diff --git a/charts/spire/charts/spire-agent/README.md b/charts/spire/charts/spire-agent/README.md index 37dc4cf3b..37086ad3e 100644 --- a/charts/spire/charts/spire-agent/README.md +++ b/charts/spire/charts/spire-agent/README.md @@ -109,6 +109,6 @@ A Helm chart to install the SPIRE agent. | `experimental.enabled` | Allow configuration of experimental features | `false` | | `experimental.syncInterval` | Sync interval with SPIRE server with exponential backoff | `5s` | | `experimental.featureFlags` | List of developer feature flags | `[]` | -| `sockets.hostBasePath` | Path on which the agent socket is made available when admin.expose is true | `/run/spire/agent/sockets` | +| `sockets.hostBasePath` | Path on which the agent socket is made available when admin.mountOnHost is true | `/run/spire/agent/sockets` | | `sockets.admin.enabled` | Enable the admin socket. Useful for admin tasks or the Delegated Identity API. | `false` | | `sockets.admin.mountOnHost` | Enable the admin socket to be visible on the host. | `false` | 
diff --git a/charts/spire/charts/spire-agent/templates/configmap.yaml b/charts/spire/charts/spire-agent/templates/configmap.yaml index 256f0dc3f..96f47d305 100644 --- a/charts/spire/charts/spire-agent/templates/configmap.yaml +++ b/charts/spire/charts/spire-agent/templates/configmap.yaml @@ -18,6 +18,9 @@ {{- end }} {{- end }} {{- end }} +{{- if hasPrefix (.Values.socketPath | dir | clean) (.Values.sockets.hostBasePath | clean) }} +{{- fail "The sockets.hostBasePath can not be located under the socketPath direcotry" }} +{{- end }} {{- define "spire-agent.yaml-config" -}} agent: {{- if .Values.sockets.admin.enabled }} diff --git a/charts/spire/charts/spire-agent/values.yaml b/charts/spire/charts/spire-agent/values.yaml index 91f507be8..69d029228 100644 --- a/charts/spire/charts/spire-agent/values.yaml +++ b/charts/spire/charts/spire-agent/values.yaml @@ -283,7 +283,7 @@ experimental: featureFlags: [] sockets: - ## @param sockets.hostBasePath Path on which the agent socket is made available when admin.expose is true + ## @param sockets.hostBasePath Path on which the agent socket is made available when admin.mountOnHost is true hostBasePath: /run/spire/agent/sockets ## @param sockets.admin.enabled Enable the admin socket. Useful for admin tasks or the Delegated Identity API. ## @param sockets.admin.mountOnHost Enable the admin socket to be visible on the host.
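Review bot: `hasPrefix (.Values.socketPath | dir | clean) (.Values.sockets.hostBasePath | clean)` is a plain string-prefix test rather than a path-containment test, so a host base path that merely shares leading characters with the workload socket directory — the earlier default `/run/spire/agent-sockets-private` against a socket directory of `/run/spire/agent-sockets` is exactly this shape — is rejected, while the guard is presumably meant to keep the admin socket out of the directory the CSI driver hands to workloads. Comparing with a trailing separator on both sides makes it component-wise: `{{- if hasPrefix (printf "%s/" (.Values.socketPath | dir | clean)) (printf "%s/" (.Values.sockets.hostBasePath | clean)) }}`. The failure text also has a typo, `direcotry`, and reads better as `"sockets.hostBasePath cannot be located under the socketPath directory"`. The guard runs even when `sockets.admin.mountOnHost` is false; that is harmless with the defaults, but gating it on that flag would avoid failing renders for users who never expose the socket and happen to carry a custom `hostBasePath`.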