Add support for enabling the spire-agent admin socket #234

Merged
merged 15 commits into from
Feb 9, 2024
3 changes: 3 additions & 0 deletions charts/spire/charts/spire-agent/README.md
@@ -102,3 +102,6 @@ A Helm chart to install the SPIRE agent.
| `experimental.enabled` | Allow configuration of experimental features | `false` |
| `experimental.syncInterval` | Sync interval with SPIRE server with exponential backoff | `5s` |
| `experimental.featureFlags` | List of developer feature flags | `[]` |
| `sockets.hostBasePath` | Path on which the agent socket is made available when admin.expose is true | `/run/spire/agent/sockets` |
| `sockets.admin.enabled` | Enable the admin socket. Useful for admin tasks or the Delegated Identity API. | `false` |
| `sockets.admin.expose` | Enable the admin socket to be visible on the host. | `false` |
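Review bot: the `sockets.hostBasePath` row says "the agent socket", but it is the admin socket that this option exposes, and the socket does not appear at `hostBasePath` itself: daemonset.yaml in this PR composes `<hostBasePath>/csi.spiffe.io/admin` (or `<hostBasePath>/upstream.csi.spiffe.io/admin`), so the row should name the full resulting host path. Since the same table says the admin socket serves the Delegated Identity API, the `sockets.admin.expose` description should also state that any process on the node able to open that host directory can use that API, and that the option is meant for a trusted node-level agent rather than general use.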
3 changes: 3 additions & 0 deletions charts/spire/charts/spire-agent/templates/configmap.yaml
@@ -20,6 +20,9 @@
{{- end }}
{{- define "spire-agent.yaml-config" -}}
agent:
{{- if .Values.sockets.admin.enabled }}
admin_socket_dir: /tmp/spire-agent/private/admin.sock
{{- end }}
data_dir: "/run/spire"
log_level: {{ .Values.logLevel | quote }}
server_address: {{ include "spire-agent.server-address" . | trim | quote }}
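Review bot: the new key is named `admin_socket_dir` (a directory) but its value `/tmp/spire-agent/private/admin.sock` is a socket file path; please check the option name against the agent's configuration reference (SPIRE documents this setting as `admin_socket_path`), because a misspelled key would be silently ignored and the socket never bound even with `sockets.admin.enabled: true`. The literal `/tmp/spire-agent/private` is also repeated in daemonset.yaml (init container args and both volumeMounts); a named template next to the existing `spire-agent.socket-path` helper would keep the config value and the mount paths from drifting apart.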
18 changes: 17 additions & 1 deletion charts/spire/charts/spire-agent/templates/daemonset.yaml
@@ -56,12 +56,14 @@ spec:
imagePullPolicy: {{ .Values.fsGroupFix.image.pullPolicy }}
command: ["bash", "-c"]
args:
- "chown -R {{ $podSecurityContext.runAsUser }}:{{ $podSecurityContext.fsGroup }} {{ include "spire-agent.socket-path" . | dir }}"
- "chown -R {{ $podSecurityContext.runAsUser }}:{{ $podSecurityContext.fsGroup }} {{ include "spire-agent.socket-path" . | dir }} /tmp/spire-agent/private"
resources:
{{- toYaml .Values.fsGroupFix.resources | nindent 12 }}
volumeMounts:
- name: spire-agent-socket-dir
mountPath: {{ include "spire-agent.socket-path" . | dir }}
- name: spire-agent-admin-socket-dir
mountPath: /tmp/spire-agent/private
securityContext:
runAsUser: 0
runAsGroup: 0
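Review bot: the `chown -R ... /tmp/spire-agent/private` and the `spire-agent-admin-socket-dir` mount in the fsGroupFix init container are unconditional, while the main container only mounts that directory when `sockets.admin.enabled` is true; wrap both in `{{- if .Values.sockets.admin.enabled }}` so a disabled feature leaves no extra mount or recursive chown behind. This matters most with `sockets.admin.expose`, where the directory is a hostPath and the recursive chown as root runs against the node's filesystem.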
@@ -99,6 +101,11 @@ spec:
- name: spire-config
mountPath: /run/spire/config
readOnly: true
{{- if .Values.sockets.admin.enabled }}
- name: spire-agent-admin-socket-dir
mountPath: /tmp/spire-agent/private
readOnly: false
{{- end }}
{{- if eq (len .Values.trustBundleURL) 0 }}
- name: spire-bundle
mountPath: /run/spire/bundle
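Review bot: `readOnly: false` is the default for a volumeMount and the neighbouring mounts omit it; drop the line for consistency. The gate on `sockets.admin.enabled` is right, but the `mountPath` must stay identical to the directory part of `admin_socket_dir` in configmap.yaml, which is currently guaranteed only by two hand-copied literals; a shared helper template would make that a single definition.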
@@ -139,6 +146,15 @@ spec:
- name: spire-config
configMap:
name: {{ include "spire-agent.fullname" . }}
{{- if .Values.sockets.admin.expose }}
- name: spire-agent-admin-socket-dir
hostPath:
hostPath: {{ .Values.sockets.hostBasePath }}/{{ if .Values.upstream }}upstream.csi.spiffe.io{{ else }}csi.spiffe.io{{ end }}/admin
type: DirectoryOrCreate
{{- else }}
- name: spire-agent-admin-socket-dir
emptyDir: {}
{{- end }}
{{- if eq (len .Values.trustBundleURL) 0 }}
- name: spire-bundle
configMap:
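Review bot: the `hostPath` volume is selected by `sockets.admin.expose` alone, so `expose: true` with `enabled: false` still creates `<hostBasePath>/csi.spiffe.io/admin` on every node via `DirectoryOrCreate` (and the init container chowns it) while no socket is ever bound there; use `{{- if and .Values.sockets.admin.enabled .Values.sockets.admin.expose }}` so the host directory only exists when the admin socket does. The README should also document this exact host path, since `hostBasePath` is only its prefix, and note who is expected to have access to it.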
9 changes: 9 additions & 0 deletions charts/spire/charts/spire-agent/values.yaml
@@ -257,3 +257,12 @@ experimental:
syncInterval: 5s
## @param experimental.featureFlags [array] List of developer feature flags
featureFlags: []

sockets:
## @param sockets.hostBasePath Path on which the agent socket is made available when admin.expose is true
hostBasePath: /run/spire/agent/sockets
## @param sockets.admin.enabled Enable the admin socket. Useful for admin tasks or the Delegated Identity API.
## @param sockets.admin.expose Enable the admin socket to be visible on the host.
admin:
enabled: false
expose: false
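Review bot: the `## @param` annotations for `sockets.admin.enabled` and `sockets.admin.expose` sit above the `admin:` map instead of directly above each key, unlike `experimental.syncInterval` and `experimental.featureFlags` where each annotation immediately precedes its value; move them next to `enabled:` and `expose:` so the README generator and readers pair them correctly. In the `sockets.hostBasePath` description, change "the agent socket" to "the admin socket" and state that the chart appends `<csi driver name>/admin` to this base path, because `hostBasePath` on its own is not where the socket appears.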