spiffe / spiffe-helper

The SPIFFE Helper is a tool that can be used to retrieve and manage SVIDs on behalf of a workload
Apache License 2.0

Add an option to exit on success #116

Closed kfox1111 closed 8 months ago

kfox1111 commented 8 months ago

This PR allows the spiffe-helper to exit 0 after certificates have been retrieved. This can be used in conjunction with Kubernetes initContainers to ensure certificates are retrieved before running the spiffe-helper as a sidecar container.

Partially implements: https://github.com/spiffe/spiffe-helper/issues/115
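The initContainer pattern the PR description refers to, written out as an added illustration (this is not a manifest from the spiffe-helper project or from the PR). The Pod runs spiffe-helper twice: once as an initContainer that exits 0 as soon as the first SVID is on disk, so the application container never starts without certificates, and once as a long-lived sidecar that keeps rotating them. Assumptions, not taken from the page: the option name `exit_when_ready` is what I take this PR to add (check the merged helper.conf reference if it differs), the image tag is a placeholder, and the socket and certificate paths are constructed for the example.

```yaml
# Added example, not from the spiffe-helper repository or from PR #116.
# Assumptions: option name `exit_when_ready`, placeholder image tag, constructed paths.
apiVersion: v1
kind: Pod
metadata:
  name: app-with-spiffe-helper
spec:
  initContainers:
    # Fetches the first SVID and exits 0; the Pod blocks here until certs exist.
    - name: spiffe-helper-init
      image: ghcr.io/spiffe/spiffe-helper:PLACEHOLDER_TAG
      args: ["-config", "/etc/spiffe-helper/init.conf"]
      volumeMounts:
        - { name: spire-agent-socket, mountPath: /run/spire/sockets, readOnly: true }
        - { name: certs, mountPath: /run/certs }
        - { name: helper-config, mountPath: /etc/spiffe-helper, readOnly: true }
  containers:
    # Same binary, same cert_dir, but without exit_when_ready: rotates SVIDs for the Pod's lifetime.
    - name: spiffe-helper
      image: ghcr.io/spiffe/spiffe-helper:PLACEHOLDER_TAG
      args: ["-config", "/etc/spiffe-helper/sidecar.conf"]
      volumeMounts:
        - { name: spire-agent-socket, mountPath: /run/spire/sockets, readOnly: true }
        - { name: certs, mountPath: /run/certs }
        - { name: helper-config, mountPath: /etc/spiffe-helper, readOnly: true }
    # The workload only needs read access to the certificate directory.
    - name: app
      image: PLACEHOLDER_APP_IMAGE
      volumeMounts:
        - { name: certs, mountPath: /run/certs, readOnly: true }
  volumes:
    # Workload API socket exposed by the SPIRE agent on the node.
    - name: spire-agent-socket
      hostPath: { path: /run/spire/sockets, type: Directory }
    # In-memory volume so the private key never touches node disk.
    - name: certs
      emptyDir: { medium: Memory }
    - name: helper-config
      configMap: { name: spiffe-helper-config }
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: spiffe-helper-config
data:
  # Init variant: identical to the sidecar config plus the exit-on-success switch.
  init.conf: |
    agent_address = "/run/spire/sockets/agent.sock"
    cert_dir = "/run/certs"
    svid_file_name = "svid.pem"
    svid_key_file_name = "svid_key.pem"
    svid_bundle_file_name = "svid_bundle.pem"
    exit_when_ready = true
  # Sidecar variant: runs until the Pod terminates, rewriting the files on each rotation.
  sidecar.conf: |
    agent_address = "/run/spire/sockets/agent.sock"
    cert_dir = "/run/certs"
    svid_file_name = "svid.pem"
    svid_key_file_name = "svid_key.pem"
    svid_bundle_file_name = "svid_bundle.pem"
```

Two design points worth keeping: the init and sidecar containers share one `cert_dir` so the application sees a single, stable set of file paths, and the certificate volume is a memory-backed emptyDir mounted read-only into the workload, which keeps the SVID private key off the node's disk and out of reach of the application's write path.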

faisal-memon commented 8 months ago

Hi @kfox1111 Thanks for the submission. This covers the x509 case. Should the jwt path also have the exit on success?

kfox1111 commented 8 months ago

> Hi @kfox1111 Thanks for the submission. This covers the x509 case. Should the jwt path also have the exit on success?

Oh, that would be useful too, yeah. I'll see if I can find the other path and update it.

kfox1111 commented 8 months ago

Actually, I'm confused by how the jwt stuff is working...

I only see one exec.Command used:

$ grep -r exec.Command
pkg/sidecar/sidecar.go:         cmd := exec.Command(s.config.Cmd, cmdArgs...) // #nosec

In the signalProcess method, which seems to only ever be called in the method:

func (s *Sidecar) updateCertificates(svidResponse *workloadapi.X509Context) {

Does the jwt support not support cmds/signals?

keeganwitt commented 8 months ago

Maybe we should have separate exit configs (one for JWT and one for X509) for now?

keeganwitt commented 8 months ago

> Maybe we should have separate exit configs (one for JWT and one for X509) for now?

It was decided in discussions not to hold this MR up for this and to handle it separately. Created #121 for this.

keeganwitt commented 8 months ago

The README never got updated for this feature.