spiffe / spiffe-helper

The SPIFFE Helper is a tool that can be used to retrieve and manage SVIDs on behalf of a workload
Apache License 2.0

Job mode #40

Closed kfox1111 closed 8 months ago

kfox1111 commented 1 year ago

Feature request.

A flag should be added to switch the run mode to behave more like jobs. Instead of a long running process that gets signaled on updates, run the command to completion, and on updates, run the command again.

SuperCoolAlan commented 1 year ago

+1

I'd like to use an option to update the SVID then exit from a job so that Kubernetes doesn't report the pod state as "NotReady" indefinitely.

kfox1111 commented 8 months ago

Use case example.

Say you want to use spiffe-helper to generate a certificate/key and then upload it to Kubernetes for use as a normal TLS secret. That can be useful for things such as configuring an existing Ingress Controller such as ingress-nginx.

Currently, that would require that you write a bash script or program that spiffe-helper runs. The script would need to handle calling kubectl in the case where it's just started, as well as wait around for signals and trap those and respond by running kubectl in that case as well. A pretty complicated script.

Instead, I'd like a configuration somewhat similar to:

job_mode = true
cmd = "/bin/sh"
cmd_args = ["-c", "kubectl create secret tls mysecret -n myns --key=/certs/tls.key --cert=/certs/tls.crt --dry-run=client -o yaml | kubectl apply -f -"]
cert_dir = "/certs"
svid_file_name = "tls.crt"
svid_key_file_name = "tls.key"

Rather than a long-running script, in this mode, every time the cert/key is updated it would translate into an exec call like:

kubectl create secret tls mysecret -n myns --key=/certs/tls.key --cert=/certs/tls.crt --dry-run=client -o yaml | kubectl apply -f -
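What the wrapper described in this comment would have to do today, as an added example that is neither spiffe-helper's own code nor the configuration proposed above: a POSIX sh script run as spiffe-helper's cmd, which applies the TLS secret once at start-up and then re-applies it, running to completion each time, whenever it receives the renewal signal (SIGHUP is assumed here; spiffe-helper's renew_signal setting controls which signal is sent). It builds the kubernetes.io/tls manifest itself rather than shelling out to kubectl create --dry-run=client, so the apply step can be exercised without a cluster by pointing KUBECTL at a stub. The environment variable names, the manifest builder and the "run" argument guard are assumptions of this example.

```shell
#!/bin/sh
# Added example, not spiffe-helper code: a "job mode" wrapper that spiffe-helper
# runs as its cmd. spiffe-helper writes svid_file_name / svid_key_file_name
# into cert_dir and (assumed here) sends SIGHUP to this process on each
# rotation; every signal re-runs the kubectl step to completion.

CERT_DIR="${CERT_DIR:-/certs}"        # spiffe-helper's cert_dir
SECRET_NAME="${SECRET_NAME:-mysecret}"
NAMESPACE="${NAMESPACE:-myns}"
KUBECTL="${KUBECTL:-kubectl}"         # overridable so the step can be tested without a cluster

# Render a kubernetes.io/tls Secret from the PEM files on disk. This is the
# manifest that `kubectl create secret tls ... --dry-run=client -o yaml` would
# emit; building it here keeps the example runnable offline.
tls_secret_manifest() {
  dir="$1"; name="$2"; ns="$3"
  [ -s "$dir/tls.crt" ] && [ -s "$dir/tls.key" ] || return 1
  crt=$(base64 < "$dir/tls.crt" | tr -d '\n')
  key=$(base64 < "$dir/tls.key" | tr -d '\n')
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\ntype: kubernetes.io/tls\ndata:\n  tls.crt: %s\n  tls.key: %s\n' \
    "$name" "$ns" "$crt" "$key"
}

# One job run: regenerate the manifest from the current files and apply it.
# Fails (non-zero) if the cert or key is missing/empty, so a half-written
# rotation is never pushed to the cluster.
apply_secret() {
  manifest=$(tls_secret_manifest "$CERT_DIR" "$SECRET_NAME" "$NAMESPACE") || return 1
  printf '%s\n' "$manifest" | "$KUBECTL" apply -f -
}

# Long-running part: apply once at start, then re-apply on every SIGHUP.
# sleep runs in the background so the trap can interrupt the wait promptly.
main() {
  apply_secret || exit 1
  trap 'apply_secret' HUP
  trap 'exit 0' TERM INT
  while :; do
    sleep 1 & wait $!
  done
}

# Only start the signal loop when invoked as `job-mode.sh run`, so the
# functions above can also be sourced and called directly.
if [ "${1:-}" = "run" ]; then
  main
fi
```

In a real deployment the script would be referenced from the helper config as cmd = "/bin/sh" with cmd_args pointing at this file and "run", and spiffe-helper's own signalling replaces the polling loop the thread complains about; the point of the example is that the child still has to own both the initial apply and the re-apply-on-signal path, which is exactly the duplication job mode removes.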

kfox1111 commented 8 months ago

Looks like it probably is supported today by just clearing the signal in the config like: https://github.com/spiffe/spiffe-helper/blob/main/examples/postgresql/helper.conf

The rest is covered in https://github.com/spiffe/spiffe-helper/pull/116