spire: Add init sidecar container for registration

This commit is to register all cilium related identities in spire, so that other components (e.g. spire-agent, cilium agent, cilium operator) are having required permissions. Currently, a small bash script is used for simplicity, once things are getting more complicated, we can move these steps to a small golang utility, like what we have with cilium-mount or cilium-sysctlfix. Kind note that shareProcessNamespace is enabled, so that init container can cooperate with main spire-server and perform required identity registration. https://kubernetes.io/docs/tasks/configure-pod-container/share-process-namespace/ Signed-off-by: Tam Mach <tam.mach@cilium.io>
cilium · Apr 19, 2023 · c268e97 · c268e97
1 parent 0ea6c8b
commit c268e97
Show file tree

Hide file tree

Showing 2 changed files with 49 additions and 0 deletions.
diff --git a/install/kubernetes/cilium/files/spire/init.bash b/install/kubernetes/cilium/files/spire/init.bash
@@ -0,0 +1,48 @@
+# shellcheck disable=SC2086
+# shellcheck disable=SC2139
+set -e
+
+echo "Waiting for spire process to start"
+while ! pgrep spire-server > /dev/null; do sleep 5; done
+
+SPIRE_SERVER_ROOT_PATH="/proc/$(pgrep spire-server)/root"
+
+alias spire_server="${SPIRE_SERVER_ROOT_PATH}/opt/spire/bin/spire-server"
+SOCKET_PATH="${SPIRE_SERVER_ROOT_PATH}/tmp/spire-server/private/api.sock"
+SOCKET_FLAG="-socketPath ${SOCKET_PATH}"
+
+echo "Checking spire-server status"
+while ! spire_server entry show ${SOCKET_FLAG} &> /dev/null; do
+  echo "Waiting for spire-server to start..."
+  sleep 5
+done
+
+echo "Spire Server is up, initializing cilium spire entries..."
+
+AGENT_SPIFFE_ID="spiffe://{{ .Values.auth.mTLS.spire.trustDomain }}/ns/{{ .Values.auth.mTLS.spire.install.namespace }}/sa/spire-agent"
+AGENT_SELECTORS="-selector k8s_psat:agent_ns:{{ .Values.auth.mTLS.spire.install.namespace }} -selector k8s_psat:agent_sa:spire-agent"
+CILIUM_AGENT_SPIFFE_ID="spiffe://{{ .Values.auth.mTLS.spire.trustDomain }}/cilium-agent"
+CILIUM_AGENT_SELECTORS="-selector k8s:ns:{{ .Release.Namespace }} -selector k8s:sa:{{ .Values.serviceAccounts.cilium.name }}"
+CILIUM_OPERATOR_SPIFFE_ID="spiffe://{{ .Values.auth.mTLS.spire.trustDomain }}/cilium-operator"
+CILIUM_OPERATOR_SELECTORS="-selector k8s:ns:{{ .Release.Namespace }} -selector k8s:sa:{{ .Values.serviceAccounts.operator.name }}"
+
+while pgrep spire-server > /dev/null;
+do
+  echo "Ensuring agent entry"
+  if spire_server entry show ${SOCKET_FLAG} -spiffeID $AGENT_SPIFFE_ID $AGENT_SELECTORS | grep -q "Found 0 entries" &> /dev/null; then
+    spire_server entry create ${SOCKET_FLAG} -spiffeID $AGENT_SPIFFE_ID $AGENT_SELECTORS -node
+  fi
+
+  echo "Ensuring cilium-agent entry (required for the delegated identity to work)"
+  if spire_server entry show ${SOCKET_FLAG} -spiffeID $CILIUM_AGENT_SPIFFE_ID $CILIUM_AGENT_SELECTORS | grep -q "Found 0 entries" &> /dev/null; then
+    spire_server entry create ${SOCKET_FLAG} -spiffeID $CILIUM_AGENT_SPIFFE_ID -parentID $AGENT_SPIFFE_ID $CILIUM_AGENT_SELECTORS
+  fi
+
+  echo "Ensuring cilium-operator entry (required for creating SPIFFE identities)"
+  if spire_server entry show ${SOCKET_FLAG} -spiffeID $CILIUM_OPERATOR_SPIFFE_ID $CILIUM_OPERATOR_SELECTORS | grep -q "Found 0 entries" &> /dev/null; then
+    spire_server entry create ${SOCKET_FLAG} -spiffeID $CILIUM_OPERATOR_SPIFFE_ID -parentID $AGENT_SPIFFE_ID $CILIUM_OPERATOR_SELECTORS
+  fi
+
+  echo "Cilium Spire entries are initialized successfully or already in-sync"
+  sleep 30;
+done
diff --git a/install/kubernetes/cilium/templates/spire/server/statefulset.yaml b/install/kubernetes/cilium/templates/spire/server/statefulset.yaml
@@ -25,6 +25,7 @@ spec:
         app: spire-server
     spec:
       serviceAccountName: {{ .Values.auth.mTLS.spire.install.server.serviceAccount.name }}
+      shareProcessNamespace: true
       {{- if gt (len .Values.auth.mTLS.spire.install.server.initContainers) 0 }}
       initContainers:
         {{- toYaml .Values.auth.mTLS.spire.install.server.initContainers | nindent 8 }}