-
Notifications
You must be signed in to change notification settings - Fork 2.8k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
spire: Add init sidecar container for registration
This commit is to register all cilium related identities in spire, so that other components (e.g. spire-agent, cilium agent, cilium operator) are having required permissions. Currently, a small bash script is used for simplicity, once things are getting more complicated, we can move these steps to a small golang utility, like what we have with cilium-mount or cilium-sysctlfix. Kind note that shareProcessNamespace is enabled, so that init container can cooperate with main spire-server and perform required identity registration. https://kubernetes.io/docs/tasks/configure-pod-container/share-process-namespace/ Signed-off-by: Tam Mach <tam.mach@cilium.io>
- Loading branch information
Showing
2 changed files
with
49 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,48 @@ | ||
# shellcheck disable=SC2086 | ||
# shellcheck disable=SC2139 | ||
set -e | ||
|
||
echo "Waiting for spire process to start" | ||
while ! pgrep spire-server > /dev/null; do sleep 5; done | ||
|
||
SPIRE_SERVER_ROOT_PATH="/proc/$(pgrep spire-server)/root" | ||
|
||
alias spire_server="${SPIRE_SERVER_ROOT_PATH}/opt/spire/bin/spire-server" | ||
SOCKET_PATH="${SPIRE_SERVER_ROOT_PATH}/tmp/spire-server/private/api.sock" | ||
SOCKET_FLAG="-socketPath ${SOCKET_PATH}" | ||
|
||
echo "Checking spire-server status" | ||
while ! spire_server entry show ${SOCKET_FLAG} &> /dev/null; do | ||
echo "Waiting for spire-server to start..." | ||
sleep 5 | ||
done | ||
|
||
echo "Spire Server is up, initializing cilium spire entries..." | ||
|
||
AGENT_SPIFFE_ID="spiffe://{{ .Values.auth.mTLS.spire.trustDomain }}/ns/{{ .Values.auth.mTLS.spire.install.namespace }}/sa/spire-agent" | ||
AGENT_SELECTORS="-selector k8s_psat:agent_ns:{{ .Values.auth.mTLS.spire.install.namespace }} -selector k8s_psat:agent_sa:spire-agent" | ||
CILIUM_AGENT_SPIFFE_ID="spiffe://{{ .Values.auth.mTLS.spire.trustDomain }}/cilium-agent" | ||
CILIUM_AGENT_SELECTORS="-selector k8s:ns:{{ .Release.Namespace }} -selector k8s:sa:{{ .Values.serviceAccounts.cilium.name }}" | ||
CILIUM_OPERATOR_SPIFFE_ID="spiffe://{{ .Values.auth.mTLS.spire.trustDomain }}/cilium-operator" | ||
CILIUM_OPERATOR_SELECTORS="-selector k8s:ns:{{ .Release.Namespace }} -selector k8s:sa:{{ .Values.serviceAccounts.operator.name }}" | ||
|
||
while pgrep spire-server > /dev/null; | ||
do | ||
echo "Ensuring agent entry" | ||
if spire_server entry show ${SOCKET_FLAG} -spiffeID $AGENT_SPIFFE_ID $AGENT_SELECTORS | grep -q "Found 0 entries" &> /dev/null; then | ||
spire_server entry create ${SOCKET_FLAG} -spiffeID $AGENT_SPIFFE_ID $AGENT_SELECTORS -node | ||
fi | ||
|
||
echo "Ensuring cilium-agent entry (required for the delegated identity to work)" | ||
if spire_server entry show ${SOCKET_FLAG} -spiffeID $CILIUM_AGENT_SPIFFE_ID $CILIUM_AGENT_SELECTORS | grep -q "Found 0 entries" &> /dev/null; then | ||
spire_server entry create ${SOCKET_FLAG} -spiffeID $CILIUM_AGENT_SPIFFE_ID -parentID $AGENT_SPIFFE_ID $CILIUM_AGENT_SELECTORS | ||
fi | ||
|
||
echo "Ensuring cilium-operator entry (required for creating SPIFFE identities)" | ||
if spire_server entry show ${SOCKET_FLAG} -spiffeID $CILIUM_OPERATOR_SPIFFE_ID $CILIUM_OPERATOR_SELECTORS | grep -q "Found 0 entries" &> /dev/null; then | ||
spire_server entry create ${SOCKET_FLAG} -spiffeID $CILIUM_OPERATOR_SPIFFE_ID -parentID $AGENT_SPIFFE_ID $CILIUM_OPERATOR_SELECTORS | ||
fi | ||
|
||
echo "Cilium Spire entries are initialized successfully or already in-sync" | ||
sleep 30; | ||
done |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters