Add configuration to exit after retrieving JWTs (closes spiffe#121)

Signed-off-by: Keegan Witt <keeganwitt@gmail.com>

README.md

@@ -22,12 +22,14 @@ The configuration file is an [HCL](https://github.com/hashicorp/hcl) formatted f
  | `cmd`                         | The path to the process to launch.                                                                             | `"ghostunnel"`                                                                                                                                                       |
  | `cmd_args`                    | The arguments of the process to launch.                                                                        | `"server --listen localhost:8002 --target localhost:8001--keystore certs/svid_key.pem --cacert certs/svid_bundle.pem --allow-uri-san spiffe://example.org/Database"` |
  | `cert_dir`                    | Directory name to store the fetched certificates. This directory must be created previously.                   | `"certs"`                                                                                                                                                            |
- | `exit_when_ready`             | Fetch x509 certificate and then exit(0)                                                                        | `true`               |
+ | `exit_when_ready`             | Deprecated. Use 'exit_when_cert_ready'.                                                                        | `true`                                                                                                                                                               |
+ | `exit_when_cert_ready`        | Fetch x509 certificate and then exit(0). It cannot be used with 'exit_when_jwt_ready'.                         | `true`                                                                                                                                                               |
  | `add_intermediates_to_bundle` | Add intermediate certificates into Bundle file instead of SVID file.                                           | `true`                                                                                                                                                               |
  | `renew_signal`                | The signal that the process to be launched expects to reload the certificates. It is not supported on Windows. | `"SIGUSR1"`                                                                                                                                                          |
  | `svid_file_name`              | File name to be used to store the X.509 SVID public certificate in PEM format.                                 | `"svid.pem"`                                                                                                                                                         |
  | `svid_key_file_name`          | File name to be used to store the X.509 SVID private key and public certificate in PEM format.                 | `"svid_key.pem"`                                                                                                                                                     |
  | `svid_bundle_file_name`       | File name to be used to store the X.509 SVID Bundle in PEM format.                                             | `"svid_bundle.pem"`                                                                                                                                                  |
+ | `exit_when_jwt_ready`         | Fetch JWT and then exit(0). It cannot be used with 'exit_when_cert_ready'.                                     | `true`                                                                                                                                                               |
  | `jwt_svids`                   | An array with the audience and file name to store the JWT SVIDs. File is Base64-encoded string).               | `[{jwt_audience="your-audience", jwt_svid_file_name="jwt_svid.token"}]`                                                                                              |
  | `jwt_bundle_file_name`        | File name to be used to store JWT Bundle in JSON format.                                                       | `"jwt_bundle.json"`                                                                                                                                                  |
 

pkg/sidecar/config.go

@@ -10,14 +10,16 @@ import (
 
 // Config contains config variables when creating a SPIFFE Sidecar.
 type Config struct {
-	AgentAddress           string `hcl:"agent_address"`
-	AgentAddressDeprecated string `hcl:"agentAddress"`
-	Cmd                    string `hcl:"cmd"`
-	CmdArgs                string `hcl:"cmd_args"`
-	CmdArgsDeprecated      string `hcl:"cmdArgs"`
-	CertDir                string `hcl:"cert_dir"`
-	CertDirDeprecated      string `hcl:"certDir"`
-	ExitWhenReady          bool   `hcl:"exit_when_ready"`
+	AgentAddress            string `hcl:"agent_address"`
+	AgentAddressDeprecated  string `hcl:"agentAddress"`
+	Cmd                     string `hcl:"cmd"`
+	CmdArgs                 string `hcl:"cmd_args"`
+	CmdArgsDeprecated       string `hcl:"cmdArgs"`
+	CertDir                 string `hcl:"cert_dir"`
+	CertDirDeprecated       string `hcl:"certDir"`
+	ExitWhenReadyDeprecated bool   `hcl:"exit_when_ready"`
+	ExitWhenCertReady       bool   `hcl:"exit_when_cert_ready"`
+	ExitWhenJwtReady        bool   `hcl:"exit_when_jwt_ready"`
 	// Merge intermediate certificates into Bundle file instead of SVID file,
 	// it is useful is some scenarios like MySQL,
 	// where this is the expected format for presented certificates and bundles
@@ -144,6 +146,13 @@ func ValidateConfig(c *Config) error {
 		return errors.New("all or none of 'svid_file_name', 'svid_key_file_name', 'svid_bundle_file_name' must be specified")
 	}
 
+	if c.ExitWhenReadyDeprecated {
+		c.Log.Warn(getWarning("exit_when_ready", "exit_when_cert_ready"))
+	}
+	if (c.ExitWhenReadyDeprecated || c.ExitWhenCertReady) && c.ExitWhenJwtReady {
+		return errors.New("'exit_when_cert_ready' (or 'exit_when_ready') and 'exit_when_jwt_ready' cannot both be configured")
+	}
+
 	return nil
 }
 

pkg/sidecar/config_test.go

@@ -290,6 +290,58 @@ func TestValidateConfig(t *testing.T) {
 				Message: "renewSignal will be deprecated, should be used as renew_signal",
 			}},
 		},
+		{
+			name: "Using ExitWhenReady",
+			config: &Config{
+				AgentAddress: "path",
+				JwtSvids: []JwtConfig{{
+					JWTSvidFilename: "jwt.token",
+					JWTAudience:     "your-audience",
+				}},
+				JWTBundleFilename:       "bundle.json",
+				ExitWhenReadyDeprecated: true,
+			},
+			expectLogs: []shortEntry{
+				{
+					Level:   logrus.WarnLevel,
+					Message: "exit_when_ready will be deprecated, should be used as exit_when_cert_ready",
+				},
+			},
+		},
+		{
+			name: "Using ExitWhenCertReady and ExitWhenJwtReady",
+			config: &Config{
+				AgentAddress: "path",
+				JwtSvids: []JwtConfig{{
+					JWTSvidFilename: "jwt.token",
+					JWTAudience:     "your-audience",
+				}},
+				JWTBundleFilename: "bundle.json",
+				ExitWhenCertReady: true,
+				ExitWhenJwtReady:  true,
+			},
+			expectError: "'exit_when_cert_ready' (or 'exit_when_ready') and 'exit_when_jwt_ready' cannot both be configured",
+		},
+		{
+			name: "Using ExitWhenReady and ExitWhenJwtReady",
+			config: &Config{
+				AgentAddress: "path",
+				JwtSvids: []JwtConfig{{
+					JWTSvidFilename: "jwt.token",
+					JWTAudience:     "your-audience",
+				}},
+				JWTBundleFilename:       "bundle.json",
+				ExitWhenReadyDeprecated: true,
+				ExitWhenJwtReady:        true,
+			},
+			expectLogs: []shortEntry{
+				{
+					Level:   logrus.WarnLevel,
+					Message: "exit_when_ready will be deprecated, should be used as exit_when_cert_ready",
+				},
+			},
+			expectError: "'exit_when_cert_ready' (or 'exit_when_ready') and 'exit_when_jwt_ready' cannot both be configured",
+		},
 	} {
 		t.Run(tt.name, func(t *testing.T) {
 			log, hook := test.NewNullLogger()

pkg/sidecar/sidecar.go

@@ -123,6 +123,10 @@ func (s *Sidecar) RunDaemon(ctx context.Context) error {
 
 	wg.Wait()
 
+	if s.config.ExitWhenJwtReady {
+		os.Exit(0)
+	}
+
 	return nil
 }
 
@@ -147,7 +151,7 @@ func (s *Sidecar) updateCertificates(svidResponse *workloadapi.X509Context) {
 		}
 	}
 
-	if s.config.ExitWhenReady {
+	if s.config.ExitWhenCertReady {
 		os.Exit(0)
 	}