diff --git a/README.md b/README.md
index 975421b9..7f3dae57 100644
--- a/README.md
+++ b/README.md
@@ -22,12 +22,14 @@ The configuration file is an [HCL](https://github.com/hashicorp/hcl) formatted f
 | `cmd` | The path to the process to launch. | `"ghostunnel"` |
 | `cmd_args` | The arguments of the process to launch. | `"server --listen localhost:8002 --target localhost:8001--keystore certs/svid_key.pem --cacert certs/svid_bundle.pem --allow-uri-san spiffe://example.org/Database"` |
 | `cert_dir` | Directory name to store the fetched certificates. This directory must be created previously. | `"certs"` |
- | `exit_when_ready` | Fetch x509 certificate and then exit(0) | `true` |
+ | `exit_when_ready` | Deprecated. Use 'exit_when_cert_ready'. | `true` |
+ | `exit_when_cert_ready` | Fetch x509 certificate and then exit(0). It cannot be used with 'exit_when_jwt_ready'. | `true` |
 | `add_intermediates_to_bundle` | Add intermediate certificates into Bundle file instead of SVID file. | `true` |
 | `renew_signal` | The signal that the process to be launched expects to reload the certificates. It is not supported on Windows. | `"SIGUSR1"` |
 | `svid_file_name` | File name to be used to store the X.509 SVID public certificate in PEM format. | `"svid.pem"` |
 | `svid_key_file_name` | File name to be used to store the X.509 SVID private key and public certificate in PEM format. | `"svid_key.pem"` |
 | `svid_bundle_file_name` | File name to be used to store the X.509 SVID Bundle in PEM format. | `"svid_bundle.pem"` |
+ | `exit_when_jwt_ready` | Fetch JWT and then exit(0). It cannot be used with 'exit_when_cert_ready'. | `true` |
 | `jwt_svids` | An array with the audience and file name to store the JWT SVIDs. File is Base64-encoded string). | `[{jwt_audience="your-audience", jwt_svid_file_name="jwt_svid.token"}]` |
 | `jwt_bundle_file_name` | File name to be used to store JWT Bundle in JSON format. | `"jwt_bundle.json"` |
diff --git a/pkg/sidecar/config.go b/pkg/sidecar/config.go
index 90457493..bef0c2ad 100644
--- a/pkg/sidecar/config.go
+++ b/pkg/sidecar/config.go
@@ -10,14 +10,16 @@ import (
 // Config contains config variables when creating a SPIFFE Sidecar.
 type Config struct {
- AgentAddress string `hcl:"agent_address"`
- AgentAddressDeprecated string `hcl:"agentAddress"`
- Cmd string `hcl:"cmd"`
- CmdArgs string `hcl:"cmd_args"`
- CmdArgsDeprecated string `hcl:"cmdArgs"`
- CertDir string `hcl:"cert_dir"`
- CertDirDeprecated string `hcl:"certDir"`
- ExitWhenReady bool `hcl:"exit_when_ready"`
+ AgentAddress string `hcl:"agent_address"`
+ AgentAddressDeprecated string `hcl:"agentAddress"`
+ Cmd string `hcl:"cmd"`
+ CmdArgs string `hcl:"cmd_args"`
+ CmdArgsDeprecated string `hcl:"cmdArgs"`
+ CertDir string `hcl:"cert_dir"`
+ CertDirDeprecated string `hcl:"certDir"`
+ ExitWhenReadyDeprecated bool `hcl:"exit_when_ready"`
+ ExitWhenCertReady bool `hcl:"exit_when_cert_ready"`
+ ExitWhenJwtReady bool `hcl:"exit_when_jwt_ready"`
 // Merge intermediate certificates into Bundle file instead of SVID file,
 // it is useful is some scenarios like MySQL,
 // where this is the expected format for presented certificates and bundles
@@ -144,6 +146,13 @@ func ValidateConfig(c *Config) error {
 return errors.New("all or none of 'svid_file_name', 'svid_key_file_name', 'svid_bundle_file_name' must be specified")
 }
+ if c.ExitWhenReadyDeprecated {
+ c.Log.Warn(getWarning("exit_when_ready", "exit_when_cert_ready"))
+ }
+ if (c.ExitWhenReadyDeprecated || c.ExitWhenCertReady) && c.ExitWhenJwtReady {
+ return errors.New("'exit_when_cert_ready' (or 'exit_when_ready') and 'exit_when_jwt_ready' cannot both be configured")
+ }
+
 return nil
 }
diff --git a/pkg/sidecar/config_test.go b/pkg/sidecar/config_test.go
index 8d3f0570..26659c72 100644
--- a/pkg/sidecar/config_test.go
+++ b/pkg/sidecar/config_test.go
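Review bot: The three new fields at the end of the struct hunk (`ExitWhenReadyDeprecated`, `ExitWhenCertReady`, `ExitWhenJwtReady`) have no comment, although the field right below them is documented and the mutual exclusion that ValidateConfig enforces is a contract readers of the type should see. I would add `// ExitWhenReadyDeprecated is the old name of ExitWhenCertReady; ValidateConfig warns when it is set.`, `// ExitWhenCertReady makes the sidecar exit(0) once the X.509 SVID has been written; mutually exclusive with ExitWhenJwtReady.` and the mirror sentence on ExitWhenJwtReady. As a point of style, the exported name `ExitWhenJwtReady` follows `JwtSvids` but not `JWTBundleFilename`/`JWTSvidFilename` in the same struct (visible in the test hunk), and since it is part of the public Config it will be hard to rename later. The struct continues past the end of the hunk.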
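Review bot: A configuration that still sets `exit_when_ready = true` now only gets a warning: the conflict check in ValidateConfig treats ExitWhenReadyDeprecated as an alias of ExitWhenCertReady, but updateCertificates in the sidecar.go hunk tests only `s.config.ExitWhenCertReady`, so unless the deprecated value is copied onto the new field somewhere not shown here, existing deployments silently stop exiting after the certificate is written (an init-container style supervisor would then hang instead of proceeding). Since ValidateConfig already receives `c *Config`, folding the alias in right after the warning is enough: `c.ExitWhenCertReady = true`. With that in place the conflict condition can simply read `if c.ExitWhenCertReady && c.ExitWhenJwtReady {`; the error text should stay as it is, because config_test.go pins the current wording. The start of ValidateConfig lies outside the hunk.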
@@ -290,6 +290,58 @@ func TestValidateConfig(t *testing.T) {
 Message: "renewSignal will be deprecated, should be used as renew_signal",
 }},
 },
+ {
+ name: "Using ExitWhenReady",
+ config: &Config{
+ AgentAddress: "path",
+ JwtSvids: []JwtConfig{{
+ JWTSvidFilename: "jwt.token",
+ JWTAudience: "your-audience",
+ }},
+ JWTBundleFilename: "bundle.json",
+ ExitWhenReadyDeprecated: true,
+ },
+ expectLogs: []shortEntry{
+ {
+ Level: logrus.WarnLevel,
+ Message: "exit_when_ready will be deprecated, should be used as exit_when_cert_ready",
+ },
+ },
+ },
+ {
+ name: "Using ExitWhenCertReady and ExitWhenJwtReady",
+ config: &Config{
+ AgentAddress: "path",
+ JwtSvids: []JwtConfig{{
+ JWTSvidFilename: "jwt.token",
+ JWTAudience: "your-audience",
+ }},
+ JWTBundleFilename: "bundle.json",
+ ExitWhenCertReady: true,
+ ExitWhenJwtReady: true,
+ },
+ expectError: "'exit_when_cert_ready' (or 'exit_when_ready') and 'exit_when_jwt_ready' cannot both be configured",
+ },
+ {
+ name: "Using ExitWhenReady and ExitWhenJwtReady",
+ config: &Config{
+ AgentAddress: "path",
+ JwtSvids: []JwtConfig{{
+ JWTSvidFilename: "jwt.token",
+ JWTAudience: "your-audience",
+ }},
+ JWTBundleFilename: "bundle.json",
+ ExitWhenReadyDeprecated: true,
+ ExitWhenJwtReady: true,
+ },
+ expectLogs: []shortEntry{
+ {
+ Level: logrus.WarnLevel,
+ Message: "exit_when_ready will be deprecated, should be used as exit_when_cert_ready",
+ },
+ },
+ expectError: "'exit_when_cert_ready' (or 'exit_when_ready') and 'exit_when_jwt_ready' cannot both be configured",
+ },
 } {
 t.Run(tt.name, func(t *testing.T) {
 log, hook := test.NewNullLogger()
diff --git a/pkg/sidecar/sidecar.go b/pkg/sidecar/sidecar.go
index 67bd5e91..d7858d7b 100644
--- a/pkg/sidecar/sidecar.go
+++ b/pkg/sidecar/sidecar.go
@@ -123,6 +123,10 @@ func (s *Sidecar) RunDaemon(ctx context.Context) error {
 wg.Wait()
+ if s.config.ExitWhenJwtReady {
+ os.Exit(0)
+ }
+
 return nil
 }
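Review bot: The three new cases only cover the deprecated spelling and the conflicting combination; there is no case in which `ExitWhenCertReady` or `ExitWhenJwtReady` is set on its own, so a regression that warned on the new name or rejected a valid single flag would pass this table. Two positive cases, one per flag, would pin the intended happy path, assuming the loop body (which continues outside the hunk) treats an absent expectLogs/expectError as "no warning, no error". The enclosing TestValidateConfig starts before the hunk.
```go
// … unchanged: existing cases …
{
	name: "Using ExitWhenCertReady alone",
	config: &Config{
		AgentAddress:      "path",
		JwtSvids:          []JwtConfig{{JWTSvidFilename: "jwt.token", JWTAudience: "your-audience"}},
		JWTBundleFilename: "bundle.json",
		ExitWhenCertReady: true,
	},
},
{
	name: "Using ExitWhenJwtReady alone",
	config: &Config{
		AgentAddress:      "path",
		JwtSvids:          []JwtConfig{{JWTSvidFilename: "jwt.token", JWTAudience: "your-audience"}},
		JWTBundleFilename: "bundle.json",
		ExitWhenJwtReady:  true,
	},
},
```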
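Review bot: Calling `os.Exit(0)` in RunDaemon immediately before `return nil` skips every deferred cleanup in this function and in its callers and hard-codes the process status, whereas the function is about to return normally anyway and the caller could decide the exit code as it does on every other path. It is also not visible in the hunk what `wg.Wait()` returning guarantees; if a JWT fetch can fail before the group finishes, exiting 0 here would report success to whatever supervises the sidecar, so at least a comment stating the precondition is warranted, e.g. `// exit_when_jwt_ready: all JWT writers have finished; terminate like updateCertificates does for X.509`. I would prefer `return nil` and letting main exit, or otherwise document why the status must be forced here. RunDaemon starts outside the hunk.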
@@ -147,7 +151,7 @@ func (s *Sidecar) updateCertificates(svidResponse *workloadapi.X509Context) {
 }
 }
- if s.config.ExitWhenReady {
+ if s.config.ExitWhenCertReady {
 os.Exit(0)
 }