Merge pull request #74 from philips-labs/spire-configurable-socket-paths

charts/spire/Chart.yaml

@@ -27,7 +27,7 @@ description: |
           - --service-account-signing-key-file=/run/config/pki/sa.key
   ```
 type: application
-version: 0.6.3
+version: 0.7.0
 appVersion: "1.5.1"
 keywords: ["spiffe", "spire", "spire-server", "spire-agent", "oidc"]
 home: https://github.com/philips-labs/helm-charts/charts/spire

charts/spire/README.md

@@ -2,7 +2,7 @@
 
 <!-- This README.md is generated. -->
 
-![Version: 0.6.3](https://img.shields.io/badge/Version-0.6.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.5.1](https://img.shields.io/badge/AppVersion-1.5.1-informational?style=flat-square)
+![Version: 0.7.0](https://img.shields.io/badge/Version-0.7.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.5.1](https://img.shields.io/badge/AppVersion-1.5.1-informational?style=flat-square)
 
 A Helm chart for deploying spire-server and spire-agent.
 
@@ -51,6 +51,7 @@ Kubernetes: `>=1.21.0-0`
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | agent.config.logLevel | string | `"info"` |  |
+| agent.config.socketPath | string | `"/run/spire/agent-sockets/spire-agent.sock"` |  |
 | agent.image.pullPolicy | string | `"IfNotPresent"` |  |
 | agent.image.registry | string | `"ghcr.io"` |  |
 | agent.image.repository | string | `"spiffe/spire-agent"` |  |
@@ -103,6 +104,7 @@ Kubernetes: `>=1.21.0-0`
 | server.config.ca_subject.organization | string | `"Example"` |  |
 | server.config.jwtIssuer | string | `"oidc-discovery.example.org"` |  |
 | server.config.logLevel | string | `"info"` |  |
+| server.config.socketPath | string | `"/run/spire/server-sockets/spire-server.sock"` |  |
 | server.dataStorage.accessMode | string | `"ReadWriteOnce"` |  |
 | server.dataStorage.enabled | bool | `true` |  |
 | server.dataStorage.size | string | `"1Gi"` |  |

charts/spire/templates/NOTES.txt

@@ -1,4 +1,4 @@
 1. Get the currently registered SPIFFE entries from the server:
 
   kubectl exec -n {{ .Release.Namespace }} {{ include "spire.fullname" . }}-server-0 -c spire-server -- \
-    bin/spire-server entry show -socketPath /run/spire/server-sockets/registration.sock
+    bin/spire-server entry show -socketPath {{ .Values.server.config.socketPath }}

charts/spire/templates/agent-configmap.yaml

@@ -7,10 +7,10 @@ data:
   agent.conf: |
     agent {
       data_dir = "/run/spire"
-      log_level = "{{ .Values.agent.config.logLevel }}"
+      log_level = {{ .Values.agent.config.logLevel | quote }}
       server_address = "{{ include "spire.fullname" . }}-server"
-      server_port = "{{ .Values.server.service.port }}"
-      socket_path = "/run/spire/agent-sockets/spire-agent.sock"
+      server_port = {{ .Values.server.service.port | quote }}
+      socket_path = {{ .Values.agent.config.socketPath | quote }}
       trust_bundle_path = "/run/spire/bundle/bundle.crt"
       trust_domain = {{ .Values.spire.trustDomain | quote }}
     }

charts/spire/templates/oidc-dp-configmap.yaml

@@ -1,4 +1,5 @@
 {{- if eq (.Values.oidc.enabled | toString) "true" }}
+{{- $oidcSocket := "/run/spire/oidc-sockets/spire-oidc-server.sock" }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
@@ -18,7 +19,7 @@ data:
 
     {{- if .Values.oidc.insecureScheme.enabled }}
     allow_insecure_scheme = {{ .Values.oidc.insecureScheme.enabled }}
-    listen_socket_path = "/run/spire/oidc-sockets/spire-oidc-server.sock"
+    listen_socket_path = {{ $oidcSocket | quote }}
     {{- else }}
     acme {
       directory_url = "{{ .Values.oidc.config.acme.directoryUrl }}"
@@ -29,7 +30,7 @@ data:
     {{- end }}
 
     workload_api {
-      socket_path = "/spiffe-workload-api/spire-agent.sock"
+      socket_path = "/spiffe-workload-api/{{ splitList "/" .Values.agent.config.socketPath | last }}"
       trust_domain = "{{ .Values.spire.trustDomain }}"
     }
 
@@ -41,7 +42,7 @@ data:
   {{- if .Values.oidc.insecureScheme.enabled }}
   default.conf.template: |
     upstream oidc {
-      server unix:/run/spire/oidc-sockets/spire-oidc-server.sock;
+      server unix:{{ $oidcSocket }};
     }
 
     server {

charts/spire/templates/server-configmap.yaml

@@ -8,7 +8,7 @@ data:
     server {
       bind_address = "0.0.0.0"
       bind_port = "8081"
-      socket_path = "/run/spire/server-sockets/spire-server.sock"
+      socket_path = {{ .Values.server.config.socketPath | quote }}
       trust_domain = {{ .Values.spire.trustDomain | quote }}
       data_dir = "/run/spire/data"
       log_level = "{{ .Values.server.config.logLevel }}"

charts/spire/templates/workload-registrar-configmap.yaml

@@ -9,6 +9,6 @@ data:
     mode            = "reconcile"
     trust_domain    = {{ .Values.spire.trustDomain | quote }}
     cluster         = {{ .Values.spire.clusterName | quote }}
-    server_address  = "unix:///run/spire/server-sockets/spire-server.sock"
+    server_address  = "unix://{{ .Values.server.config.socketPath }}"
     leader_election = true
     metrics_addr    = "0.0.0.0:18080"

charts/spire/values.yaml

@@ -77,6 +77,7 @@ server:
 
   config:
     logLevel: info
+    socketPath: /run/spire/server-sockets/spire-server.sock
     jwtIssuer: oidc-discovery.example.org
 
     ca_subject:
@@ -111,6 +112,7 @@ agent:
 
   config:
     logLevel: info
+    socketPath: /run/spire/agent-sockets/spire-agent.sock
 
 csiDriver:
   image: