Enable use of spiffe-helper as a wrapper around another command in a pipeline #249

Open
ringerc opened this issue Feb 2, 2025 · 1 comment

Comments

@ringerc
Contributor

ringerc commented Feb 2, 2025

As noted in #245 (comment), presently it's difficult to use spiffe-helper to wrap another command, because:

  • it doesn't forward its stdin to the command it runs (addressed by Forward spiffe-helper's stdin to the 'cmd' invoked in daemon_mode #245)
  • it doesn't write the child command's pid anywhere, so there's no easy way to reliably identify and signal the wrapped process
  • it doesn't forward signals to the child process
  • it uses a stringified argument list when invoking the child process, which is difficult to reliably and correctly escape for all argument variations, instead of using an array argument-vector or a CLI wrapper style like spiffe-helper -config-file config.hcl -- mycommand "arguments go" "here"
  • it doesn't forward other open file descriptors if custom additional FDs are passed when it is invoked

It would be quite helpful to be able to replace commands in a pipeline with spiffe-helper wrappers around them in much the same way one can wrap a command with sudo, fluent-bit's exec plugin, or various other helpers.

This would require forwarding stdin to the process to wrap, and would require spiffe-helper to support running in a one-shot mode where it exits when the child command exits, propagating the exit signal of the child process.

Such wrapping cannot easily be made perfect; in particular the unix interface for processes provides no way for a process to exit with "exited with signal" without actually signalling itself, so if the child process exits with a fatal signal it's not easy or clean to have spiffe-helper exit with the same status. But we can adopt the unix shell's convention here, by using exit codes <126 for normal exits, and encoding signal exits in codes >=128.

I did some work on this feature already, which can be found in my working branch here: https://github.com/ringerc/spiffe-helper-PRs/tree/wip-omnibus-wrapper-mode and my notes here: #245 (comment). I'll return to it if I get time, but expect to focus on improving the ability to use spiffe-helper as a co-process helper instead of a wrapper first.

@kfox1111
Contributor

maybe we do it with an arg similar to the way kubectl does it?
kubectl exec -it foo -- bash -c 'echo hello'

Everything after a -- is treated as the command / args to run.
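
The wrapper behaviour discussed in this thread, as an added Go sketch that is not spiffe-helper's code and is not taken from the linked working branch: the command is taken as an argument vector after `--`, run without a shell, given the wrapper's stdio, sent any signals the wrapper receives, and its exit is reported with the shell convention (own exit code, or 128 plus the signal number). The names `splitArgs` and `runWrapped` are hypothetical, the code is Unix-only, and returning 127 when the command cannot be started is an assumption borrowed from shells.

```go
package main
import (
	"errors"
	"os"
	"os/exec"
	"os/signal"
	"syscall"
)

// splitArgs separates the wrapper's own flags from the wrapped command's
// argument vector at the first "--"; child is nil when there is no "--".
func splitArgs(args []string) (own, child []string) {
	for i, a := range args {
		if a == "--" {
			return args[:i], args[i+1:]
		}
	}
	return args, nil
}

// runWrapped runs argv directly (no shell, so no quoting or escaping step),
// forwards signals to the child, and returns a shell-style exit code.
func runWrapped(argv []string) (int, error) {
	cmd := exec.Command(argv[0], argv[1:]...)
	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
	sigs := make(chan os.Signal, 8)
	signal.Notify(sigs, syscall.SIGINT, syscall.SIGTERM, syscall.SIGHUP)
	defer signal.Stop(sigs)
	if err := cmd.Start(); err != nil {
		return 127, err // assumption: shell's "cannot run command" code
	}
	go func() { for s := range sigs { _ = cmd.Process.Signal(s) } }()
	var ee *exec.ExitError
	if err := cmd.Wait(); errors.As(err, &ee) {
		if ws, ok := ee.Sys().(syscall.WaitStatus); ok && ws.Signaled() {
			return 128 + int(ws.Signal()), nil // child was killed by a signal
		}
		return ee.ExitCode(), nil // normal exit with a non-zero code
	} else if err != nil {
		return 1, err
	}
	return 0, nil
}

func main() {
	if _, child := splitArgs(os.Args[1:]); len(child) > 0 {
		code, _ := runWrapped(child)
		os.Exit(code)
	}
	os.Exit(2) // usage error: no command given after "--"
}
```

Passing the argument vector straight to `exec.Command` means an argument such as `"arguments go"` reaches the child as one element, with no string re-parsing in between.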
