Add configurable socketPath for spire-agent

Signed-off-by: Marco Franssen <[email protected]>
philips-labs · Nov 15, 2022 · 63c2029 · 63c2029
1 parent cccc2f9
commit 63c2029
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 10 deletions.
diff --git a/cmd/spiffe-vault/cli/auth.go b/cmd/spiffe-vault/cli/auth.go
@@ -13,13 +13,20 @@ import (
 	"github.com/philips-labs/spiffe-vault/pkg/vault"
 )
 
+const (
+	defaultAudience   = "CI"
+	defaultAuthPath   = "jwt"
+	defaultSocketPath = "unix:///spiffe-workload-api/spire-agent.sock"
+)
+
 // Auth creates an instance of *ffcli.Command to authenticate with vault using Spiffe
 func Auth() *ffcli.Command {
 	var (
-		flagset  = flag.NewFlagSet("spiffe-vault version", flag.ExitOnError)
-		authPath = flagset.String("authPath", "jwt", "the authentication path in Vault (default: jwt)")
-		role     = flagset.String("role", "", "the role to authenticate with against Vault")
-		audience = flagset.String("audience", "CI", "the bound audience to verify in the claims")
+		flagset    = flag.NewFlagSet("spiffe-vault version", flag.ExitOnError)
+		socketPath = flagset.String("socketPath", defaultSocketPath, fmt.Sprintf("the unix socket path to the spire-agent (default: %s).", defaultSocketPath))
+		authPath   = flagset.String("authPath", defaultAuthPath, fmt.Sprintf("the authentication path in Vault (default: %s)", defaultAuthPath))
+		role       = flagset.String("role", "", "the role to authenticate with against Vault")
+		audience   = flagset.String("audience", defaultAudience, fmt.Sprintf("the bound audience to verify in the claims (default: %s)", defaultAudience))
 	)
 	return &ffcli.Command{
 		Name:    "auth",
@@ -33,10 +40,14 @@ func Auth() *ffcli.Command {
 				return fmt.Errorf("authPath flag required")
 			}
 
+			if *socketPath == "" {
+				return fmt.Errorf("socketPath flag required")
+			}
+
 			ctx, cancel := context.WithTimeout(ctx, 5*time.Second)
 			defer cancel()
 
-			jwt, err := spiffe.FetchJWT(ctx, *audience)
+			jwt, err := spiffe.FetchJWT(ctx, *socketPath, *audience)
 			if err != nil {
 				return err
 			}

diff --git a/pkg/spiffe/spiffe.go b/pkg/spiffe/spiffe.go
@@ -8,12 +8,8 @@ import (
 	"github.com/spiffe/go-spiffe/v2/workloadapi"
 )
 
-const (
-	socketPath = "unix:///var/run/spire/sockets/agent.sock"
-)
-
 // FetchJWT retrieves a JWT SVID upon successfull attestation
-func FetchJWT(ctx context.Context, audience string) (string, error) {
+func FetchJWT(ctx context.Context, socketPath, audience string) (string, error) {
 	clientOptions := workloadapi.WithClientOptions(workloadapi.WithAddr(socketPath))
 
 	jwtSource, err := workloadapi.NewJWTSource(ctx, clientOptions)