Forward stdin to 'cmd'
spiffe-helper was attaching stdout and stderr to the child process
launched by 'cmd' but was not attaching stdin.

Attach stdin too, so it's possible to pass a pipeline of data to
`spiffe-helper` for `cmd` to consume. It can then be used in a pipeline
or as a co-process to communicate with a `cmd` that requires
spiffe-helper to manage certificates.

This presents a corner case behaviour change for callers of
spiffe-helper. If it is invoked in a context where consuming stdin will
have an effect on the caller, and it runs a 'cmd' that can optionally
consume from stdin but ignores it if stdin is closed, then this change
will cause spiffe-helper invocations to consume from stdin that would
otherwise go to the caller.

E.g. this contrived bash code

    echo -n $'a\nb\nc\nd\n' | {
      spiffe-helper -config some_config.hcl &
      spiffe_helper_pid=$! ;
      while read -r SOME_VAR ; do
        echo "Got SOME_VAR: ${SOME_VAR}" ;
      done
    }

would have previously echoed one line for each of a b c and d. Now, if
`spiffe-helper`'s `cmd` configured in `some_config.hcl` consumes stdin
if it's attached, it'll instead produce no output (and the unexpectedly
connected `stdin` may confuse the `cmd`.)

This is an unlikely corner case so this change is being made
unconditionally, not gated behind a feature flag or configuration
option. If anyone is actually affected by this, they can close the
`stdin` file descriptor they pass when invoking `spiffe-helper`, e.g. in
bash run `spiffe-helper <&-`.
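The corner case described in the commit message, as an added shell example that is not part of the commit or of the spiffe-helper project: `cat >/dev/null` stands in for a `cmd` that drains stdin, and the function name `count_lines_after_consumer` and its three mode names are constructed for this illustration. It runs the consumer in the foreground so the outcome is deterministic (the message's `&` form races the read loop), and it adds a third arrangement the message does not mention, redirecting the consumer's stdin from `/dev/null`.

```shell
# Added example, not part of the spiffe-helper project. It reproduces the
# stdin hand-off described in the commit message with `cat >/dev/null`
# standing in for a `cmd` that drains whatever is on fd 0. The consumer is
# run in the foreground so the result is deterministic; the commit's `&`
# form races the caller's read loop instead.
#
# Prints "<lines left for the caller> <consumer result>", e.g. "0 ok".
count_lines_after_consumer() {
  # $1 selects how the consumer's stdin is arranged:
  #   inherit - consumer inherits the pipe (behaviour after this commit)
  #   closed  - fd 0 closed with `<&-`, the workaround the commit suggests
  #   devnull - fd 0 redirected from /dev/null, so the consumer sees EOF
  mode=$1
  # Constructed input: four lines the caller's own loop expects to read.
  printf 'a\nb\nc\nd\n' | {
    case "$mode" in
      inherit) if cat >/dev/null;                then status=ok; else status=failed; fi ;;
      closed)  if cat >/dev/null <&- 2>/dev/null; then status=ok; else status=failed; fi ;;
      devnull) if cat >/dev/null </dev/null;      then status=ok; else status=failed; fi ;;
      *)       echo "unknown mode: $mode" >&2; exit 2 ;;
    esac
    # Whatever the consumer left behind is all the caller's loop gets.
    n=0
    while read -r line; do
      n=$((n + 1))
    done
    echo "$n $status"
  }
}

# Stand-alone run: show the three arrangements side by side.
for m in inherit closed devnull; do
  printf '%-8s -> %s\n' "$m" "$(count_lines_after_consumer "$m")"
done
```

With `inherit` the caller's loop sees nothing (`0 ok`); with `closed` the caller keeps all four lines but the consumer fails on its first read of a closed descriptor (`4 failed`), which is the "may confuse the `cmd`" case; with `devnull` the caller keeps its input and the consumer exits cleanly on EOF (`4 ok`). The `/dev/null` form is the safer workaround: a child started with fd 0 closed will have that number handed back by its next `open()`, so an unrelated file can quietly become its standard input.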
ringerc committed Feb 2, 2025
1 parent 29323c8 commit 2142636
Showing 2 changed files with 20 additions and 0 deletions.
6 changes: 6 additions & 0 deletions README.md
@@ -38,6 +38,12 @@ The configuration file is an [HCL](https://github.com/hashicorp/hcl) formatted f
| `jwt_bundle_file_mode` | The octal file mode to use when saving a JWT Bundle file. | `0600` |
| `jwt_svid_file_mode` | The octal file mode to use when saving a JWT SVID file. | `0600` |

**Notes**:

* If `cmd` is specified, spiffe-helper will connect its `stdin`, `stdout` and
`stderr` to that of the command it invokes. If this is not desired, close
these file descriptors before invoking spiffe-helper.

### Health Checks Configuration
SPIFFE Helper can expose and endpoint that can be used for health checking

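Review bot: the new bullet under **Notes** tells callers to "close these file descriptors before invoking spiffe-helper" but shows no incantation and recommends the less safe of the two options. A child that inherits a closed fd 0 gets EBADF on its first read and, worse, its next `open()` is handed descriptor 0, so an unrelated file can silently become the command's standard input. Suggest spelling out the redirection and preferring `/dev/null`, e.g. "run `spiffe-helper ... </dev/null` so the command reads EOF", and only mention the `<&-` form from the commit message as an alternative.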
14 changes: 14 additions & 0 deletions pkg/sidecar/sidecar.go
@@ -239,6 +239,20 @@ func (s *Sidecar) signalProcess() error {
}

cmd := exec.Command(s.config.Cmd, cmdArgs...) // #nosec
// By attaching stdin we allow spiffe-helper to be used in a
// pipeline or as a simple passthrough. Because it consumes the
// child process's exit status and restarts the child process
// next time it is signalled it can't be use as a transparent
// wrapper, but this way we can still send data to the child
// process.
//
// A future enhancement to Run() to launch a child process and
// wait for it to complete, then exit with the child process's
// exit code would then allow proper use as a wrapper.
//
// If the caller doesn't want it attached, they can close stdin
// before forking spiffe-helper, same as stdout and stderr.
cmd.Stdin = os.Stdin
cmd.Stdout = os.Stdout
cmd.Stderr = os.Stderr
if err := cmd.Start(); err != nil {
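Review bot: the comment above `cmd.Stdin = os.Stdin` should state the restart consequence it only hints at, and has a typo ("can't be use as a transparent wrapper" should read "can't be used"). Since `signalProcess()` starts a fresh child on every signal and all children share the parent's `os.Stdin`, the second child begins wherever the first one stopped reading, and any bytes the killed child had buffered but not processed are gone; a caller using the pipeline form needs to know the stream is consumed once and never replayed. It is also worth recording that before this line a nil `Stdin` gave the child `/dev/null` (immediate EOF), so a `cmd` that previously tolerated an empty stdin may now sit blocked on an open pipe or terminal inherited from the caller; if that bites anyone, a configuration option restoring the old behaviour would be kinder than asking every caller for the `<&-` workaround.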
