Kubernetes Sidecar Usecase #115
Comments
Maybe for a separate issue... To support the new k8s sidecar support in 1.28+, a health check would also be needed.

For 2, we'd still have to share the pid namespace though. I don't think I understand that usecase.

@nstott I ported the mysql bits to work with the bitnami mysql helm chart here: The problem is, in order to trigger a reload of the certs in mysql, you need a viable mysql client. So you need spire-helper available in the mysql container. I did manage to do some twisty bits with init containers to piece it together at runtime. But it's kind of ugly. Instead, if you had shared pids enabled and pid signaling, the sidecar could just contain spiffe-helper and send a signal over to a container sidecar that has the mysql client ready to go to adapt the pid signal to a mysql reload certs sql command. I've prototyped that using the pid pr and a prototype CSI driver for spiffe-helper to make it possible to do this kind of thing: That example actually works and signals nginx to properly reload when the certs get updated.

A usecase I'm now looking at is if you have

I thought a restartPolicy was ignored when it's in a terminating state? But, if that's not the case, maybe a preStop hook would help.

I think I mis-stated the scenario. The What we'd want in this scenario is after the main container exits successfully, the sidecar knows it needs to exit too. https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-phase
It would be great if spiffe-helper could be used as a sidecar under Kubernetes.
This would require two different modes of operation to function well.
This would run as a k8s initContainer and ensure initial cert/key/ca creation before the workload starts.
A container image would also be needed. Requested here: #107
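The two modes requested above, plus the 1.28+ native-sidecar and shared-PID points raised in the comments, sketched as a single Pod manifest. This is an added illustration, not a manifest from the spiffe-helper project: the image name, config file names, the `-config` flag, the cert file path used by the probe, and the assumption that the init-mode helper exits after its first write are all hypothetical.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: workload-with-spiffe-helper
spec:
  # Needed for the "pid signaling" idea in the thread: the sidecar can only
  # signal the workload process if both containers see the same PID namespace.
  shareProcessNamespace: true
  initContainers:
    # Mode 1: one-shot run that writes cert/key/CA before the workload starts.
    # Assumes a config (hypothetical helper-init.conf) that makes the helper exit
    # after the first successful write instead of running as a daemon.
    - name: spiffe-helper-init
      image: example.org/spiffe-helper:PLACEHOLDER      # hypothetical image
      args: ["-config", "/etc/spiffe-helper/helper-init.conf"]
      volumeMounts:
        - { name: certs, mountPath: /run/spiffe/certs }
        - { name: helper-config, mountPath: /etc/spiffe-helper, readOnly: true }
        - { name: spire-agent-socket, mountPath: /run/spire/sockets, readOnly: true }
    # Mode 2: long-running rotation sidecar. On Kubernetes 1.28+ an init container
    # with restartPolicy: Always is a native sidecar: it keeps running next to the
    # workload and is stopped once the main containers exit, which covers the
    # "sidecar needs to exit when the main container finishes" scenario.
    - name: spiffe-helper
      image: example.org/spiffe-helper:PLACEHOLDER      # hypothetical image
      restartPolicy: Always
      args: ["-config", "/etc/spiffe-helper/helper-sidecar.conf"]
      # The health check the thread says is still missing, modelled here as a
      # file-existence probe (cert file name is an assumption). The kubelet
      # waits for a native sidecar's startupProbe before starting the workload.
      startupProbe:
        exec: { command: ["test", "-f", "/run/spiffe/certs/svid.pem"] }
        periodSeconds: 2
        failureThreshold: 30
      volumeMounts:
        - { name: certs, mountPath: /run/spiffe/certs }
        - { name: helper-config, mountPath: /etc/spiffe-helper, readOnly: true }
        - { name: spire-agent-socket, mountPath: /run/spire/sockets, readOnly: true }
  containers:
    - name: workload
      image: nginx:1.25
      volumeMounts:
        - { name: certs, mountPath: /etc/nginx/certs, readOnly: true }
  volumes:
    - name: certs
      emptyDir: { medium: Memory }              # keys never touch node disk
    - name: helper-config
      configMap: { name: spiffe-helper-config } # hypothetical ConfigMap
    - name: spire-agent-socket
      hostPath: { path: /run/spire/sockets, type: Directory }
```

On clusters older than 1.28 (or with the SidecarContainers feature gate off) the `restartPolicy: Always` init container is not treated as a sidecar, so the helper would have to move to `containers` and lose the ordered start and automatic termination.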