spiffe · MarcosDY · Jul 17, 2023 · Jul 5, 2023 · Jul 5, 2023 · Jul 6, 2023
@@ -18,32 +18,33 @@ The configuration file is an [HCL](https://github.com/hashicorp/hcl) formatted f
 
  |Configuration        | Description                                                                                    | Example Value |
  |--------------------------|------------------------------------------------------------------------------------------------| ------------- |
- |`agentAddress`            | Socket address of SPIRE Agent.                                                                                 | `"/tmp/agent.sock"`                                                                                                                                                  |
+ |`agent_address`            | Socket address of SPIRE Agent.                                                                                 | `"/tmp/agent.sock"`                                                                                                                                                  |
  |`cmd`                     | The path to the process to launch.                                                                             | `"ghostunnel"`                                                                                                                                                       |
- |`cmdArgs`                 | The arguments of the process to launch.                                                                        | `"server --listen localhost:8002 --target localhost:8001--keystore certs/svid_key.pem --cacert certs/svid_bundle.pem --allow-uri-san spiffe://example.org/Database"` |
- |`certDir`                 | Directory name to store the fetched certificates. This directory must be created previously.                   | `"certs"`                                                                                                                                                            |
- |`addIntermediatesToBundle`| Add intermediate certificates into Bundle file instead of SVID file.                                           | `true`                                                                                                                                                            |
- |`renewSignal`             | The signal that the process to be launched expects to reload the certificates. It is not supported on Windows. | `"SIGUSR1"`                                                                                                                                                          |
- |`svidFileName`            | File name to be used to store the X.509 SVID public certificate in PEM format.                                 | `"svid.pem"`                                                                                                                                                         |
- |`svidKeyFileName`         | File name to be used to store the X.509 SVID private key and public certificate in PEM format.                 | `"svid_key.pem"`                                                                                                                                                     |
- |`svidBundleFileName`      | File name to be used to store the X.509 SVID Bundle in PEM format.                                             | `"svid_bundle.pem"`                                                                                                                                                  |
+ |`cmd_args`                 | The arguments of the process to launch.                                                                        | `"server --listen localhost:8002 --target localhost:8001--keystore certs/svid_key.pem --cacert certs/svid_bundle.pem --allow-uri-san spiffe://example.org/Database"` |
+ |`cert_dir`                 | Directory name to store the fetched certificates. This directory must be created previously.                   | `"certs"`                                                                                                                                                            |
+ |`add_intermediates_to_bundle`| Add intermediate certificates into Bundle file instead of SVID file.                                           | `true`                                                                                                                                                            |
+ |`renew_signal`             | The signal that the process to be launched expects to reload the certificates. It is not supported on Windows. | `"SIGUSR1"`                                                                                                                                                          |
+ |`svid_file_name`            | File name to be used to store the X.509 SVID public certificate in PEM format.                                 | `"svid.pem"`                                                                                                                                                         |
+ |`svid_key_file_name`         | File name to be used to store the X.509 SVID private key and public certificate in PEM format.                 | `"svid_key.pem"`                                                                                                                                                     |
+ |`svid_bundle_file_name`      | File name to be used to store the X.509 SVID Bundle in PEM format.                                             | `"svid_bundle.pem"`                                                                                                                                                  |
 
 ### Configuration example
 ```
-agentAddress = "/tmp/agent.sock"
+agent_address = "/tmp/agent.sock"
 cmd = "ghostunnel"
-cmdArgs = "server --listen localhost:8002 --target localhost:8001 --keystore certs/svid_key.pem --cacert certs/svid_bundle.pem --allow-uri-san spiffe://example.org/Database"
-certDir = "certs"
-renewSignal = "SIGUSR1"
-svidFileName = "svid.pem"
-svidKeyFileName = "svid_key.pem"
-svidBundleFileName = "svid_bundle.pem"
+cmd_args = "server --listen localhost:8002 --target localhost:8001 --keystore certs/svid_key.pem --cacert certs/svid_bundle.pem --allow-uri-san spiffe://example.org/Database"
+cert_dir = "certs"
+renew_signal = "SIGUSR1"
+svid_file_name = "svid.pem"
+svid_key_file_name = "svid_key.pem"
+svid_bundle_file_name = "svid_bundle.pem"
 ```
 
 ### Windows example
-
-agentAddress = "spire-agent\\public\\api"
-certDir = "certs"
-svidFileName = "svid.pem"
-svidKeyFileName = "svid_key.pem"
-svidBundleFileName = "svid_bundle.pem"
+```
+agent_address = "spire-agent\\public\\api"
+cert_dir = "certs"
+svid_file_name = "svid.pem"
+svid_key_file_name = "svid_key.pem"
+svid_bundle_file_name = "svid_bundle.pem"
+```
@@ -1,19 +1,19 @@
 # SPIRE agent unix socket path
-agentAddress = "/tmp/spire-agent/public/api.sock"
+agent_address = "/tmp/spire-agent/public/api.sock"
 
 # psql binary path
 cmd = "/usr/sbin/mosquitto"
 
 # Query for configuration reloading
-cmdArgs = "-c ./examples/mosquitto/mosquitto.conf"
+cmd_args = "-c ./examples/mosquitto/mosquitto.conf"
 
 # Directory to store certificates (must match with the ssl setings in postgresql.conf)
-certDir = "/opt/spire/certs/mosquitto"
+cert_dir = "/opt/spire/certs/mosquitto"
 
 # No renew signal is used in this example
-renewSignal = "SIGHUP"
+renew_signal = "SIGHUP"
 
 # Certificate, key and bundle names must match those configured in mosquitto.conf
-svidFileName = "svid.pem"
-svidKeyFileName = "svid.key"
-svidBundleFileName = "svid_bundle.pem"
+svid_file_name = "svid.pem"
+svid_key_file_name = "svid.key"
+svid_bundle_file_name = "svid_bundle.pem"
@@ -1,23 +1,23 @@
 # SPIRE agent unix socket path
-agentAddress = "/tmp/agent.sock"
+agent_address = "/tmp/agent.sock"
 
 # mysql binary path
 cmd = "/usr/bin/mysql"
 
 # Query for configuration reloading
-cmdArgs = "-e \"ALTER INSTANCE RELOAD TLS;\""
+cmd_args = "-e \"ALTER INSTANCE RELOAD TLS;\""
 
 # No renew signal is used for this example
-renewSignal = ""
+renew_signal = ""
 
 # Directory where mysql stores the certificates
-certDir = "/var/lib/mysql"
+cert_dir = "/var/lib/mysql"
 
 # Certificate, key and bundle names must match those configured for mysql
-svidFileName = "server-cert.pem"
-svidKeyFileName = "server-key.pem"
-svidBundleFileName = "ca.pem"
+svid_file_name = "server-cert.pem"
+svid_key_file_name = "server-key.pem"
+svid_bundle_file_name = "ca.pem"
 
-# MySQL expect intermediate certificates inside `svidBundleFile` file
-# instead of svidFile
-addIntermediatesToBundle = true
+# MySQL expect intermediate certificates inside `svid_bundle_file` file
+# instead of svid_file
+add_intermediates_to_bundle = true
@@ -19,23 +19,23 @@
 #
 
 # SPIRE agent unix socket path
-agentAddress = "/tmp/agent.sock"
+agent_address = "/tmp/agent.sock"
 
 # psql binary path
 cmd = "/usr/bin/psql"
 
 # Query for configuration reloading
-cmdArgs = "-p 5432 -c \"SELECT pg_reload_conf();\""
+cmd_args = "-p 5432 -c \"SELECT pg_reload_conf();\""
 
 # Directory to store certificates (must match with the ssl setings in postgresql.conf)
-certDir = "/opt/spire/certs/postgresql"
+cert_dir = "/opt/spire/certs/postgresql"
 
 # No renew signal is used in this example
-renewSignal = ""
+renew_signal = ""
 
 # Certificate, key and bundle names must match those configured in postgresql.conf
-svidFileName = "svid.pem"
-svidKeyFileName = "svid.key"
-svidBundleFileName = "svid_bundle.pem"
+svid_file_name = "svid.pem"
+svid_key_file_name = "svid.key"
+svid_bundle_file_name = "svid_bundle.pem"
 
 
@@ -1,12 +1,12 @@
-agentAddress = "/tmp/agent.sock"
+agent_address = "/tmp/agent.sock"
 cmd = ""
-cmdArgs = ""
-certDir = "certs"
-renewSignal = "SIGUSR1"
-svidFileName = "svid.pem"
-svidKeyFileName = "svid_key.pem"
-svidBundleFileName = "svid_bundle.pem"
+cmd_args = ""
+cert_dir = "certs"
+renew_signal = "SIGUSR1"
+svid_file_name = "svid.pem"
+svid_key_file_name = "svid_key.pem"
+svid_bundle_file_name = "svid_bundle.pem"
 # Add CA with intermediates into Bundle file instead of SVID file,
 # it is the expected behavior in some scenarios like MySQL.
 # Default: false
-# addIntermediatesToBundle = false
+# add_intermediates_to_bundle = false
@@ -1,8 +1,8 @@
-agentAddress = "/tmp/agent.sock"
+agent_address = "/tmp/agent.sock"
 cmd = "hot-restarter.py"
-cmdArgs = "start_envoy.sh"
-certDir = "certs"
-renewSignal = "SIGHUP"
-svidFileName = "svid.pem"
-svidKeyFileName = "svid_key.pem"
-svidBundleFileName = "svid_bundle.pem"
+cmd_args = "start_envoy.sh"
+cert_dir = "certs"
+renew_signal = "SIGHUP"
+svid_file_name = "svid.pem"
+svid_key_file_name = "svid_key.pem"
+svid_bundle_file_name = "svid_bundle.pem"
@@ -1,8 +1,8 @@
-agentAddress = "/tmp/agent.sock"
+agent_address = "/tmp/agent.sock"
 cmd = "ghostunnel"
-cmdArgs = "server --listen localhost:8002 --target localhost:8001 --keystore certs/svid_key.pem --cacert certs/svid_bundle.pem --allow-uri-san spiffe://example.org/Database"
-certDir = "certs"
-renewSignal = "SIGUSR1"
-svidFileName = "svid.pem"
-svidKeyFileName = "svid_key.pem"
-svidBundleFileName = "svid_bundle.pem"
+cmd_args = "server --listen localhost:8002 --target localhost:8001 --keystore certs/svid_key.pem --cacert certs/svid_bundle.pem --allow-uri-san spiffe://example.org/Database"
+cert_dir = "certs"
+renew_signal = "SIGUSR1"
+svid_file_name = "svid.pem"
+svid_key_file_name = "svid_key.pem"
+svid_bundle_file_name = "svid_bundle.pem"
@@ -1,11 +1,11 @@
-agentAddress = "spire-agent\\public\\api"
+agent_address = "spire-agent\\public\\api"
 cmd = ""
-cmdArgs = ""
-certDir = "certs"
-svidFileName = "svid.pem"
-svidKeyFileName = "svid_key.pem"
-svidBundleFileName = "svid_bundle.pem"
+cmd_args = ""
+cert_dir = "certs"
+svid_file_name = "svid.pem"
+svid_key_file_name = "svid_key.pem"
+svid_bundle_file_name = "svid_bundle.pem"
 # Add CA with intermediates into Bundle file instead of SVID file,
 # it is the expected behavior in some scenarios like MySQL.
 # Default: false
-# addIntermediatesToBundle = false
+# add_intermediates_to_bundle = false
@@ -115,8 +115,6 @@ func ValidateConfig(c *Config) error {
 	}
 
 	switch {
-	case c.AgentAddress == "":
-		return errors.New("agent_address is required")
 	case c.SvidFileName == "":
 		return errors.New("svid_file_name is required")
 	case c.SvidKeyFileName == "":

@@ -50,15 +50,6 @@ func TestValidateConfig(t *testing.T) {
 				SvidBundleFileName: "bundle.pem",
 			},
 		},
-		{
-			name: "no address",
-			config: &Config{
-				SvidFileName:       "cert.pem",
-				SvidKeyFileName:    "key.pem",
-				SvidBundleFileName: "bundle.pem",
-			},
-			expectError: "agent_address is required",
-		},
 		{
 			name: "no SVID file",
 			config: &Config{

@@ -18,8 +18,9 @@ import (
 )
 
 const (
-	certsFileMode = os.FileMode(0644)
-	keyFileMode   = os.FileMode(0600)
+	certsFileMode       = os.FileMode(0644)
+	keyFileMode         = os.FileMode(0600)
+	defaultAgentAddress = "/tmp/spire-agent/public/api.sock"
 )
 
 // Sidecar is the component that consumes the Workload API and renews certs
@@ -47,7 +48,13 @@ func New(configPath string, log logrus.FieldLogger) (*Sidecar, error) {
 		return nil, fmt.Errorf("invalid configuration: %w", err)
 	}
 
-	// TODO: add default agent socket path
+	if config.AgentAddress == "" {
+		config.AgentAddress = os.Getenv("SPIRE_AGENT_ADDRESS")
+		if config.AgentAddress == "" {
+			config.AgentAddress = defaultAgentAddress
+		}
+	}
+
 	config.Log.WithField("agent_address", config.AgentAddress).Info("Connecting to agent")
 	if config.Cmd == "" {
 		config.Log.Warn("No cmd defined to execute.")

@@ -4,6 +4,7 @@ import (
 	"context"
 	"crypto"
 	"crypto/x509"
+	"os"
 	"path"
 	"testing"
 	"time"
@@ -191,6 +192,29 @@ func TestSidecar_RunDaemon(t *testing.T) {
 	cancel()
 }
 
+func TestDefaultAgentAddress(t *testing.T) {
+	log, _ := test.NewNullLogger()
+	spiffeSidecar, err := New("../../test/sidecar/config/helper.conf", log)
+	require.NoError(t, err)
+	assert.Equal(t, spiffeSidecar.config.AgentAddress, "/tmp/spire-agent/public/api.sock")
+}
+func TestEnvAgentAddress(t *testing.T) {
+	os.Setenv("SPIRE_AGENT_ADDRESS", "/tmp/agent.sock")
+	log, _ := test.NewNullLogger()
+	spiffeSidecar, err := New("../../test/sidecar/config/helper.conf", log)
+	require.NoError(t, err)
+	assert.Equal(t, spiffeSidecar.config.AgentAddress, "/tmp/agent.sock")
+}
+
+func TestAgentAddress(t *testing.T) {
+	// This test is used to verify that we get the agent_address of the .conf file instead of the ENV value, if we have both
+	os.Setenv("SPIRE_AGENT_ADDRESS", "/tmp/agent.sock")
+	log, _ := test.NewNullLogger()
+	spiffeSidecar, err := New("../../test/sidecar/configWithAddress/helper.conf", log)
+	require.NoError(t, err)
+	assert.Equal(t, spiffeSidecar.config.AgentAddress, "/tmp/spire-agent/public/api.sock")
+}
+
 func TestGetCmdArgs(t *testing.T) {
 	cases := []struct {
 		name         string

@@ -0,0 +1,9 @@
+cmd = "hot-restarter.py"
+cmd_args = "start_envoy.sh"
+cert_dir = "certs"
+renew_signal = "SIGHUP"
+svid_file_name = "svid.pem"
+svid_key_file_name = "svid_key.pem"
+svid_bundle_file_name = "svid_bundle.pem"
+timeout = "10s"
+add_intermediates_to_bundle = true
@@ -0,0 +1,10 @@
+agent_address = "/tmp/spire-agent/public/api.sock"
+cmd = "hot-restarter.py"
+cmd_args = "start_envoy.sh"
+cert_dir = "certs"
+renew_signal = "SIGHUP"
+svid_file_name = "svid.pem"
+svid_key_file_name = "svid_key.pem"
+svid_bundle_file_name = "svid_bundle.pem"
+timeout = "10s"
+add_intermediates_to_bundle = true