Merge pull request #1 from amartinezfayo/generalize-envoy-support

Make the Sidecar generic

README.md

@@ -1,3 +1,36 @@
 # SPIRE Sidecar
 
-The SPIRE sidecar is a simple utility for fetching certificates from the SPIRE Workload API and signaling Ghostunnel to reload them.
+The SPIRE Sidecar is a simple utility for fetching X.509 SVID certificates from the SPIRE Workload API, launch a process that makes use of the certificates and continuosly get new certificates before they expire. The launched process is signaled to reload the certificates when is needed.
+
+### Usage
+`$ sidecar -config <config_file>`
+
+`<config_file>`: file path to the configuration file.
+
+If `-config` is not specified, the default value `sidecar_config.hcl` is assumed. 
+
+### Configuration
+The configuration file is an [HCL](https://github.com/hashicorp/hcl) formatted file that defines the following configurations:
+
+ |Configuration        | Description                                                                                    | Example Value |
+ |---------------------|------------------------------------------------------------------------------------------------| ------------- |
+ |`agentAddress`       | Socket address of SPIRE Agent.                                                                 | `"/tmp/agent.sock"`                                                                                                                                                  |
+ |`cmd`                | The path to the process to launch.                                                             | `"ghostunnel"`                                                                                                                                                       |
+ |`cmdArgs`            | The arguments of the process to launch.                                                        | `"server --listen localhost:8002 --target localhost:8001--keystore certs/svid_key.pem --cacert certs/svid_bundle.pem --allow-uri-san spiffe://example.org/Database"` |
+ |`certDir`            | Directory name to store the fetched certificates. This directory must be created previously.   | `"certs"`                                                                                                                                                            |
+ |`renewSignal`        | The signal that the process to be launched expects to reload the certificates.                 | `"SIGUSR1"`                                                                                                                                                          |
+ |`svidFileName`       | File name to be used to store the X.509 SVID public certificate in PEM format.                 | `"svid.pem"`                                                                                                                                                         |
+ |`svidKeyFileName`    | File name to be used to store the X.509 SVID private key and public certificate in PEM format. | `"svid_key.pem"`                                                                                                                                                     |
+ |`svidBundleFileName` | File name to be used to store the X.509 SVID Bundle in PEM format.                             | `"svid_bundle.pem"`                                                                                                                                                  |
+
+#### Configuration example
+```
+agentAddress = "/tmp/agent.sock"
+cmd = "ghostunnel"
+cmdArgs = "server --listen localhost:8002 --target localhost:8001 --keystore certs/svid_key.pem --cacert certs/svid_bundle.pem --allow-uri-san spiffe://example.org/Database"
+certDir = "certs"
+renewSignal = "SIGUSR1"
+svidFileName = "svid.pem"
+svidKeyFileName = "svid_key.pem"
+svidBundleFileName = "svid_bundle.pem"
+```

config.go

@@ -8,10 +8,14 @@ import (
 
 // SidecarConfig is HCL config data
 type SidecarConfig struct {
-	AgentAddress   string `hcl:"agentAddress"`
-	GhostunnelCmd  string `hcl:"ghostunnelCmd"`
-	GhostunnelArgs string `hcl:"ghostunnelArgs"`
-	CertDir        string `hcl:"certDir"`
+	AgentAddress       string `hcl:"agentAddress"`
+	Cmd                string `hcl:"cmd"`
+	CmdArgs            string `hcl:"cmdArgs"`
+	CertDir            string `hcl:"certDir"`
+	SvidFileName       string `hcl:"svidFileName"`
+	SvidKeyFileName    string `hcl:"svidKeyFileName"`
+	SvidBundleFileName string `hcl:"svidBundleFileName"`
+	RenewSignal        string `hcl:"renewSignal"`
 }
 
 // ParseConfig parses the given HCL file into a SidecarConfig struct
@@ -36,5 +40,5 @@ func ParseConfig(file string) (sidecarConfig *SidecarConfig, err error) {
 		return nil, err
 	}
 
-	return
+	return sidecarConfig, nil
 }

glide.yaml

@@ -1,15 +1,6 @@
 package: github.com/spiffe/sidecar
 import:
-- package: github.com/golang/protobuf
-  subpackages:
-  - proto
 - package: github.com/hashicorp/hcl
-- package: golang.org/x/net
-  subpackages:
-  - context
 - package: google.golang.org/grpc
   version: ^1.6.0
-testImport:
-- package: github.com/spiffe/spiffe-example
-  subpackages:
-  - rosemary/build/tools/sidecar/wlapi
+- package: github.com/spiffe/spire/proto/api/workload

main.go

@@ -2,35 +2,40 @@ package main
 
 import (
 	"context"
+	"flag"
+	"fmt"
 	"net"
 	"time"
 
-	workload "github.com/spiffe/sidecar/wlapi"
+	"github.com/spiffe/spire/proto/api/workload"
 	"google.golang.org/grpc"
 )
 
-const (
-	configFile = "sidecar_config.hcl"
-)
-
 func main() {
 	// 0. Load configuration
 	// 1. Request certs using Workload API
 	// 2. Put cert on disk
-	// 3. Start ghostunnel if not running, otherwise send SIGUSR1 to reload cert
-	// 4. Wait until TTL expires
+	// 3. Start the specified process if it is not running, otherwise send the configured signal to renew the certificates
+	// 4. Wait until TTL/2
 	// 5. Goto 1
 
-	config, err := ParseConfig(configFile)
+	configFile := flag.String("config", "sidecar_config.hcl", "<configFile> Configuration file path")
+	flag.Parse()
+
+	config, err := ParseConfig(*configFile)
 	if err != nil {
-		panic(err)
+		panic(fmt.Errorf("error parsing configuration file: %v\n%v", *configFile, err))
 	}
 	log("Sidecar is up! Will use agent at %s\n\n", config.AgentAddress)
+	if config.Cmd == "" {
+		log("Warning: no cmd defined to execute.\n")
+	}
+	log("Using configuration file: %v\n", *configFile)
 
 	workloadClient, ctx, cancel, err := createGrpcClient(config)
 	defer cancel()
 	if err != nil {
-		panic(err)
+		panic(fmt.Errorf("error creating GRPC client.\n%v", err))
 	}
 
 	sidecar := NewSidecar(ctx, config, workloadClient)
@@ -53,5 +58,5 @@ func createGrpcClient(config *SidecarConfig) (workloadClient workload.WorkloadCl
 
 	workloadClient = workload.NewWorkloadClient(conn)
 
-	return
+	return workloadClient, ctx, cancel, err
 }