@@ -17,6 +17,7 @@ import (
1717// fails to fetch the JWT SVID, it deletes its own pod in order to force the pod to be restarted by its
1818// owner (e.g. a deployment controller).
1919type SpiffeJWT struct {
20+ DaemonMode bool `env:"DAEMON_MODE" help:"Run in daemon mode." default:"true"`
2021 HealthPort string `env:"HEALTH_PORT" help:"Port to listen for health checks." default:"8080"`
2122 JWTAudience string `env:"JWT_AUDIENCE" help:"Audience of the JWT." required:""`
2223 JWTFileName string `env:"JWT_FILE_NAME" help:"Name of the file to write the JWT SVID to." required:""`
@@ -29,24 +30,28 @@ func main() {
2930
3031 s := & SpiffeJWT {}
3132 kong .Parse (s )
32- go s .run ()
33- s .startHealthServer ()
34-
33+ if s .DaemonMode {
34+ logrus .Info ("Running in daemon mode" )
35+ go s .run ()
36+ s .startHealthServer ()
37+ } else {
38+ logrus .Info ("Running in one-shot mode" )
39+ jwt , err := s .fetchAndWriteJWTSVID ()
40+ if err != nil {
41+ logrus .WithError (err ).Fatal ("unable to fetch or write JWT SVID, shutting down" )
42+ }
43+ logrus .Info ("JWT SVID fetched and written, it expires in %s" , time .Until (jwt .Expiry ))
44+ }
3545}
3646
3747// run is the main loop of SpiffeJWT. It fetches a JWT SVID from the SPIFFE agent,
3848// writes it to a file and refreshes it periodically.
3949func (s * SpiffeJWT ) run () {
40- // Initial fetch of the JWT SVID
41- jwt , err := s .fetchJWTSVID ()
42- if err != nil {
43- logrus .WithError (err ).Fatal ("unable to fetch JWT SVID, shutting down" )
44- }
4550
46- // Write the JWT SVID to the configured file
47- err = s .writeJWTSVID (jwt )
51+ jwt , err := s .fetchAndWriteJWTSVID ()
4852 if err != nil {
49- logrus .WithError (err ).Fatal ("unable to write JWT SVID to file, shuting down" )
53+ logrus .WithError (err ).Fatal ("unable to fetch or write JWT SVID, shutting down" )
54+ return
5055 }
5156
5257 // Indicate that spiffe-jwt-svid has received it's first JWT SVID (for start probe)
@@ -62,16 +67,11 @@ func (s *SpiffeJWT) run() {
6267 select {
6368 // wait for the ticker to fire
6469 case <- ticker .C :
65- jwt , err := s .fetchJWTSVID ()
66- if err != nil {
67- logrus .WithError (err ).Fatal ("unable to fetch JWT SVID, shutting down" )
68- return
69- }
7070
71- // Write the JWT SVID to the configured file
72- err = s .writeJWTSVID (jwt )
71+ jwt , err := s .fetchAndWriteJWTSVID ()
7372 if err != nil {
74- logrus .WithError (err ).Fatal ("unable to write JWT SVID to file, shuting down" )
73+ logrus .WithError (err ).Fatal ("unable to fetch or write JWT SVID, shutting down" )
74+ return
7575 }
7676
7777 intv := s .getRefreshInterval (jwt )
@@ -81,6 +81,26 @@ func (s *SpiffeJWT) run() {
8181 }
8282}
8383
84+ // fetchAndWriteJWTSVID fetches a JWT SVID from the SPIFFE agent and writes it to a file
85+ func (s * SpiffeJWT ) fetchAndWriteJWTSVID () (* jwtsvid.SVID , error ) {
86+ // Initial fetch of the JWT SVID
87+ jwt , err := s .fetchJWTSVID ()
88+ if err != nil {
89+ logrus .WithError (err ).Error ("unable to fetch JWT SVID, shutting down" )
90+ return nil , err
91+ }
92+
93+ // Write the JWT SVID to the configured file
94+ err = s .writeJWTSVID (jwt )
95+ if err != nil {
96+ logrus .WithError (err ).Error ("unable to write JWT SVID to file, shuting down" )
97+ return nil , err
98+ }
99+
100+ return jwt , nil
101+
102+ }
103+
84104// fetchJWTSVID fetches a JWT SVID from the SPIFFE agent
85105func (s * SpiffeJWT ) fetchJWTSVID () (* jwtsvid.SVID , error ) {
86106 adr := workloadapi .WithAddr ("unix://" + s .SpiffeAgentSocket )
@@ -105,6 +125,7 @@ func (s *SpiffeJWT) fetchJWTSVID() (*jwtsvid.SVID, error) {
105125 return jwt , nil
106126}
107127
128+ // writeJWTSVID writes a JWT SVID to a file
108129func (s * SpiffeJWT ) writeJWTSVID (jwt * jwtsvid.SVID ) error {
109130 err := os .WriteFile (s .JWTFileName , []byte (jwt .Marshal ()), 0644 )
110131 if err != nil {
0 commit comments