
Conversation

jewertow
Member

@jewertow jewertow commented Sep 3, 2025

Description

I believe that the init container wait-for-spire-socket is an obsolete workaround, because the Spire CSI driver requires the volume mount to be read-only and it also enforces it internally. I wasn't able to reproduce a scenario where the istio-agent created the socket on its own when spire-agent was not available, because it simply failed on the write operation:

2025-09-03T10:12:04.958407Z     error   sds     SDS grpc server for workload proxies failed to set up UDS: failed to remove unix://var/run/secrets/workload-spiffe-uds/socket: remove var/run/secrets/workload-spiffe-uds/socket: read-only file system
2025-09-03T10:12:20.959464Z     warn    sds     SDS grpc server could not be started

So I think it does not make any sense to still keep this workaround in the documentation.

Alternatively, we might document the following configuration as a replacement:

apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  namespace: istio-system
spec:
  profile: default
  meshConfig:
    trustDomain: example.org
    defaultConfig:
       proxyMetadata:
         WORKLOAD_IDENTITY_SOCKET_FILE: "spire-agent.sock"
  components:
    ingressGateways:
      - name: istio-ingressgateway
        enabled: true
        label:
          istio: ingressgateway
        k8s:
          overlays:
            - apiVersion: apps/v1
              kind: Deployment
              name: istio-ingressgateway
              patches:
                - path: spec.template.spec.volumes.[name:workload-socket]
                  value:
                    name: workload-socket
                    csi:
                      driver: "csi.spiffe.io"
                      readOnly: true
                - path: spec.template.spec.containers.[name:istio-proxy].volumeMounts.[name:workload-socket]
                  value:
                    name: workload-socket
                    mountPath: "/run/secrets/workload-spiffe-uds"
                    readOnly: true

The WORKLOAD_IDENTITY_SOCKET_FILE setting ensures that istio-agent will always wait for the SDS socket, instead of trying to create it on its own. That socket name is used by spire-agent by default, so users don't need to customize the spire installation to make it work.
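The two invariants the description relies on (the workload-socket volume is a read-only csi.spiffe.io CSI mount, and WORKLOAD_IDENTITY_SOCKET_FILE is set so istio-agent waits for the socket rather than creating it) can be checked mechanically over an IstioOperator manifest. The following is an added example and is not code from the Istio or SPIRE projects or from this PR; it assumes the overlay path strings exactly as written in the manifest above, takes the manifest as an already-parsed dict (what a YAML loader would return, so no YAML library is imported), and treats "spire-agent.sock" as the spire-agent default socket name stated in the description.

```python
# Added example: a manifest check for the read-only SPIRE CSI socket mount and
# the fixed socket file name. Not code from Istio, SPIRE or this PR.
from __future__ import annotations

from typing import Any, Iterator

# Overlay patch paths in the Istio operator's patch syntax, copied from the
# manifest above (assumed exact; other spellings are not matched).
VOLUME_PATCH_PATH = "spec.template.spec.volumes.[name:workload-socket]"
MOUNT_PATCH_PATH = (
    "spec.template.spec.containers.[name:istio-proxy]"
    ".volumeMounts.[name:workload-socket]"
)
EXPECTED_DRIVER = "csi.spiffe.io"
EXPECTED_MOUNT_PATH = "/run/secrets/workload-spiffe-uds"
SPIRE_AGENT_DEFAULT_SOCKET = "spire-agent.sock"  # default stated in the description

# Constructed sample: the IstioOperator from the description, as a parsed dict.
SAMPLE_ISTIO_OPERATOR: dict[str, Any] = {
    "apiVersion": "install.istio.io/v1alpha1",
    "kind": "IstioOperator",
    "metadata": {"namespace": "istio-system"},
    "spec": {
        "profile": "default",
        "meshConfig": {
            "trustDomain": "example.org",
            "defaultConfig": {
                "proxyMetadata": {"WORKLOAD_IDENTITY_SOCKET_FILE": "spire-agent.sock"}
            },
        },
        "components": {
            "ingressGateways": [{
                "name": "istio-ingressgateway",
                "enabled": True,
                "label": {"istio": "ingressgateway"},
                "k8s": {"overlays": [{
                    "apiVersion": "apps/v1",
                    "kind": "Deployment",
                    "name": "istio-ingressgateway",
                    "patches": [
                        {"path": VOLUME_PATCH_PATH,
                         "value": {"name": "workload-socket",
                                   "csi": {"driver": "csi.spiffe.io", "readOnly": True}}},
                        {"path": MOUNT_PATCH_PATH,
                         "value": {"name": "workload-socket",
                                   "mountPath": "/run/secrets/workload-spiffe-uds",
                                   "readOnly": True}},
                    ],
                }]},
            }]
        },
    },
}


def _deployment_patches(iop: dict[str, Any]) -> Iterator[tuple[str, dict[str, Any]]]:
    """Yield (gateway name, patch) for every Deployment overlay patch."""
    gateways = iop.get("spec", {}).get("components", {}).get("ingressGateways", [])
    for gw in gateways:
        for overlay in gw.get("k8s", {}).get("overlays", []):
            if overlay.get("kind") != "Deployment":
                continue
            for patch in overlay.get("patches", []):
                yield gw.get("name", "<unnamed>"), patch


def check_spire_socket_config(iop: dict[str, Any]) -> list[str]:
    """Return findings; an empty list means the manifest matches the expected shape."""
    findings: list[str] = []

    proxy_md = (iop.get("spec", {}).get("meshConfig", {})
                .get("defaultConfig", {}).get("proxyMetadata", {}))
    socket_file = proxy_md.get("WORKLOAD_IDENTITY_SOCKET_FILE")
    if not socket_file:
        findings.append("WORKLOAD_IDENTITY_SOCKET_FILE is not set: istio-agent will try "
                        "to create the SDS socket instead of waiting for spire-agent")
    elif socket_file != SPIRE_AGENT_DEFAULT_SOCKET:
        findings.append(f"WORKLOAD_IDENTITY_SOCKET_FILE={socket_file!r} differs from the "
                        f"spire-agent default {SPIRE_AGENT_DEFAULT_SOCKET!r}; spire-agent "
                        "must be configured to create that name")

    seen_volume = seen_mount = False
    for gw, patch in _deployment_patches(iop):
        value = patch.get("value") or {}
        if patch.get("path") == VOLUME_PATCH_PATH:
            seen_volume = True
            csi = value.get("csi") or {}
            if csi.get("driver") != EXPECTED_DRIVER:
                findings.append(f"{gw}: workload-socket volume driver is "
                                f"{csi.get('driver')!r}, expected {EXPECTED_DRIVER!r}")
            if csi.get("readOnly") is not True:
                findings.append(f"{gw}: workload-socket CSI volume is not readOnly")
        elif patch.get("path") == MOUNT_PATCH_PATH:
            seen_mount = True
            if value.get("mountPath") != EXPECTED_MOUNT_PATH:
                findings.append(f"{gw}: istio-proxy mountPath is {value.get('mountPath')!r}, "
                                f"expected {EXPECTED_MOUNT_PATH!r}")
            if value.get("readOnly") is not True:
                findings.append(f"{gw}: istio-proxy volumeMount is not readOnly")
    if not seen_volume:
        findings.append("no workload-socket CSI volume patch found on any ingress gateway")
    if not seen_mount:
        findings.append("no istio-proxy workload-socket volumeMount patch found")
    return findings


if __name__ == "__main__":
    for line in check_spire_socket_config(SAMPLE_ISTIO_OPERATOR) or ["OK: config matches"]:
        print(line)
```

The check only inspects IstioOperator overlays for ingress gateways; a rendered Deployment would need the same two properties read from spec.template.spec.volumes and the istio-proxy container's volumeMounts instead.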

@jewertow jewertow requested a review from a team as a code owner September 3, 2025 11:32
@istio-testing istio-testing added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Sep 3, 2025
@jewertow jewertow requested a review from jaellio September 3, 2025 11:32
@jewertow jewertow force-pushed the remove-wait-for-spire-socket branch from d20bc8a to 35aea2e September 5, 2025 09:19
@jewertow
Member Author

jewertow commented Sep 5, 2025

/test lint

@jewertow
Member Author

jewertow commented Sep 5, 2025

make lint is not idempotent, because it does not fail in my other PR, and the errors are not related to spire at all.

@jewertow
Member Author

jewertow commented Sep 5, 2025

/test lint

@jewertow
Member Author

jewertow commented Sep 5, 2025

/test lint

@istio-testing istio-testing merged commit 23736bc into istio:master Sep 5, 2025
13 checks passed
Labels
area/environments area/security size/M Denotes a PR that changes 30-99 lines, ignoring generated files.