support for using unix socket for gRPC #552
b56d0ae to 5aaa41a
Thank you @kkourt! Could you please add an explicit chmod fix to the socket 0700 after it is created, so we don't rely on any lib...
I don't think it's a good idea to assume what permissions users want. I was thinking users can just define a proper
We should be safe by default, so doing it the other way is better: have proper permission fix after it is created, then document users if they want to expose it :
I don't think we should expect users to PTAL.
02c69a2 to 6833fd2
Now we can provide unix://absolute_path arguments to both the client (tetra) and the agent (tetragon).
Signed-off-by: Kornilios Kourtis <kornilios@isovalent.com>

Up until now, configuring gRPC listen address for the agent via the helm chart used two variables grpc.port and grpc.address. The previous patch added support for passing a unix socket address to the agent, which does not match well the grpc.address:grpc.port configuration.
This patch removes the grpc.port helm variable, and, instead, relies only on grpc.address for configuration. Users can use "localhost:54321", ":54321", or "unix:///var/run/tetragon/tetragon.sock" to configure the gRPC address that the agent listens to.
Furthermore, the livenessProbe of the agent relies on checking health status via the gRPC interface via the CLI (tetra status). This patch also fixes the livenessProbe so that:
- it is only defined, if grpc is enabled
- the proper gRPC address is used to contact the agent
Signed-off-by: Kornilios Kourtis <kornilios@isovalent.com>

This patch ensures that the control unix socket for the agent has 0660 file permissions.
Signed-off-by: Kornilios Kourtis <kornilios@isovalent.com>
6833fd2 to 0d7f811
Thank you! unix socket files should behave like normal files.. maybe a test for the ListenWithRename to stat ensure that socket is created with the right mode... up to you!
This PR adds support for using a unix socket for the gRPC agent interface.
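The stat check suggested in the review above, as an added Go example that is not part of this PR or of Tetragon's code. `listenUnixWithMode` and `socketPerm` are hypothetical helpers, and binding under a temporary name before renaming is an assumption about how such a helper could work, not a copy of `ListenWithRename`.

```go
package main

import (
	"fmt"
	"net"
	"os"
)

// listenUnixWithMode is a hypothetical helper (not Tetragon's API). It binds the
// socket under a temporary name, sets its mode, and only then renames it to
// path, so the final name never exists with umask-derived permissions.
func listenUnixWithMode(path string, mode os.FileMode) (net.Listener, error) {
	tmp := fmt.Sprintf("%s.%d.tmp", path, os.Getpid())
	os.Remove(tmp) // clear a stale temporary socket left by a crashed run
	l, err := net.Listen("unix", tmp)
	if err != nil {
		return nil, err
	}
	l.(*net.UnixListener).SetUnlinkOnClose(false) // Close() must not unlink by the old name
	if err = os.Chmod(tmp, mode); err == nil {
		err = os.Rename(tmp, path) // atomically replaces any stale socket at path
	}
	if err != nil {
		l.Close()
		os.Remove(tmp)
		return nil, err
	}
	return l, nil
}

// socketPerm stats path and returns its permission bits; anything but a socket is an error.
func socketPerm(path string) (os.FileMode, error) {
	fi, err := os.Lstat(path)
	if err != nil || fi.Mode()&os.ModeSocket == 0 {
		return 0, fmt.Errorf("%s is not a socket (stat error: %v)", path, err)
	}
	return fi.Mode().Perm(), nil
}

func main() {
	path := os.TempDir() + "/example-agent.sock" // constructed path for the demo
	l, err := listenUnixWithMode(path, 0660)
	if err != nil {
		panic(err)
	}
	defer os.Remove(path)
	defer l.Close()
	fmt.Println(socketPerm(path))
}
```

The temporary name exists briefly with umask-derived permissions before the chmod, so the mode of the parent directory still matters for access control.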