support for using unix socket for gRPC #552
Conversation
kkourt
force-pushed
the
pr/kkourt/unix-socket
branch
from
b56d0ae
to
5aaa41a
Compare
|
Thank you @kkourt ! Could you please add an explicit chmod fix to the socket 0700 after it is created, so we don't rely on any lib... |
I don't think it's a good idea to assume what permissions users want. I was thinking users can just define a proper |
We should be safe by default, so doing it the other way is better: have proper permission fix after it is created, then document users if they want to expose it : |
I don't think we should expect users to PTAL. |
kkourt
force-pushed
the
pr/kkourt/unix-socket
branch
from
02c69a2
to
6833fd2
Compare
Now we can provide unix://abosolute_path arguments to both the client (tetra) and the agent (tetragon). Signed-off-by: Kornilios Kourtis <[email protected]>
Up until now, configuring gRPC listen address for the agent via the helm chart used two variables grpc.port and grpc.address. The previous patch added support for passing a unix socket address to the agent, which does not match well the grpc.address:grpc.port configuration. This patch removes the grpc.port helm variable, and, instead, relies only on grpc.address for configuration. Users can use "localhost:54321", ":54321", or "unix:///var/run/tetragon/tetragon.sock" to configure the gRPC address that the agent listens to. Furthermore, the livenessProbe of the agent relies on checking health status via the gRPC interface via the CLI (tetra status). This patch also fixes the livenessProbe so that: - it is only defined, if grpc is enabled - the proper gRPC address is used to contact the agent Signed-off-by: Kornilios Kourtis <[email protected]>
This patch ensures that the control unix socket for the agent has 0660 file permissions. Signed-off-by: Kornilios Kourtis <[email protected]>
kkourt
force-pushed
the
pr/kkourt/unix-socket
branch
from
6833fd2
to
0d7f811
Compare
This PR adds support for using a unix socket for the gRPC agent interface.