Merge pull request #1847 from cybozu/fix-spire

Run spire-agent and spiffe-csi-driver as root and add default "run" subcommand to SPIRE entrypoints

Author: chez-shanpu

maintenance.md

@@ -1097,9 +1097,6 @@ Only the base image and module dependency should be updated.
 > [!Note]
 > The spire-server, spire-agent, and spiffe-csi-driver images should be updated at the same time for consistency.
 
-> [!Note]
-> Upstream runs spire-agent as root for socket sharing in Kubernetes. Our image runs as UID 10000 following neco-containers standards. Adjust SecurityContext in Kubernetes manifests if needed.
-
 ## spire-server
 
 ![Regular Update](./regular_update.svg)

spiffe-csi-driver/Dockerfile

@@ -21,6 +21,4 @@ LABEL org.opencontainers.image.source="https://github.com/cybozu/neco-containers
 COPY --from=build /work/spiffe-csi-driver /usr/local/bin/spiffe-csi-driver
 COPY --from=build /work/spiffe-csi/LICENSE /usr/local/share/doc/spiffe-csi/LICENSE
 
-USER 10000:10000
-
 ENTRYPOINT ["/usr/local/bin/spiffe-csi-driver"]

spiffe-csi-driver/TAG

@@ -1 +1 @@
-0.2.9.1
+0.2.9.2

spire-agent/Dockerfile

@@ -25,6 +25,4 @@ COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certifica
 COPY --from=build /work/spire-agent /usr/local/bin/spire-agent
 COPY --from=build /work/spire/LICENSE /usr/local/share/doc/spire-agent/LICENSE
 
-USER 10000:10000
-
-ENTRYPOINT ["/usr/local/bin/spire-agent"]
+ENTRYPOINT ["/usr/local/bin/spire-agent", "run"]

spire-agent/TAG

@@ -1 +1 @@
-1.14.1.1
+1.14.1.2

spire-server/Dockerfile

@@ -28,4 +28,4 @@ COPY --from=build /work/spire/LICENSE /usr/local/share/doc/spire-server/LICENSE
 USER 10000:10000
 EXPOSE 8081
 
-ENTRYPOINT ["/usr/local/bin/spire-server"]
+ENTRYPOINT ["/usr/local/bin/spire-server", "run"]

spire-server/TAG

@@ -1 +1 @@
-1.14.1.1
+1.14.1.2