Enable use of spiffe-helper as a wrapper around another command in a pipeline #249
Description
As noted in #245 (comment), presently it's difficult to use spiffe-helper to wrap another command, because:
- it doesn't forward its stdin to the command it runs (addressed by Forward spiffe-helper's stdin to the 'cmd' invoked in daemon_mode #245)
- it doesn't write the child command's pid anywhere, so there's no easy way to reliably identify and signal the wrapped process
- it doesn't forward signals to the child process
- it uses a stringified argument list when invoking the child process, which is difficult to reliably and correctly escape for all argument variations, instead of using an array argument-vector or a CLI wrapper style like
spiffe-helper -config-file config.hcl -- mycommand "arguments go" "here" - it doesn't forward other open file descriptors if custom additional FDs are passed when it is invoked
It would be quite helpful to be able to replace commands in a pipeline with spiffe-helper wrappers around them in much the same way one can wrap a command with sudo, fluent-bit's exec plugin, or various other helpers.
This would require forwarding stdin the process to wrap, and would require spiffe-helper to support running in a one-shot mode where it exits when the child command exits, propagating the exit signal of the child process.
Such wrapping cannot easily be made perfect; in particular the unix interface for processes provides no way for a process to exit with "exited with signal" without actually signalling itself, so if the child process exits with a fatal signal it's not easy or clean to have spiffe-helper exit with the same status. But we can adopt the unix shell's convention here, by using exit codes <126 for normal exits, and encoding signal exits in codes >=128.
I did some work on this feature already, which can be found in my working branch here: https://github.com/ringerc/spiffe-helper-PRs/tree/wip-omnibus-wrapper-mode and my notes here: #245 (comment) . I'll return to if I get time, but expect to focus on improving the ability to use spiffe-helper as a co-process helper instead of a wrapper first.