Server 1.10.0+ crashes when deployed with eks example #108

Open
vassilvk opened this issue Nov 26, 2024 · 2 comments
vassilvk commented Nov 26, 2024

  • Version: 1.10.0
  • Platform: Kubernetes (EKS)
  • Subsystem: server

Deploying SPIRE server using the EKS deployment example works up to version 1.9.6.

Switching the server (and agent) image to 1.10.0 or above (I tested up to 1.11.0) leads to spire-server going into a crash loop backoff, issuing the following message:

time="2024-11-26T22:36:32Z" level=error msg="Server crashed" error="datastore-sql: unable to open database file: no such file or directory"

Note on persistence: I performed all version deployments against empty namespaces with no pre-existing PVCs or volumes.

@amartinezfayo
Member

This seems to be an issue in the configuration of the example, not an issue in SPIRE itself.
It's probably a permission problem due to the changes to run SPIRE as non-root.
This example is using the k8s_sat node attestor, which is deprecated. We should also update it to use k8s_psat instead.

@amartinezfayo amartinezfayo added the help wanted Extra attention is needed label Nov 28, 2024
@sorindumitru sorindumitru transferred this issue from spiffe/spire Mar 13, 2025
@sorindumitru
Contributor

@vassilvk would you mind testing again with the latest changes? We've replaced the use of k8s_sat with k8s_psat. If that doesn't work, could you also try specifying:

securityContext:
  fsGroup: 1000

on the spire-server pods? I think that should make volume mounts be owned by the same group as the one spire-server is running as.
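Where the `fsGroup` setting suggested above sits in a workload manifest, as an added illustration that is not part of the thread or the project's EKS example. The namespace, image reference, volume name, mount path, storage size and the optional `fsGroupChangePolicy` line are assumptions or placeholders; only `fsGroup: 1000` comes from the comment.

```yaml
# Added illustration, not the project's manifest. Names, image and paths are placeholders.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: spire-server
  namespace: spire                       # placeholder namespace
spec:
  serviceName: spire-server
  replicas: 1
  selector:
    matchLabels:
      app: spire-server
  template:
    metadata:
      labels:
        app: spire-server
    spec:
      # fsGroup is a pod-level field: it belongs under spec.template.spec.securityContext,
      # not under containers[].securityContext, where it is rejected as an unknown field.
      securityContext:
        fsGroup: 1000                    # value suggested in the comment above
        # Optional (assumption, not from the thread): skip the recursive ownership
        # change when the volume root already has the expected group.
        fsGroupChangePolicy: OnRootMismatch
      containers:
        - name: spire-server
          image: "<spire-server-image>:<tag>"        # placeholder
          volumeMounts:
            - name: spire-data                        # placeholder volume name
              mountPath: /path/to/spire/data          # placeholder for the server data directory
  volumeClaimTemplates:
    - metadata:
        name: spire-data
      spec:
        accessModes: ["ReadWriteOnce"]
        resources:
          requests:
            storage: 1Gi                              # placeholder size
```

With `fsGroup` set, Kubernetes makes supported volumes group-owned by that GID and adds it to the container's supplementary groups, so a non-root process in that group can create files on the mount. `kubectl get pod <pod> -o jsonpath='{.spec.securityContext}'` shows whether the running pod actually picked up the setting.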
