Status: Open
Discovered: December 6, 2025
Component: SLIM Control Plane
Severity: High
Summary
When enabling SPIRE mTLS on the SLIM controller via the Helm chart, the southbound API service fails to start. The northbound API starts successfully, but no southbound listener is created, causing SLIM nodes to fail to connect.
Steps to Reproduce
- Deploy SPIRE server and agents:
  ./scripts/spire.sh install
- Register SLIM workloads with SPIRE:
  ./scripts/spire.sh register-slim
- Install SLIM controller with SPIRE enabled:
  SPIRE_ENABLED=true ./scripts/slim-controller.sh install
  Or manually via Helm:
  helm install slim-controller slim-control-plane-v0.7.0.tgz \
    -n lumuscar-jobs \
    --set config.database.filePath="/db/controlplane.db" \
    --set spire.enabled=true \
    --set spire.agentSocketPath="unix:///run/spire/agent-sockets/spire-agent.sock" \
    --set config.southbound.tls.useSpiffe=true \
    --set config.southbound.spire.socketPath="unix:///run/spire/agent-sockets/spire-agent.sock"
- Install SLIM node with SPIRE enabled:
  SPIRE_ENABLED=true ./scripts/slim-node.sh install
- Check controller logs:
  kubectl logs -n lumuscar-jobs -l app.kubernetes.io/name=slim-control-plane
Expected Behavior
Controller starts both APIs:
- Northbound API on port 50051
- Southbound API on port 50052 with mTLS via SPIRE
Actual Behavior
- Controller logs only show:
  Northbound API Service is listening on [::]:50051
- Southbound service never starts (no log entry)
- No error messages indicating why southbound failed
- SLIM node connection attempts fail with:
  connecting to control plane config.endpoint=https://slim-control:50052
  Connection attempt: #1 failed: status: 'The service is currently unavailable', self: "tcp connect error"
  Connection attempt: #2 failed: status: 'The service is currently unavailable', self: "tcp connect error"
  ...
Controller Configuration (from ConfigMap)
database:
  filePath: /db/controlplane.db
logging:
  level: DEBUG
northbound:
  httpHost: 0.0.0.0
  httpPort: '50051'
reconciler:
  maxNumOfParallelReconciles: 1000
  maxRequeues: 15
southbound:
  httpHost: 0.0.0.0
  httpPort: '50052'
  spire:
    socketPath: unix:///run/spire/agent-sockets/spire-agent.sock
  tls:
    useSpiffe: true
Environment
| Component | Version |
|---|---|
| SLIM Control Plane Helm Chart | v0.7.0 |
| SLIM Node Helm Chart | v0.7.0 |
| SPIRE Server/Agent | v1.13.2 |
| SPIRE Helm Chart | v0.27.1 |
| Kubernetes | MicroK8s |
| Trust Domain | example.org |
Verification Performed
- ✅ SPIRE server running (1 pod)
- ✅ SPIRE agents running on all nodes (6 pods via DaemonSet)
- ✅ SPIRE socket mounted in controller pod at /run/spire/agent-sockets/
- ✅ Workload entries registered for slim-control and slim service accounts:
  spiffe://example.org/slim/controller -> k8s:sa:slim-control
  spiffe://example.org/slim/node -> k8s:sa:slim
- ✅ Insecure mode works correctly - controller and node connect successfully
Controller Pod Volume Mounts
volumeMounts:
  - mountPath: /config.yaml
    name: config-volume
    subPath: config.yaml
  - mountPath: /run/spire/agent-sockets
    name: spire-agent-socket
  - mountPath: /db
    name: db-storage
volumes:
  - hostPath:
      path: /run/spire/agent-sockets
      type: Directory
    name: spire-agent-socket
Workaround
Use insecure mode until this issue is resolved:
# Deploy without SPIRE (works)
./scripts/slim-controller.sh install
./scripts/slim-node.sh install
Related
- SLIM Repository: https://github.com/agntcy/slim
- feat(tourist_scheduling): ADK migration, SLIM transport, OASF records agentic-apps#86
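Because the controller logs nothing when the southbound listener fails to come up, the two things worth checking first are whether the ConfigMap and pod spec are mutually consistent (useSpiffe set, a unix:// socket path configured, and that path's directory actually mounted) and whether anything is accepting connections on the agent socket inside the pod. The script below does both; it is an added example written for this report, not code from the SLIM project or the reporter. The config text and mount list are copied from the report above; the YAML parser is a deliberately minimal one for this flat key/value file, and the socket probe only confirms that a listener accepts a connection on the Workload API socket, not that the agent will issue an SVID to the pod's service account.

```python
"""Consistency and reachability checks for the SLIM southbound SPIRE configuration."""
import os
import socket
from urllib.parse import urlparse

# Controller ConfigMap exactly as reported in this issue.
CONTROLLER_CONFIG = """\
database:
  filePath: /db/controlplane.db
logging:
  level: DEBUG
northbound:
  httpHost: 0.0.0.0
  httpPort: '50051'
reconciler:
  maxNumOfParallelReconciles: 1000
  maxRequeues: 15
southbound:
  httpHost: 0.0.0.0
  httpPort: '50052'
  spire:
    socketPath: unix:///run/spire/agent-sockets/spire-agent.sock
  tls:
    useSpiffe: true
"""

# mountPath values from the controller pod spec in the report.
CONTROLLER_MOUNTS = ["/config.yaml", "/run/spire/agent-sockets", "/db"]


def parse_simple_yaml(text):
    """Parse two-space-indented nested mappings of scalars (no lists, anchors or
    multi-line values); that is all this ConfigMap uses. Quoted scalars stay strings."""
    root, stack = {}, [(-1, {})]
    stack[0] = (-1, root)
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        value = value.strip()
        while stack[-1][0] >= indent:
            stack.pop()
        parent = stack[-1][1]
        if value == "":
            parent[key] = {}
            stack.append((indent, parent[key]))
        elif len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            parent[key] = value[1:-1]
        elif value.lower() in ("true", "false"):
            parent[key] = value.lower() == "true"
        else:
            parent[key] = value
    return root


def socket_uri_to_path(uri):
    """Translate the unix:// URI the chart uses into a filesystem path."""
    parsed = urlparse(uri)
    if parsed.scheme != "unix":
        raise ValueError(f"expected unix:// socket URI, got {uri!r}")
    return parsed.path


def southbound_spire_issues(config, mount_paths):
    """Return configuration problems that would leave the southbound listener without
    a usable Workload API endpoint. An empty list means the config is consistent."""
    sb = config.get("southbound", {})
    if not sb.get("tls", {}).get("useSpiffe", False):
        return []
    socket_uri = sb.get("spire", {}).get("socketPath")
    if not socket_uri:
        return ["southbound.tls.useSpiffe is true but southbound.spire.socketPath is unset"]
    try:
        sock_dir = os.path.dirname(socket_uri_to_path(socket_uri))
    except ValueError as exc:
        return [str(exc)]
    covered = any(sock_dir == m or sock_dir.startswith(m.rstrip("/") + "/") for m in mount_paths)
    return [] if covered else [f"socket directory {sock_dir} is not covered by any volumeMount"]


def agent_socket_reachable(uri, timeout=2.0):
    """True only if a listener accepts a connection on the agent socket. A missing
    file or ECONNREFUSED both mean the controller cannot reach the Workload API."""
    path = socket_uri_to_path(uri)
    if not os.path.exists(path):
        return False
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect(path)
        except OSError:
            return False
    return True


if __name__ == "__main__":
    cfg = parse_simple_yaml(CONTROLLER_CONFIG)
    for line in southbound_spire_issues(cfg, CONTROLLER_MOUNTS) or ["config consistent"]:
        print(line)
    print("agent socket reachable:", agent_socket_reachable(cfg["southbound"]["spire"]["socketPath"]))
```

Run it inside the controller pod (kubectl exec with a python3 image or a debug container sharing the pod's mounts) so the socket probe sees the same filesystem the controller does; on the reporter's config it reports the settings as consistent, which narrows the fault to the socket or to the controller's handling of the useSpiffe path rather than to the chart values.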