This repository has been archived by the owner on Mar 22, 2024. It is now read-only.
Adding quick-start example #476
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: cccsss01 <56396984+cccsss01@users.noreply.github.com>
Signed-off-by: cccsss01 <56396984+cccsss01@users.noreply.github.com>
Signed-off-by: cccsss01 <56396984+cccsss01@users.noreply.github.com>
cccsss01
requested review from
marcofranssen,
kfox1111,
developer-guy,
dfeldman,
faisal-memon,
mrsabath and
edwbuck
as code owners
kfox1111
reviewed
Sep 5, 2023
|
|
||
| # Obtain the Required Files | ||
|
|
||
| This guide requires a number of **.yaml** files. To obtain this directory of files clone **https://github.com/spiffe/spire-tutorials** and obtain the **.yaml** files from the **spire-tutorials/k8s/quickstart-helm** subdirectory. Remember to run all kubectl commands in the directory in which those files reside. |
There was a problem hiding this comment.
This I think isn't true anymore when in the helm-charts repo?
Comment on lines
+54
to
+60
| In order to enable SPIRE to perform workload attestation -- which allows the agent to identify the workload to attest to its agent -- you must register the workload in the server. This tells SPIRE how to identify the workload and which SPIFFE ID to give it. | ||
|
|
||
| 1. Create a new registration entry for the node, specifying the SPIFFE ID to allocate to the node: | ||
| > **Note** change -selector k8s_sat:cluster:demo-cluster to your cluster name | ||
|
|
||
| ```shell | ||
| $ kubectl exec -n spire spire-server-0 -- \ |
There was a problem hiding this comment.
The controller-manager provided with the chart will automatically do this. Its the recommended way.
| In this section, you configure a workload container to access SPIRE. Specifically, you are configuring the workload container to access the Workload API UNIX domain socket. | ||
|
|
||
| The **client-deployment.yaml** file configures a no-op container using the **spire-k8s** docker image used for the server and agent. Examine the `volumeMounts` and `volumes configuration` stanzas to see how the UNIX domain `spire-agent.sock` is bound in. | ||
|
|
There was a problem hiding this comment.
Maybe some comment about the spire-agent with the parameters "api watch" makes it function as a normal workload and not as the spire-agent itself. Otherwise we might confuse the user into thinking they need their own spire-agent in each workload?
faisal-memon
reviewed
Sep 6, 2023
faisal-memon
reviewed
Sep 6, 2023
marcofranssen
changed the title
Co-authored-by: kfox1111 <Kevin.Fox@pnnl.gov> Signed-off-by: cccsss01 <56396984+cccsss01@users.noreply.github.com>
Co-authored-by: Faisal Memon <fymemon@yahoo.com> Signed-off-by: cccsss01 <56396984+cccsss01@users.noreply.github.com>
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Had issues w/ current readme in spiffe.io, changed the quick-start guide to deploy spiffe/spire.