From b8adcc59f8069c78da34801507513412818983fb Mon Sep 17 00:00:00 2001
From: cccsss01 <56396984+cccsss01@users.noreply.github.com>
Date: Thu, 27 Jul 2023 08:53:19 -0500
Subject: [PATCH 1/5] Create values.yaml
Signed-off-by: cccsss01 <56396984+cccsss01@users.noreply.github.com>
---
 examples/quick-start/values.yaml | 54 ++++++++++++++++++++++++++++++++
 1 file changed, 54 insertions(+)
 create mode 100644 examples/quick-start/values.yaml
diff --git a/examples/quick-start/values.yaml b/examples/quick-start/values.yaml
new file mode 100644
index 000000000..0184a35b1
--- /dev/null
+++ b/examples/quick-start/values.yaml
@@ -0,0 +1,54 @@
+# You can enable config/features that affect all services here.
+global:
+ k8s:
+ # -- This is the value of your clusters `kubeadm init --service-dns-domain` flag
+ clusterDomain: cluster.local
+ spire:
+ # -- The name of the Kubernetes cluster (`kubeadm init --service-dns-domain`)
+ clusterName: demo-cluster
+ # -- The trust domain to be used for the SPIFFE identifiers
+ trustDomain: example.org
+ # -- Set the jwt issuer
+ jwtIssuer: oidc-discovery.example.org
+ # -- Override all instances of bundleConfigMap
+ bundleConfigMap: ""
+
+ image:
+ # -- Override all Spire image registries at once
+ registry: ""
+
+# telemetry:
+# prometheus:
+# enabled: true
+# podMonitor:
+# enabled: true
+# # -- Allows to install the PodMonitor in another namespace then the spire components are installed into.
+# namespace: "kube-prometheus-system"
+# labels: {}
+
+# subcharts
+spire-server:
+ # -- Enables deployment of SPIRE Server
+ enabled: true
+ nameOverride: server
+
+ controllerManager:
+ # -- Enables deployment of Controller Manager
+ enabled: true
+
+spire-agent:
+ # -- Enables deployment of SPIRE Agent(s)
+ enabled: true
+ nameOverride: agent
+
+spiffe-csi-driver:
+ # -- Enables deployment of CSI driver
+ enabled: true
+
+spiffe-oidc-discovery-provider:
+ # -- Enables deployment of OIDC discovery provider
+ enabled: false
+
+tornjak-frontend:
+ # -- Enables deployment of Tornjak frontend/UI (Not for production)
+ enabled: false
From c8d9a212c3aeec15da0b7f5130d12e70cab712fe Mon Sep 17 00:00:00 2001
From: cccsss01 <56396984+cccsss01@users.noreply.github.com>
Date: Thu, 27 Jul 2023 08:55:40 -0500
Subject: [PATCH 2/5] Create client-deployment.yaml
Signed-off-by: cccsss01 <56396984+cccsss01@users.noreply.github.com>
---
 examples/quick-start/client-deployment.yaml | 32 +++++++++++++++++++++
 1 file changed, 32 insertions(+)
 create mode 100644 examples/quick-start/client-deployment.yaml
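Review bot: The comment on `clusterName` reuses the `kubeadm init --service-dns-domain` reference from the `clusterDomain` comment two stanzas above, but that flag sets the cluster DNS domain, not the cluster name, so the two comments contradict each other. Suggest `# -- The name of the Kubernetes cluster; must match the k8s_sat:cluster selector used in the README's registration entry` so readers know why `demo-cluster` has to be changed in both places. It would also help to mark `trustDomain: example.org` and `jwtIssuer: oidc-discovery.example.org` as placeholders to replace, and to say whether `jwtIssuer` has any effect here given that `spiffe-oidc-discovery-provider` is disabled further down (presumably not, but the chart would have to confirm). Indentation cannot be checked on this rendering, so the nesting of `k8s`, `spire` and `image` under `global` should be verified with yamllint before merge.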
diff --git a/examples/quick-start/client-deployment.yaml b/examples/quick-start/client-deployment.yaml
new file mode 100644
index 000000000..bc107a50e
--- /dev/null
+++ b/examples/quick-start/client-deployment.yaml
@@ -0,0 +1,32 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: client
+ labels:
+ app: client
+spec:
+ selector:
+ matchLabels:
+ app: client
+ template:
+ metadata:
+ labels:
+ app: client
+ spec:
+ hostPID: true
+ hostNetwork: true
+ dnsPolicy: ClusterFirstWithHostNet
+ containers:
+ - name: client
+ image: ghcr.io/spiffe/spire-agent:1.7.0
+ command: ["/opt/spire/bin/spire-agent"]
+ args: [ "api", "watch", "-socketPath", "/run/spire/agent-sockets/spire-agent.sock" ]
+ volumeMounts:
+ - name: spire-agent-socket
+ mountPath: /run/spire/agent-sockets
+ readOnly: true
+ volumes:
+ - name: spire-agent-socket
+ hostPath:
+ path: /run/spire/agent-sockets
+ type: Directory
From d323d551605dba4ea9854acc704796e85c0054a0 Mon Sep 17 00:00:00 2001
From: cccsss01 <56396984+cccsss01@users.noreply.github.com>
Date: Thu, 27 Jul 2023 09:09:52 -0500
Subject: [PATCH 3/5] Create README.md
Signed-off-by: cccsss01 <56396984+cccsss01@users.noreply.github.com>
---
 examples/quick-start/README.md | 66 ++++++++++++++++++++++++++++++++++
 1 file changed, 66 insertions(+)
 create mode 100644 examples/quick-start/README.md
diff --git a/examples/quick-start/README.md b/examples/quick-start/README.md
new file mode 100644
index 000000000..7fa89689c
--- /dev/null
+++ b/examples/quick-start/README.md
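Review bot: `hostPID: true` and `hostNetwork: true` on the `client` pod spec are not used by anything in this manifest: the container only runs `spire-agent api watch` against the socket it receives through the `spire-agent-socket` hostPath mount, and neither host namespace is needed to read a hostPath. Both settings give an example workload host-level process and network visibility and are rejected by the baseline Pod Security Standards profile, so suggest dropping those two lines together with `dnsPolicy: ClusterFirstWithHostNet`, which only exists to compensate for `hostNetwork`. If they are kept on purpose (for example to mirror the agent DaemonSet), a comment saying why would stop readers from copying them into real workloads. The README created in the next patch describes this container as using the `spire-k8s` image, whereas the manifest pins `ghcr.io/spiffe/spire-agent:1.7.0`; the text should name the image actually used.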
@@ -0,0 +1,66 @@ +In this introduction to SPIRE on Kubernetes you will learn how to: + +* Deploy SPIRE and SPIFFE with helm +* Configure a registration entry for a workload +* Fetch an x509-SVID over the SPIFFE Workload API +* Learn where to find resources for more complex installations + +The steps in this guide have been tested on these +Kubernetes versions: 1.26 +Helm Chart version: 0.10.1 +App Version: 1.7.0 + +{{< info >}} +If you are using Minikube to run this tutorial you should specify some special flags as described [here](#considerations-when-using-minikube). + +# Obtain the Required Files + +This guide requires a number of **.yaml** files. To obtain this directory of files clone **https://github.com/spiffe/spire-tutorials** and obtain the **.yaml** files from the **spire-tutorials/k8s/quickstart-helm** subdirectory. Remember to run all kubectl commands in the directory in which those files reside. + +Set up a Kubernetes environment on a provider of your choice or use Minikube. Link the Kubernetes environment to the kubectl command. 
+ +# Install with Helm + ```bash + $ helm repo add spiffe https://spiffe.github.io/helm-charts/ + $ helm update + $ helm -n spire install spire spiffe/spire -f values.yaml --create-namespace + ``` +# Verify +## Verify Namespace + Run the following command and verify that *spire* is listed in the output: + + ```bash + $ kubectl get namespaces + ``` + ## Verify Statefulset + This creates a statefulset called **spire-server** in the **spire** namespace and starts up a **spire-server** pod, as demonstrated in the output of the following commands: + +```bash +$ kubectl get statefulset --namespace spire +@@ -107,26 +72,8 @@ $ kubectl get services --namespace spire +NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE +spire-server NodePort 10.107.205.29 8081:30337/TCP 88m + +## Verify Agent + This creates a daemonset called **spire-agent** in the **spire** namespace and starts up a **spire-agent** pod along side **spire-server**, as demonstrated in the output of the following commands: + +```bash +$ kubectl get daemonset --namespace spire + +As a daemonset, you'll see as many **spire-agent** pods as you have nodes. + +# Register Workloads + +In order to enable SPIRE to perform workload attestation -- which allows the agent to identify the workload to attest to its agent -- you must register the workload in the server. This tells SPIRE how to identify the workload and which SPIFFE ID to give it. + +1. Create a new registration entry for the node, specifying the SPIFFE ID to allocate to the node: +> **Note** change -selector k8s_sat:cluster:demo-cluster to your cluster name + + ```shell + $ kubectl exec -n spire spire-server-0 -- \ + +In this section, you configure a workload container to access SPIRE. Specifically, you are configuring the workload container to access the Workload API UNIX domain socket. + +The **client-deployment.yaml** file configures a no-op container using the **spire-k8s** docker image used for the server and agent. 
Examine the `volumeMounts` and `volumes configuration` stanzas to see how the UNIX domain `spire-agent.sock` is bound in.
+
+You can test that the agent socket is accessible from an application container by issuing the following commands:
From e2c323a032da089ee6676c2b2e779e00c8d86770 Mon Sep 17 00:00:00 2001
From: cccsss01 <56396984+cccsss01@users.noreply.github.com>
Date: Tue, 26 Sep 2023 09:32:15 -0500
Subject: [PATCH 4/5] Update examples/quick-start/README.md
Co-authored-by: kfox1111
Signed-off-by: cccsss01 <56396984+cccsss01@users.noreply.github.com>
---
 examples/quick-start/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/examples/quick-start/README.md b/examples/quick-start/README.md
index 7fa89689c..c98e8ee8f 100644
--- a/examples/quick-start/README.md
+++ b/examples/quick-start/README.md
@@ -1,6 +1,6 @@
 In this introduction to SPIRE on Kubernetes you will learn how to:
-* Deploy SPIRE and SPIFFE with helm
+* Deploy SPIRE and SPIFFE with helm in a non production ready configuration suitable for testing purposes.
 * Configure a registration entry for a workload
 * Fetch an x509-SVID over the SPIFFE Workload API
 * Learn where to find resources for more complex installations
From 3ebf24f07f9e483b178633b0c58a098f543f0a3e Mon Sep 17 00:00:00 2001
From: cccsss01 <56396984+cccsss01@users.noreply.github.com>
Date: Tue, 26 Sep 2023 09:32:25 -0500
Subject: [PATCH 5/5] Update examples/quick-start/README.md
Co-authored-by: Faisal Memon
Signed-off-by: cccsss01 <56396984+cccsss01@users.noreply.github.com>
---
 examples/quick-start/README.md | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/examples/quick-start/README.md b/examples/quick-start/README.md
index c98e8ee8f..25445307d 100644
--- a/examples/quick-start/README.md
+++ b/examples/quick-start/README.md
@@ -5,10 +5,10 @@ In this introduction to SPIRE on Kubernetes you will learn how to:
 * Fetch an x509-SVID over the SPIFFE Workload API
 * Learn where to find resources for more complex installations
-The steps in this guide have been tested on these
-Kubernetes versions: 1.26
-Helm Chart version: 0.10.1
-App Version: 1.7.0
+The steps in this guide have been tested on these versions:
+- Kubernetes: 1.26
+- Helm Chart: 0.10.1
+- App: 1.7.0
 {{< info >}}
 If you are using Minikube to run this tutorial you should specify some special flags as described [here](#considerations-when-using-minikube).