Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

new quickstart structure #138

Merged
merged 24 commits into from
Mar 16, 2023
Merged
Show file tree
Hide file tree
Changes from 9 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
346 changes: 165 additions & 181 deletions docs/tornjak-quickstart.md → docs/quickstart/README.md

Large diffs are not rendered by default.

5 changes: 5 additions & 0 deletions docs/quickstart/agent-account.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: spire-agent
namespace: spire
24 changes: 24 additions & 0 deletions docs/quickstart/agent-cluster-role.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
# Required cluster role to allow spire-agent to query k8s API server
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: spire-agent-cluster-role
rules:
- apiGroups: [""]
resources: ["pods","nodes","nodes/proxy"]
verbs: ["get"]

---
# Binds above cluster role to spire-agent service account
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: spire-agent-cluster-role-binding
subjects:
- kind: ServiceAccount
name: spire-agent
namespace: spire
roleRef:
kind: ClusterRole
name: spire-agent-cluster-role
apiGroup: rbac.authorization.k8s.io
52 changes: 52 additions & 0 deletions docs/quickstart/agent-configmap.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,52 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: spire-agent
namespace: spire
data:
agent.conf: |
agent {
data_dir = "/run/spire"
log_level = "DEBUG"
server_address = "spire-server"
server_port = "8081"
socket_path = "/run/spire/sockets/agent.sock"
trust_bundle_path = "/run/spire/bundle/bundle.crt"
trust_domain = "example.org"
}
plugins {
NodeAttestor "k8s_sat" {
plugin_data {
# NOTE: Change this to your cluster name
cluster = "demo-cluster"
}
}
KeyManager "memory" {
plugin_data {
}
}
WorkloadAttestor "k8s" {
plugin_data {
# Defaults to the secure kubelet port by default.
# Minikube does not have a cert in the cluster CA bundle that
# can authenticate the kubelet cert, so skip validation.
skip_kubelet_verification = true
}
}
WorkloadAttestor "unix" {
plugin_data {
}
}
}
health_checks {
listener_enabled = true
bind_address = "0.0.0.0"
bind_port = "8080"
live_path = "/live"
ready_path = "/ready"
}
66 changes: 66 additions & 0 deletions docs/quickstart/agent-daemonset.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,66 @@
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: spire-agent
namespace: spire
labels:
app: spire-agent
spec:
selector:
matchLabels:
app: spire-agent
template:
metadata:
namespace: spire
labels:
app: spire-agent
spec:
hostPID: true
hostNetwork: true
dnsPolicy: ClusterFirstWithHostNet
serviceAccountName: spire-agent
initContainers:
- name: init
# This is a small image with wait-for-it, choose whatever image
# you prefer that waits for a service to be up. This image is built
# from https://github.com/lqhl/wait-for-it
image: cgr.dev/chainguard/wait-for-it
args: ["-t", "30", "spire-server:8081"]
containers:
- name: spire-agent
image: ghcr.io/spiffe/spire-agent:1.5.1
args: ["-config", "/run/spire/config/agent.conf"]
volumeMounts:
- name: spire-config
mountPath: /run/spire/config
readOnly: true
- name: spire-bundle
mountPath: /run/spire/bundle
- name: spire-agent-socket
mountPath: /run/spire/sockets
readOnly: false
livenessProbe:
httpGet:
path: /live
port: 8080
failureThreshold: 2
initialDelaySeconds: 15
periodSeconds: 60
timeoutSeconds: 3
readinessProbe:
httpGet:
path: /ready
port: 8080
initialDelaySeconds: 5
periodSeconds: 5
volumes:
- name: spire-config
configMap:
name: spire-agent
- name: spire-bundle
configMap:
name: spire-bundle
- name: spire-agent-socket
hostPath:
path: /run/spire/sockets
type: DirectoryOrCreate
32 changes: 32 additions & 0 deletions docs/quickstart/client-deployment.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: client
labels:
app: client
spec:
selector:
matchLabels:
app: client
template:
metadata:
labels:
app: client
spec:
hostPID: true
hostNetwork: true
dnsPolicy: ClusterFirstWithHostNet
containers:
- name: client
image: ghcr.io/spiffe/spire-agent:1.5.1
command: ["/opt/spire/bin/spire-agent"]
args: [ "api", "watch", "-socketPath", "/run/spire/sockets/agent.sock" ]
volumeMounts:
- name: spire-agent-socket
mountPath: /run/spire/sockets
readOnly: true
volumes:
- name: spire-agent-socket
hostPath:
path: /run/spire/sockets
type: Directory
16 changes: 16 additions & 0 deletions docs/quickstart/create-node-registration-entry.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
#/bin/bash

set -e

bb=$(tput bold)
nn=$(tput sgr0)


echo "${bb}Creating registration entry for the node...${nn}"
kubectl exec -n spire spire-server-0 -- \
/opt/spire/bin/spire-server entry create \
-node \
-spiffeID spiffe://example.org/ns/spire/sa/spire-agent \
-selector k8s_sat:cluster:demo-cluster \
-selector k8s_sat:agent_ns:spire \
-selector k8s_sat:agent_sa:spire-agent
18 changes: 18 additions & 0 deletions docs/quickstart/kustomization.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

namespace: spire

resources:
- spire-namespace.yaml
- agent-account.yaml
- agent-cluster-role.yaml
- agent-configmap.yaml
- agent-daemonset.yaml
- server-account.yaml
- server-cluster-role.yaml
- server-configmap.yaml
- server-service.yaml
- server-statefulset.yaml
- spire-bundle-configmap.yaml

5 changes: 5 additions & 0 deletions docs/quickstart/server-account.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: spire-server
namespace: spire
49 changes: 49 additions & 0 deletions docs/quickstart/server-cluster-role.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,49 @@
# Role (namespace scoped) to be able to push certificate bundles to a configmap
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: spire-server-configmap-role
namespace: spire
rules:
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["patch", "get", "list"]
---
# Binds above role to spire-server service account
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: spire-server-configmap-role-binding
namespace: spire
subjects:
- kind: ServiceAccount
name: spire-server
namespace: spire
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: spire-server-configmap-role
---
# ClusterRole to allow spire-server node attestor to query Token Review API
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: spire-server-trust-role
rules:
- apiGroups: ["authentication.k8s.io"]
resources: ["tokenreviews"]
verbs: ["create"]
---
# Binds above cluster role to spire-server service account
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: spire-server-trust-role-binding
subjects:
- kind: ServiceAccount
name: spire-server
namespace: spire
roleRef:
kind: ClusterRole
name: spire-server-trust-role
apiGroup: rbac.authorization.k8s.io
63 changes: 63 additions & 0 deletions docs/quickstart/server-configmap.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,63 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: spire-server
namespace: spire
data:
server.conf: |
server {
bind_address = "0.0.0.0"
bind_port = "8081"
socket_path = "/tmp/spire-server/private/api.sock"
trust_domain = "example.org"
data_dir = "/run/spire/data"
log_level = "DEBUG"
#AWS requires the use of RSA. EC cryptography is not supported
ca_key_type = "rsa-2048"
ca_subject = {
country = ["US"],
organization = ["SPIFFE"],
common_name = "",
}
}
plugins {
DataStore "sql" {
plugin_data {
database_type = "sqlite3"
connection_string = "/run/spire/data/datastore.sqlite3"
}
}
NodeAttestor "k8s_sat" {
plugin_data {
clusters = {
# NOTE: Change this to your cluster name
"demo-cluster" = {
use_token_review_api_validation = true
service_account_allow_list = ["spire:spire-agent"]
}
}
}
}
KeyManager "disk" {
plugin_data {
keys_path = "/run/spire/data/keys.json"
}
}
Notifier "k8sbundle" {
plugin_data {
}
}
}
health_checks {
listener_enabled = true
bind_address = "0.0.0.0"
bind_port = "8080"
live_path = "/live"
ready_path = "/ready"
}
14 changes: 14 additions & 0 deletions docs/quickstart/server-service.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
apiVersion: v1
kind: Service
metadata:
name: spire-server
namespace: spire
spec:
type: NodePort
ports:
- name: grpc
port: 8081
targetPort: 8081
protocol: TCP
selector:
app: spire-server
Loading