From 8429a6b3e803419b895e15a9378d1c065cf39927 Mon Sep 17 00:00:00 2001 From: Benjamin Leggett Date: Mon, 19 Aug 2024 20:04:35 -0400 Subject: [PATCH 01/23] This is wildly out of date Signed-off-by: Benjamin Leggett --- .../en/docs/ops/integrations/spire/index.md | 449 +++++------------- 1 file changed, 124 insertions(+), 325 deletions(-) diff --git a/content/en/docs/ops/integrations/spire/index.md b/content/en/docs/ops/integrations/spire/index.md index 15b277117f7ab..8d20a81c544b3 100644 --- a/content/en/docs/ops/integrations/spire/index.md +++ b/content/en/docs/ops/integrations/spire/index.md 
@@ -27,180 +27,145 @@ The integration is compatible with Istio upgrades. ## Install SPIRE -### Option 1: Quick start +Istio recommends you follow SPIRE's installation instructions and general recommendations for installing SPIRE. -Istio provides a basic sample installation to quickly get SPIRE up and running: +For this guide, the [SPIRE Helm charts](https://artifacthub.io/packages/helm/spiffe/spire) will be used as a simple way to install SPIRE dependencies for Istio and illustrate the configuration necessary to integrate SPIRE and Istio. -{{< text syntax=bash snip_id=install_spire_with_controller_manager >}} -$ kubectl apply -f @samples/security/spire/spire-quickstart.yaml@ +{{< text syntax=bash snip_id=install_spire_crds >}} +$ helm upgrade --install -n spire-server spire-crds spire-crds --repo https://spiffe.github.io/helm-charts-hardened/ --create-namespace {{< /text >}} -This will deploy SPIRE into your cluster, along with two additional components: the [SPIFFE CSI Driver](https://github.com/spiffe/spiffe-csi) — used to share the SPIRE Agent's UNIX Domain Socket with the other -pods throughout the node — and the [SPIRE Controller Manager](https://github.com/spiffe/spire-controller-manager), a facilitator that performs workload registration and establishes federation relationships -within Kubernetes. See [Install Istio](#install-istio) to configure Istio and integrate with the SPIFFE CSI Driver. +{{< text syntax-bash snip_id=install_spire_istio_overrides >}} +$ helm upgrade --install -n spire-server spire spire --repo https://spiffe.github.io/helm-charts-hardened/ --wait -f - <}} -### Option 2: Configure a custom SPIRE installation +{{< tip >}} + See the [SPIRE Helm chart](https://artifacthub.io/packages/helm/spiffe/spire) documentation for other values you can configure for your installation - this doc only mentions the minimal subset required to achieve Istio integration. 
+{{< /tip >}} -See the [SPIRE's Quick start for Kubernetes guide](https://spiffe.io/docs/latest/try/getting-started-k8s/) -to get started deploying SPIRE into your Kubernetes environment. See [SPIRE CA Integration Prerequisites](#spire-ca-integration-prerequisites) -for more information on configuring SPIRE to integrate with Istio deployments. -#### SPIRE CA Integration Prerequisites +This will also install -To integrate your SPIRE deployment with Istio, configure SPIRE: +- The [SPIFFE CSI driver](https://github.com/spiffe/spiffe-csi) which is used to mount an Envoy-compatible SDS socket into proxies. Using the SPIFFE CSI driver to mount SDS sockets is strongly recommended by both Istio and SPIRE, as `hostMounts` are a larger security risk and introduce operational hurdles. -1. Access the [SPIRE Agent reference](https://spiffe.io/docs/latest/deploying/spire_agent/#agent-configuration-file) and - configure the SPIRE Agent socket path to match the Envoy SDS defined socket path. +- The [SPIRE Controller Manager](https://github.com/spiffe/spire-controller-manager), which eases the creation of SPIFFE registrations for workloads. - {{< text plain >}} - socket_path = "/run/secrets/workload-spiffe-uds/socket" - {{< /text >}} +## Register workloads -1. Share the SPIRE Agent socket with the pods within the node by deploying the - [SPIFFE CSI Driver](https://github.com/spiffe/spiffe-csi). - The `-workload-api-socket-dir` argument to the driver should be the mount location of the socket's directory. +SPIRE by-design only grants identities to workloads that have been registered with the SPIRE server. -See [Install Istio](#install-istio) to configure Istio to integrate with the SPIFFE CSI Driver. 
+This includes your user workloads, as well as Istio's own workloads - Istio sidecars and gateways, once configured for SPIRE integration, cannot get identities, and therefore cannot reach READY status, unless there is a preexisting, matching SPIRE registration created for them ahead of time. -{{< tip >}} -Istio will become the Envoy SDS listener if the socket is not created by SPIRE before the Istio agent starts up. This timing is controlled by customizing the IstioOperator. -{{< /tip >}} +See the [SPIRE help on Registering workloads](https://spiffe.io/docs/latest/deploying/registering/) for more information on using multiple selectors to strengthen attestation criteria, and the selectors available. -## Install Istio +This section describes the options available for registering Istio workloads in a SPIRE Server and provides some example workload registrations. -### Option 1: Configuration for Workload Registration with the SPIRE Controller Manager +{{< warning >}} +Istio currently requires a specific SPIFFE ID format for workloads. All registrations must follow the Istio SPIFFE ID pattern: `spiffe:///ns//sa/` +{{< /warning >}} -By deploying [SPIRE Controller Manager](https://github.com/spiffe/spire-controller-manager) -along with a SPIRE Server, new entries can be automatically registered for each new pod that matches the selector defined in a [ClusterSPIFFEID](https://github.com/spiffe/spire-controller-manager/blob/main/docs/clusterspiffeid-crd.md) custom resource. -A ClusterSPIFFEID must be applied prior to installing Istio in order for the Ingress-gateway to obtain its certificates. Additionally, the Ingress-gateway pod must be configured to match the selector defined in the ClusterSPIFFEID. If a registration entry for the Ingress Gateway workload was not automatically created during install, the workload would not reach a `Ready` state and installation would fail. +### Option 1: Auto-registration using the SPIRE Controller Manager -1. 
Create example ClusterSPIFFEID: +New entries will be automatically registered for each new pod that matches the selector defined in a [ClusterSPIFFEID](https://github.com/spiffe/spire-controller-manager/blob/main/docs/clusterspiffeid-crd.md) custom resource. - {{< text syntax=bash snip_id=create_clusterspiffeid >}} - $ kubectl apply -f - <}} +Both Istio sidecars and Istio gateways need to be registered with SPIRE, so that they can request identities. - The example ClusterSPIFFEID enables automatic workload registration for all workloads with the `spiffe.io/spire-managed-identity: "true"` label. For pods with this label, the values specified in the `spiffeIDTemplate` will be extracted to form the SPIFFE ID. +#### Istio Gateway ClusterSPIFFEID -1. [Download the Istio release](/docs/setup/additional-setup/download-istio-release/). +The following will create a ClusterSPIFFEID which will auto-register any Istio Ingress gateway pod with SPIRE if it is scheduled into the `istio-system` namespace, and has a service account named `istio-ingressgateway-service-account`. These selectors are used as a simple example, consult the [SPIRE Controller Manager documentation](https://github.com/spiffe/spire-controller-manager/blob/main/docs/clusterspiffeid-crd.md) for more details. -1. Create the Istio configuration with custom patches for the Ingress-gateway and istio-proxy. The Ingress Gateway component includes the `spiffe.io/spire-managed-identity: "true"` label. 
+{{< text syntax-bash snip_id=spire_csid_istio_gateway >}} +kubectl apply -f - <}} - {{< text syntax=bash snip_id=define_istio_operator_for_auto_registration >}} - $ cat < ./istio.yaml - apiVersion: install.istio.io/v1alpha1 - kind: IstioOperator - metadata: - namespace: istio-system - spec: - profile: default - meshConfig: - trustDomain: example.org - values: - global: - # This is used to customize the sidecar template - sidecarInjectorWebhook: - templates: - spire: | - spec: - containers: - - name: istio-proxy - volumeMounts: - - name: workload-socket - mountPath: /run/secrets/workload-spiffe-uds - readOnly: true - volumes: - - name: workload-socket - csi: - driver: "csi.spiffe.io" - readOnly: true - components: - ingressGateways: - - name: istio-ingressgateway - enabled: true - label: - istio: ingressgateway - spiffe.io/spire-managed-identity: "true" - k8s: - overlays: - - apiVersion: apps/v1 - kind: Deployment - name: istio-ingressgateway - patches: - - path: spec.template.spec.volumes.[name:workload-socket] - value: - name: workload-socket - csi: - driver: "csi.spiffe.io" - readOnly: true - - path: spec.template.spec.containers.[name:istio-proxy].volumeMounts.[name:workload-socket] - value: - name: workload-socket - mountPath: "/run/secrets/workload-spiffe-uds" - readOnly: true - - path: spec.template.spec.initContainers - value: - - name: wait-for-spire-socket - image: busybox:1.28 - volumeMounts: - - name: workload-socket - mountPath: /run/secrets/workload-spiffe-uds - readOnly: true - env: - - name: CHECK_FILE - value: /run/secrets/workload-spiffe-uds/socket - command: - - sh - - "-c" - - |- - echo "$(date -Iseconds)" Waiting for: ${CHECK_FILE} - while [[ ! 
-e ${CHECK_FILE} ]] ; do - echo "$(date -Iseconds)" File does not exist: ${CHECK_FILE} - sleep 15 - done - ls -l ${CHECK_FILE} - EOF - {{< /text >}} +#### Istio Sidecar ClusterSPIFFEID + +The following will create a ClusterSPIFFEID which will auto-register any pod with the `spiffe.io/spire-managed-identity: true` label that is deployed into the `default` namespace with SPIRE. These selectors are used as a simple example, consult the [SPIRE Controller Manager documentation](https://github.com/spiffe/spire-controller-manager/blob/main/docs/clusterspiffeid-crd.md) for more details. + +{{< text syntax-bash snip_id=spire_csid_istio_gateway >}} +kubectl apply -f - <}} -1. Apply the configuration: +### Option 2: Manual Registration - {{< text syntax=bash snip_id=apply_istio_operator_configuration >}} - $ istioctl install --skip-confirmation -f ./istio.yaml +Skip these steps if you installed `SPIRE` by following the [quick start](#option-1-quick-start) since it uses automatic registration. + +If you wish to manually create your SPIRE registrations, rather than use the SPIRE Controller Manager mentioned in [the recommended Option 1](#option-1-auto-registration-using-the-spire-controller-manager), refer to the [SPIRE documentation on manual registration](https://spiffe.io/docs/latest/deploying/registering/). + +Below are the equivalent manual registrations based off the automatic registrations in [Option 1](#option-1-auto-registration-using-the-spire-controller-manager): + +The following steps assume you have [already followed the SPIRE documentation to manually register your SPIRE agent and node attestation](https://spiffe.io/docs/latest/deploying/registering/#1-defining-the-spiffe-id-of-the-agent) and that your SPIRE agent was registered with the SPIFFE identity `spiffe://example.org/ns/spire/sa/spire-agent`. + +1. 
Get the spire-server pod: + + {{< text syntax=bash snip_id=set_spire_server_pod_name_var >}} + $ SPIRE_SERVER_POD=$(kubectl get pod -l app=spire-server -n spire -o jsonpath="{.items[0].metadata.name}") {{< /text >}} -1. Check Ingress-gateway pod state: +1. Register an entry for the Istio Ingress gateway pod: - {{< text syntax=bash snip_id=none >}} - $ kubectl get pods -n istio-system - NAME READY STATUS RESTARTS AGE - istio-ingressgateway-5b45864fd4-lgrxs 1/1 Running 0 17s - istiod-989f54d9c-sg7sn 1/1 Running 0 23s + {{< text bash >}} + $ kubectl exec -n spire "$SPIRE_SERVER_POD" -- \ + /opt/spire/bin/spire-server entry create \ + -spiffeID spiffe://example.org/ns/istio-system/sa/istio-ingressgateway-service-account \ + -parentID spiffe://example.org/ns/spire/sa/spire-agent \ + -selector k8s:sa:istio-ingressgateway-service-account \ + -selector k8s:ns:istio-system \ + -socketPath /run/spire/sockets/server.sock + + Entry ID : 6f2fe370-5261-4361-ac36-10aae8d91ff7 + SPIFFE ID : spiffe://example.org/ns/istio-system/sa/istio-ingressgateway-service-account + Parent ID : spiffe://example.org/ns/spire/sa/spire-agent + Revision : 0 + TTL : default + Selector : k8s:ns:istio-system + Selector : k8s:sa:istio-ingressgateway-service-account {{< /text >}} - The Ingress-gateway pod is `Ready` since the corresponding registration entry is automatically created for it on the SPIRE Server. Envoy is able to fetch cryptographic identities from SPIRE. +1. Register an entry for workloads injected with an Istio sidecar: -Note that `SPIRE Controller Manager` is used in the [quick start](#option-1-quick-start) section. 
+ {{< text bash >}} + $ kubectl exec -n spire "$SPIRE_SERVER_POD" -- \ + /opt/spire/bin/spire-server entry create \ + -spiffeID spiffe://example.org/ns/default/sa/sleep \ + -parentID spiffe://example.org/ns/spire/sa/spire-agent \ + -selector k8s:ns:default \ + -selector k8s:pod-label:spiffe.io/spire-managed-identity:true \ + -socketPath /run/spire/sockets/server.sock + {{< /text >}} -### Option 2: Configuration for Manual Workload Registration with SPIRE +## Install Istio 1. [Download the Istio release](/docs/setup/additional-setup/download-istio-release/). -1. After [deploying SPIRE](#install-spire) into your environment, and verifying that all deployments are in `Ready` state, configure Istio with custom patches for the Ingress-gateway as well as for istio-proxy. - - Create Istio configuration: +1. Create the Istio configuration with custom patches for the Ingress-gateway and istio-proxy. The Ingress Gateway component includes the `spiffe.io/spire-managed-identity: "true"` label. - {{< text syntax=bash snip_id=define_istio_operator_for_manual_registration >}} + {{< text syntax=bash snip_id=define_istio_operator_for_auto_registration >}} $ cat < ./istio.yaml apiVersion: install.istio.io/v1alpha1 kind: IstioOperator @@ -212,10 +177,14 @@ Note that `SPIRE Controller Manager` is used in the [quick start](#option-1-quic trustDomain: example.org values: global: - # This is used to customize the sidecar template + # This is used to customize the sidecar template. + # It adds both the label to indicate that SPIRE should manage the + # identity of this pod, as well as the CSI driver mounts. sidecarInjectorWebhook: templates: spire: | + labels: + spiffe.io/spire-managed-identity: "true" spec: containers: - name: istio-proxy 
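Review bot: the manual sidecar registration added in the first hunk (`-spiffeID spiffe://example.org/ns/default/sa/sleep` with only `-selector k8s:ns:default` and `-selector k8s:pod-label:spiffe.io/spire-managed-identity:true`) binds the `sleep` service-account identity to any labelled pod in `default`, whatever service account it actually runs as; add `-selector k8s:sa:sleep` so the entry is bound to the service account the SPIFFE ID names, the way the gateway entry already is with `-selector k8s:sa:istio-ingressgateway-service-account`. Three smaller problems in the same hunk: the new Option 2 text says "Skip these steps if you installed `SPIRE` by following the [quick start](#option-1-quick-start)" although this very hunk deletes the "Option 1: Quick start" section, so the anchor dangles and the sentence should be removed; the Helm install runs with `-n spire-server` while the manual steps look up the server pod with `-n spire` and run `kubectl exec -n spire`, so one namespace should be used throughout (and `/opt/spire/bin/spire-server` plus `-socketPath /run/spire/sockets/server.sock` should be verified against what the Helm chart actually deploys rather than carried over from the old quick start); and both `ClusterSPIFFEID` snippets carry `snip_id=spire_csid_istio_gateway`, so the sidecar block needs its own id (for example `spire_csid_istio_sidecar`). The `{{< text syntax-bash ... >}}` shortcodes in this hunk should read `syntax=bash`, otherwise the site will not build.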
@@ -236,6 +205,9 @@ Note that `SPIRE Controller Manager` is used in the [quick start](#option-1-quic istio: ingressgateway k8s: overlays: + # This is used to customize the ingress gateway template. + # It adds the CSI driver mounts, as well as an init container + # to stall gateway startup until the CSI driver mounts the socket. - apiVersion: apps/v1 kind: Deployment name: istio-ingressgateway @@ -254,7 +226,7 @@ Note that `SPIRE Controller Manager` is used in the [quick start](#option-1-quic - path: spec.template.spec.initContainers value: - name: wait-for-spire-socket - image: busybox:1.28 + image: busybox:1.36 volumeMounts: - name: workload-socket mountPath: /run/secrets/workload-spiffe-uds @@ -277,7 +249,7 @@ Note that `SPIRE Controller Manager` is used in the [quick start](#option-1-quic 1. Apply the configuration: - {{< text syntax=bash snip_id=none >}} + {{< text syntax=bash snip_id=apply_istio_operator_configuration >}} $ istioctl install --skip-confirmation -f ./istio.yaml {{< /text >}} 
@@ -286,26 +258,13 @@ Note that `SPIRE Controller Manager` is used in the [quick start](#option-1-quic {{< text syntax=bash snip_id=none >}} $ kubectl get pods -n istio-system NAME READY STATUS RESTARTS AGE - istio-ingressgateway-5b45864fd4-lgrxs 0/1 Running 0 20s - istiod-989f54d9c-sg7sn 1/1 Running 0 25s + istio-ingressgateway-5b45864fd4-lgrxs 1/1 Running 0 17s + istiod-989f54d9c-sg7sn 1/1 Running 0 23s {{< /text >}} - The Ingress-gateway pod and data plane containers will only reach `Ready` if a corresponding registration entry is created for them on the SPIRE Server. Then, - Envoy will be able to fetch cryptographic identities from SPIRE. - See [Register workloads](#register-workloads) to register entries for services in your mesh. - -The Istio configuration shares the `spiffe-csi-driver` with the Ingress Gateway and the sidecars that are going to be injected on workload pods, -granting them access to the SPIRE Agent's UNIX Domain Socket. - -This configuration also adds an initContainer to the gateway that will wait for SPIRE to create the UNIX Domain Socket before starting the istio-proxy. If the SPIRE agent is not ready or has not been properly configured with the same socket path, the Ingress Gateway initContainer will wait forever. - -## Register workloads - -This section describes the options available for registering workloads in a SPIRE Server. - -### Option 1: Registration using the SPIRE Controller Manager + The Ingress-gateway pod is `Ready` since the corresponding registration entry is automatically created for it on the SPIRE Server. Envoy is able to fetch cryptographic identities from SPIRE. -New entries will be automatically registered for each new pod that matches the selector defined in a [ClusterSPIFFEID](https://github.com/spiffe/spire-controller-manager/blob/main/docs/clusterspiffeid-crd.md) custom resource. 
See [Configuration for Workload Registration with the SPIRE Controller Manager](#option-1:-configuration-for-workload-registration-with-the-spire-controller-manager) for the example ClusterSPIFFEID configuration. + This configuration also adds an initContainer to the gateway that will wait for SPIRE to create the UNIX Domain Socket before starting the istio-proxy. If the SPIRE agent is not ready or has not been properly configured with the same socket path, the Ingress Gateway initContainer will wait forever. 1. Deploy an example workload: 
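Review bot: the replacement sentence "The Ingress-gateway pod is `Ready` since the corresponding registration entry is automatically created for it on the SPIRE Server" only holds for Option 1 (SPIRE Controller Manager); a reader who followed Option 2 created that entry by hand, so phrase it as "since a matching registration entry exists on the SPIRE Server (created by the Controller Manager in Option 1, or manually in Option 2)". The deleted line "will only reach `Ready` if a corresponding registration entry is created for them on the SPIRE Server" was the only troubleshooting hint in this step; since the kept sentence about the `wait-for-spire-socket` init container waiting forever is retained, tell the reader how to distinguish the two failure modes: a gateway pod stuck in `Init:0/1` whose init container keeps logging "File does not exist" means the agent socket was never mounted (CSI driver or socket path problem), while a pod at `Running` but `0/1` means the socket is there and no registration entry matched the pod.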
@@ -358,152 +317,11 @@ New entries will be automatically registered for each new pod that matches the s readOnly: true {{< /text >}} +The Istio configuration shares the `spiffe-csi-driver` with the Ingress Gateway and the sidecars that are going to be injected on workload pods, granting them access to the SPIRE Agent's UNIX Domain Socket. + See [Verifying that identities were created for workloads](#verifying-that-identities-were-created-for-workloads) to check issued identities. -Note that `SPIRE Controller Manager` is used in the [quick start](#option-1-quick-start) section. - -### Option 2: Manual Registration - -To improve workload attestation security robustness, SPIRE is able to verify against a group of selector values based on different parameters. Skip these steps if you installed `SPIRE` by following the [quick start](#option-1-quick-start) since it uses automatic registration. - -1. Generate an entry for an Ingress Gateway with a set of selectors such as the - pod name and pod UID: - - {{< text bash >}} - $ INGRESS_POD=$(kubectl get pod -l istio=ingressgateway -n istio-system -o jsonpath="{.items[0].metadata.name}") - $ INGRESS_POD_UID=$(kubectl get pods -n istio-system "$INGRESS_POD" -o jsonpath='{.metadata.uid}') - {{< /text >}} - -1. Get the spire-server pod: - - {{< text syntax=bash snip_id=set_spire_server_pod_name_var >}} - $ SPIRE_SERVER_POD=$(kubectl get pod -l app=spire-server -n spire -o jsonpath="{.items[0].metadata.name}") - {{< /text >}} - -1. 
Register an entry for the SPIRE Agent running on the node: - - {{< text bash >}} - $ kubectl exec -n spire "$SPIRE_SERVER_POD" -- \ - /opt/spire/bin/spire-server entry create \ - -spiffeID spiffe://example.org/ns/spire/sa/spire-agent \ - -selector k8s_psat:cluster:demo-cluster \ - -selector k8s_psat:agent_ns:spire \ - -selector k8s_psat:agent_sa:spire-agent \ - -node -socketPath /run/spire/sockets/server.sock - - Entry ID : d38c88d0-7d7a-4957-933c-361a0a3b039c - SPIFFE ID : spiffe://example.org/ns/spire/sa/spire-agent - Parent ID : spiffe://example.org/spire/server - Revision : 0 - TTL : default - Selector : k8s_psat:agent_ns:spire - Selector : k8s_psat:agent_sa:spire-agent - Selector : k8s_psat:cluster:demo-cluster - {{< /text >}} - -1. Register an entry for the Ingress-gateway pod: - - {{< text bash >}} - $ kubectl exec -n spire "$SPIRE_SERVER_POD" -- \ - /opt/spire/bin/spire-server entry create \ - -spiffeID spiffe://example.org/ns/istio-system/sa/istio-ingressgateway-service-account \ - -parentID spiffe://example.org/ns/spire/sa/spire-agent \ - -selector k8s:sa:istio-ingressgateway-service-account \ - -selector k8s:ns:istio-system \ - -selector k8s:pod-uid:"$INGRESS_POD_UID" \ - -dns "$INGRESS_POD" \ - -dns istio-ingressgateway.istio-system.svc \ - -socketPath /run/spire/sockets/server.sock - - Entry ID : 6f2fe370-5261-4361-ac36-10aae8d91ff7 - SPIFFE ID : spiffe://example.org/ns/istio-system/sa/istio-ingressgateway-service-account - Parent ID : spiffe://example.org/ns/spire/sa/spire-agent - Revision : 0 - TTL : default - Selector : k8s:ns:istio-system - Selector : k8s:pod-uid:63c2bbf5-a8b1-4b1f-ad64-f62ad2a69807 - Selector : k8s:sa:istio-ingressgateway-service-account - DNS name : istio-ingressgateway.istio-system.svc - DNS name : istio-ingressgateway-5b45864fd4-lgrxs - {{< /text >}} - -1. 
Deploy an example workload: - - {{< text bash >}} - $ istioctl kube-inject --filename @samples/security/spire/sleep-spire.yaml@ | kubectl apply -f - - {{< /text >}} - - Note that the workload will need the SPIFFE CSI Driver volume to access the SPIRE Agent socket. To accomplish this, - you can leverage the `spire` pod annotation template from the [Install Istio](#install-istio) section or add the CSI volume to - the deployment spec of your workload. Both of these alternatives are highlighted on the example snippet below: - - {{< text syntax=yaml snip_id=none >}} - apiVersion: apps/v1 - kind: Deployment - metadata: - name: sleep - spec: - replicas: 1 - selector: - matchLabels: - app: sleep - template: - metadata: - labels: - app: sleep - # Injects custom sidecar template - annotations: - inject.istio.io/templates: "sidecar,spire" - spec: - terminationGracePeriodSeconds: 0 - serviceAccountName: sleep - containers: - - name: sleep - image: curlimages/curl - command: ["/bin/sleep", "3650d"] - imagePullPolicy: IfNotPresent - volumeMounts: - - name: tmp - mountPath: /tmp - securityContext: - runAsUser: 1000 - volumes: - - name: tmp - emptyDir: {} - # CSI volume - - name: workload-socket - csi: - driver: "csi.spiffe.io" - readOnly: true - {{< /text >}} - -1. Get pod information: - - {{< text syntax=bash snip_id=set_sleep_pod_vars >}} - $ SLEEP_POD=$(kubectl get pod -l app=sleep -o jsonpath="{.items[0].metadata.name}") - $ SLEEP_POD_UID=$(kubectl get pods "$SLEEP_POD" -o jsonpath='{.metadata.uid}') - {{< /text >}} - -1. 
Register the workload: - - {{< text bash >}} - $ kubectl exec -n spire "$SPIRE_SERVER_POD" -- \ - /opt/spire/bin/spire-server entry create \ - -spiffeID spiffe://example.org/ns/default/sa/sleep \ - -parentID spiffe://example.org/ns/spire/sa/spire-agent \ - -selector k8s:ns:default \ - -selector k8s:pod-uid:"$SLEEP_POD_UID" \ - -dns "$SLEEP_POD" \ - -socketPath /run/spire/sockets/server.sock - {{< /text >}} - -{{< warning >}} -SPIFFE IDs for workloads must follow the Istio SPIFFE ID pattern: `spiffe:///ns//sa/` -{{< /warning >}} - -See the [SPIRE help on Registering workloads](https://spiffe.io/docs/latest/deploying/registering/) to learn how to create new entries for workloads and get them attested using multiple selectors to strengthen attestation criteria. - ## Verifying that identities were created for workloads Use the following command to confirm that identities were created for the workloads: 
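Review bot: the removed manual steps were the only place the page demonstrated stronger selectors (`-selector k8s:pod-uid:"$INGRESS_POD_UID"`) and DNS SANs (`-dns istio-ingressgateway.istio-system.svc`); the new Register workloads section points at the SPIRE docs for "multiple selectors to strengthen attestation criteria", but neither replacement entry shows one, and nothing says whether the gateway certificate still needs the `istio-ingressgateway.istio-system.svc` DNS name. Either keep `-dns` on the gateway entry or state explicitly that it is intentionally dropped, and keep one sentence on why namespace plus service account is the minimum selector set and when pod-uid is worth adding. The deleted note "the workload will need the SPIFFE CSI Driver volume to access the SPIRE Agent socket ... leverage the `spire` pod annotation template ... or add the CSI volume to the deployment spec" is also what explained the `csi.spiffe.io` volume in the example Deployment that the hunk's leading context (`readOnly: true`) closes; the added sentence about sharing `spiffe-csi-driver` covers the gateway and sidecars but never mentions the `inject.istio.io/templates: "sidecar,spire"` annotation, so fold that explanation back in next to the example.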
@@ -593,29 +411,10 @@ This will allow Envoy to get federated bundles directly from SPIRE. ## Cleanup SPIRE -If you installed SPIRE using the quick start SPIRE deployment provided by Istio, -use the following commands to remove those Kubernetes resources: +{{< text syntax-bash snip_id=uninstall_spire >}} +$ helm delete -n spire-server spire +{{< /text >}} -{{< text bash >}} -$ kubectl delete CustomResourceDefinition clusterspiffeids.spire.spiffe.io -$ kubectl delete CustomResourceDefinition clusterfederatedtrustdomains.spire.spiffe.io -$ kubectl delete -n spire configmap spire-bundle -$ kubectl delete -n spire serviceaccount spire-agent -$ kubectl delete -n spire configmap spire-agent -$ kubectl delete -n spire daemonset spire-agent -$ kubectl delete csidriver csi.spiffe.io -$ kubectl delete ValidatingWebhookConfiguration spire-controller-manager-webhook -$ kubectl delete -n spire configmap spire-controller-manager-config -$ kubectl delete -n spire configmap spire-server -$ kubectl delete -n spire service spire-controller-manager-webhook-service -$ kubectl delete -n spire service spire-server-bundle-endpoint -$ kubectl delete -n spire service spire-server -$ kubectl delete -n spire serviceaccount spire-server -$ kubectl delete -n spire deployment spire-server -$ kubectl delete clusterrole spire-server-cluster-role spire-agent-cluster-role manager-role -$ kubectl delete clusterrolebinding spire-server-cluster-role-binding spire-agent-cluster-role-binding manager-role-binding -$ kubectl delete -n spire role spire-server-role leader-election-role -$ kubectl delete -n spire rolebinding spire-server-role-binding leader-election-role-binding -$ kubectl delete namespace spire -$ rm istio.yaml chain.pem +{{< text syntax=bash snip_id=uninstall_spire_crds >}} +$ helm delete -n spire-server spire-crds {{< /text >}} From 60d7ae00d8e6c110d17dd865c7374a2c5722bbfc Mon Sep 17 00:00:00 2001 From: Benjamin Leggett Date: Mon, 19 Aug 2024 20:09:10 -0400 Subject: [PATCH 02/23] Fixup 
Signed-off-by: Benjamin Leggett --- content/en/docs/ops/integrations/spire/index.md | 1 - 1 file changed, 1 deletion(-) diff --git a/content/en/docs/ops/integrations/spire/index.md b/content/en/docs/ops/integrations/spire/index.md index 8d20a81c544b3..43ce666dcaaf5 100644 --- a/content/en/docs/ops/integrations/spire/index.md +++ b/content/en/docs/ops/integrations/spire/index.md @@ -290,7 +290,6 @@ The following steps assume you have [already followed the SPIRE documentation to metadata: labels: app: sleep - spiffe.io/spire-managed-identity: "true" # Injects custom sidecar template annotations: inject.istio.io/templates: "sidecar,spire" From b0bab263b2ac0f1ddfc0b0657b6c14d3ff8ec04f Mon Sep 17 00:00:00 2001 From: Craig Box Date: Tue, 20 Aug 2024 14:07:04 +1200 Subject: [PATCH 03/23] Replace snippet syntax to make the site compile --- content/en/docs/ops/integrations/spire/index.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/content/en/docs/ops/integrations/spire/index.md b/content/en/docs/ops/integrations/spire/index.md index 43ce666dcaaf5..d03e8ac6bd49d 100644 --- a/content/en/docs/ops/integrations/spire/index.md +++ b/content/en/docs/ops/integrations/spire/index.md @@ -35,7 +35,7 @@ For this guide, the [SPIRE Helm charts](https://artifacthub.io/packages/helm/spi $ helm upgrade --install -n spire-server spire-crds spire-crds --repo https://spiffe.github.io/helm-charts-hardened/ --create-namespace {{< /text >}} -{{< text syntax-bash snip_id=install_spire_istio_overrides >}} +{{< text syntax=bash snip_id=install_spire_istio_overrides >}} $ helm upgrade --install -n spire-server spire spire --repo https://spiffe.github.io/helm-charts-hardened/ --wait -f - <}} +{{< text syntax=bash snip_id=spire_csid_istio_gateway >}} kubectl apply -f - <}} +{{< text syntax=bash snip_id=spire_csid_istio_gateway >}} kubectl apply -f - <}} +{{< text syntax=bash snip_id=uninstall_spire >}} $ helm delete -n spire-server spire {{< /text >}} 
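Review bot: dropping `spiffe.io/spire-managed-identity: "true"` from the sleep Deployment in the PATCH 02 hunk is consistent with the `spire` sidecar template now injecting that label, but it makes registration depend entirely on the `inject.istio.io/templates: "sidecar,spire"` annotation two lines below: a pod injected with the default template only never receives the label, never matches the sidecar `ClusterSPIFFEID` pod-label selector, and sits at `0/1` with no obvious error. Add a sentence beside the annotation stating that the label comes from the template and is what the SPIRE registration keys on, so that readers who copy the Deployment without the annotation understand why their pod gets no identity.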
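Review bot: with the four `syntax-bash` shortcodes corrected in the PATCH 03 hunks, two issues remain in the touched snippets. The second `{{< text syntax=bash snip_id=spire_csid_istio_gateway >}}` (the sidecar `ClusterSPIFFEID`) reuses the gateway block's `snip_id`, so the two snippets are indistinguishable to anything that extracts them by id; rename it (for example `spire_csid_istio_sidecar`). In the cleanup hunk, `helm delete -n spire-server spire` followed by `helm delete -n spire-server spire-crds` leaves behind the `spire-server` namespace that the install created with `--create-namespace`, and the former `rm istio.yaml chain.pem` line is gone, so add `kubectl delete namespace spire-server` and restore the `rm` for whatever files the page still generates.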
From 3a4ad2a7388b652bebe4262473c6ee36bc92ca50 Mon Sep 17 00:00:00 2001 From: Craig Box Date: Tue, 20 Aug 2024 14:10:06 +1200 Subject: [PATCH 04/23] more --- content/en/docs/ops/integrations/spire/index.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/en/docs/ops/integrations/spire/index.md b/content/en/docs/ops/integrations/spire/index.md index d03e8ac6bd49d..cee2423b0bc4e 100644 --- a/content/en/docs/ops/integrations/spire/index.md +++ b/content/en/docs/ops/integrations/spire/index.md @@ -80,7 +80,7 @@ Both Istio sidecars and Istio gateways need to be registered with SPIRE, so that The following will create a ClusterSPIFFEID which will auto-register any Istio Ingress gateway pod with SPIRE if it is scheduled into the `istio-system` namespace, and has a service account named `istio-ingressgateway-service-account`. These selectors are used as a simple example, consult the [SPIRE Controller Manager documentation](https://github.com/spiffe/spire-controller-manager/blob/main/docs/clusterspiffeid-crd.md) for more details. {{< text syntax=bash snip_id=spire_csid_istio_gateway >}} -kubectl apply -f - <}} -kubectl apply -f - < Date: Tue, 20 Aug 2024 12:30:41 -0400 Subject: [PATCH 05/23] Update content/en/docs/ops/integrations/spire/index.md Co-authored-by: Craig Box --- content/en/docs/ops/integrations/spire/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/docs/ops/integrations/spire/index.md b/content/en/docs/ops/integrations/spire/index.md index cee2423b0bc4e..eb5e6b09abd80 100644 --- a/content/en/docs/ops/integrations/spire/index.md +++ b/content/en/docs/ops/integrations/spire/index.md 
@@ -48,7 +48,7 @@ EOF {{< /tip >}} -This will also install +This will also install: - The [SPIFFE CSI driver](https://github.com/spiffe/spiffe-csi) which is used to mount an Envoy-compatible SDS socket into proxies. Using the SPIFFE CSI driver to mount SDS sockets is strongly recommended by both Istio and SPIRE, as `hostMounts` are a larger security risk and introduce operational hurdles. From c435266a98ef3402a2287ff0c3346340978679b0 Mon Sep 17 00:00:00 2001 From: Ben Leggett <854255+bleggett@users.noreply.github.com> Date: Tue, 20 Aug 2024 12:31:04 -0400 Subject: [PATCH 06/23] Update content/en/docs/ops/integrations/spire/index.md Co-authored-by: Craig Box --- content/en/docs/ops/integrations/spire/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/docs/ops/integrations/spire/index.md b/content/en/docs/ops/integrations/spire/index.md index eb5e6b09abd80..7d5089df13738 100644 --- a/content/en/docs/ops/integrations/spire/index.md +++ b/content/en/docs/ops/integrations/spire/index.md @@ -50,7 +50,7 @@ EOF This will also install: -- The [SPIFFE CSI driver](https://github.com/spiffe/spiffe-csi) which is used to mount an Envoy-compatible SDS socket into proxies. Using the SPIFFE CSI driver to mount SDS sockets is strongly recommended by both Istio and SPIRE, as `hostMounts` are a larger security risk and introduce operational hurdles. +- The [SPIFFE CSI driver](https://github.com/spiffe/spiffe-csi), which is used to mount an Envoy-compatible SDS socket into proxies. Using the SPIFFE CSI driver to mount SDS sockets is strongly recommended by both Istio and SPIRE, as `hostMounts` are a larger security risk and introduce operational hurdles. - The [SPIRE Controller Manager](https://github.com/spiffe/spire-controller-manager), which eases the creation of SPIFFE registrations for workloads. From 94cdb7f9c87f67d8e2d5831b8a30641a270207e9 Mon Sep 17 00:00:00 2001 
From: Ben Leggett <854255+bleggett@users.noreply.github.com> Date: Tue, 20 Aug 2024 12:31:18 -0400 Subject: [PATCH 07/23] Update content/en/docs/ops/integrations/spire/index.md Co-authored-by: Craig Box --- content/en/docs/ops/integrations/spire/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/docs/ops/integrations/spire/index.md b/content/en/docs/ops/integrations/spire/index.md index 7d5089df13738..dd4337fa77249 100644 --- a/content/en/docs/ops/integrations/spire/index.md +++ b/content/en/docs/ops/integrations/spire/index.md @@ -56,7 +56,7 @@ This will also install: ## Register workloads -SPIRE by-design only grants identities to workloads that have been registered with the SPIRE server. +By design, SPIRE only grants identities to workloads that have been registered with the SPIRE server. This includes your user workloads, as well as Istio's own workloads - Istio sidecars and gateways, once configured for SPIRE integration, cannot get identities, and therefore cannot reach READY status, unless there is a preexisting, matching SPIRE registration created for them ahead of time. From a2db480e5834326910fc69bc0981f22cb57a4571 Mon Sep 17 00:00:00 2001 From: Ben Leggett <854255+bleggett@users.noreply.github.com> Date: Tue, 20 Aug 2024 12:33:19 -0400 Subject: [PATCH 08/23] Update content/en/docs/ops/integrations/spire/index.md Co-authored-by: Craig Box --- content/en/docs/ops/integrations/spire/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/docs/ops/integrations/spire/index.md b/content/en/docs/ops/integrations/spire/index.md index dd4337fa77249..0f39e5489ec03 100644 --- a/content/en/docs/ops/integrations/spire/index.md +++ b/content/en/docs/ops/integrations/spire/index.md 
@@ -44,7 +44,7 @@ EOF {{< /text >}} {{< tip >}} - See the [SPIRE Helm chart](https://artifacthub.io/packages/helm/spiffe/spire) documentation for other values you can configure for your installation - this doc only mentions the minimal subset required to achieve Istio integration. +This is the minimal subset of changes required to integrate with Istio. See the [SPIRE Helm chart](https://artifacthub.io/packages/helm/spiffe/spire) documentation for other values you can configure for your installation. {{< /tip >}} From 4d5d4ea0125c71ca6f93462fdf8029d03fac0559 Mon Sep 17 00:00:00 2001 From: Ben Leggett <854255+bleggett@users.noreply.github.com> Date: Tue, 20 Aug 2024 12:35:30 -0400 Subject: [PATCH 09/23] Update content/en/docs/ops/integrations/spire/index.md Co-authored-by: Craig Box --- content/en/docs/ops/integrations/spire/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/docs/ops/integrations/spire/index.md b/content/en/docs/ops/integrations/spire/index.md index 0f39e5489ec03..58925cc833cae 100644 --- a/content/en/docs/ops/integrations/spire/index.md +++ b/content/en/docs/ops/integrations/spire/index.md 
@@ -77,7 +77,7 @@ Both Istio sidecars and Istio gateways need to be registered with SPIRE, so that #### Istio Gateway ClusterSPIFFEID -The following will create a ClusterSPIFFEID which will auto-register any Istio Ingress gateway pod with SPIRE if it is scheduled into the `istio-system` namespace, and has a service account named `istio-ingressgateway-service-account`. These selectors are used as a simple example, consult the [SPIRE Controller Manager documentation](https://github.com/spiffe/spire-controller-manager/blob/main/docs/clusterspiffeid-crd.md) for more details. +The following will create a `ClusterSPIFFEID` which will auto-register any Istio Ingress gateway pod with SPIRE if it is scheduled into the `istio-system` namespace, and has a service account named `istio-ingressgateway-service-account`. These selectors are used as a simple example; consult the [SPIRE Controller Manager documentation](https://github.com/spiffe/spire-controller-manager/blob/main/docs/clusterspiffeid-crd.md) for more details. {{< text syntax=bash snip_id=spire_csid_istio_gateway >}} $ kubectl apply -f - < Date: Tue, 20 Aug 2024 12:35:54 -0400 Subject: [PATCH 10/23] Update content/en/docs/ops/integrations/spire/index.md Co-authored-by: Craig Box --- content/en/docs/ops/integrations/spire/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/docs/ops/integrations/spire/index.md b/content/en/docs/ops/integrations/spire/index.md index 58925cc833cae..46f0f80d584ac 100644 --- a/content/en/docs/ops/integrations/spire/index.md +++ b/content/en/docs/ops/integrations/spire/index.md 
@@ -95,7 +95,7 @@ EOF #### Istio Sidecar ClusterSPIFFEID -The following will create a ClusterSPIFFEID which will auto-register any pod with the `spiffe.io/spire-managed-identity: true` label that is deployed into the `default` namespace with SPIRE. These selectors are used as a simple example, consult the [SPIRE Controller Manager documentation](https://github.com/spiffe/spire-controller-manager/blob/main/docs/clusterspiffeid-crd.md) for more details. +The following will create a ClusterSPIFFEID which will auto-register any pod with the `spiffe.io/spire-managed-identity: true` label that is deployed into the `default` namespace with SPIRE. These selectors are used as a simple example; consult the [SPIRE Controller Manager documentation](https://github.com/spiffe/spire-controller-manager/blob/main/docs/clusterspiffeid-crd.md) for more details. {{< text syntax=bash snip_id=spire_csid_istio_gateway >}} $ kubectl apply -f - < Date: Tue, 20 Aug 2024 13:49:24 -0400 Subject: [PATCH 11/23] Review comments, lints, fixups Signed-off-by: Benjamin Leggett --- .../en/docs/ops/integrations/spire/index.md | 58 ++++++++----------- 1 file changed, 24 insertions(+), 34 deletions(-) diff --git a/content/en/docs/ops/integrations/spire/index.md b/content/en/docs/ops/integrations/spire/index.md index 46f0f80d584ac..e83a7d9cb7856 100644 --- a/content/en/docs/ops/integrations/spire/index.md +++ b/content/en/docs/ops/integrations/spire/index.md 
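Review bot: the unchanged context line `{{< text syntax=bash snip_id=spire_csid_istio_gateway >}}` in the Istio Sidecar ClusterSPIFFEID section reuses the snip id of the gateway section, so the generated snips.sh would get two `snip_spire_csid_istio_gateway` definitions and the sidecar registration would never be exercised by the test; give it its own id such as `spire_csid_istio_sidecar`. The sentence above it also still has `ClusterSPIFFEID` without backticks while the gateway section now uses code formatting.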
@@ -19,17 +19,11 @@ SPIRE's node attestation extends attestation to the physical or virtual hardware For a quick demo of how this SPIRE integration with Istio works, see [Integrating SPIRE as a CA through Envoy's SDS API]({{< github_tree >}}/samples/security/spire). -{{< warning >}} -Note that this integration requires version 1.14+ for both `istioctl` and the data plane. -{{< /warning >}} - -The integration is compatible with Istio upgrades. - ## Install SPIRE -Istio recommends you follow SPIRE's installation instructions and general recommendations for installing SPIRE. +We recommend you follow SPIRE's installation instructions and best practices for installing SPIRE, and for deploying SPIRE in production environments. -For this guide, the [SPIRE Helm charts](https://artifacthub.io/packages/helm/spiffe/spire) will be used as a simple way to install SPIRE dependencies for Istio and illustrate the configuration necessary to integrate SPIRE and Istio. +For the examples in this guide, the [SPIRE Helm charts](https://artifacthub.io/packages/helm/spiffe/spire) will be used with upstream defaults, to focus on just the configuration necessary to integrate SPIRE and Istio. {{< text syntax=bash snip_id=install_spire_crds >}} $ helm upgrade --install -n spire-server spire-crds spire-crds --repo https://spiffe.github.io/helm-charts-hardened/ --create-namespace 
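Review bot: removing the `Note that this integration requires version 1.14+` warning also removes `The integration is compatible with Istio upgrades.`, which is not stale in the same way; if the version floor is obsolete, say so in the commit message and keep the upgrade-compatibility sentence, since it is a property operators plan around. The new `used with upstream defaults` wording is also at odds with the override file passed via `-f -` in `install_spire_istio_overrides`; say "upstream defaults plus the overrides below".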
@@ -44,23 +38,22 @@ EOF {{< /text >}} {{< tip >}} -This is the minimal subset of changes required to integrate with Istio. See the [SPIRE Helm chart](https://artifacthub.io/packages/helm/spiffe/spire) documentation for other values you can configure for your installation. +See the [SPIRE Helm chart](https://artifacthub.io/packages/helm/spiffe/spire) documentation for other values you can configure for your installation. {{< /tip >}} +It is important that SPIRE and Istio are configured with the exact same trust domain, to prevent authentication and authorization errors. -This will also install: +By default, the above will also install: -- The [SPIFFE CSI driver](https://github.com/spiffe/spiffe-csi), which is used to mount an Envoy-compatible SDS socket into proxies. Using the SPIFFE CSI driver to mount SDS sockets is strongly recommended by both Istio and SPIRE, as `hostMounts` are a larger security risk and introduce operational hurdles. +- The [SPIFFE CSI driver](https://github.com/spiffe/spiffe-csi), which is used to mount an Envoy-compatible SDS socket into proxies. Using the SPIFFE CSI driver to mount SDS sockets is strongly recommended by both Istio and SPIRE, as `hostMounts` are a larger security risk and introduce operational hurdles. This guide assumes the use of the SPIFFE CSI driver. - The [SPIRE Controller Manager](https://github.com/spiffe/spire-controller-manager), which eases the creation of SPIFFE registrations for workloads. ## Register workloads -By design, SPIRE only grants identities to workloads that have been registered with the SPIRE server. - -This includes your user workloads, as well as Istio's own workloads - Istio sidecars and gateways, once configured for SPIRE integration, cannot get identities, and therefore cannot reach READY status, unless there is a preexisting, matching SPIRE registration created for them ahead of time. 
+By design, SPIRE only grants identities to workloads that have been registered with the SPIRE server; this includes user workloads, as well as Istio components. Istio sidecars and gateways, once configured for SPIRE integration, cannot get identities, and therefore cannot reach READY status, unless there is a preexisting, matching SPIRE registration created for them ahead of time. -See the [SPIRE help on Registering workloads](https://spiffe.io/docs/latest/deploying/registering/) for more information on using multiple selectors to strengthen attestation criteria, and the selectors available. +See the [SPIRE docs on registering workloads](https://spiffe.io/docs/latest/deploying/registering/) for more information on using multiple selectors to strengthen attestation criteria, and the selectors available. This section describes the options available for registering Istio workloads in a SPIRE Server and provides some example workload registrations. 
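Review bot: the new sentence `It is important that SPIRE and Istio are configured with the exact same trust domain` is not actionable without saying where each value lives; name the IstioOperator `trustDomain: example.org` setting shown later in this patch and the corresponding SPIRE chart trust domain value, and note the symptom of a mismatch (workloads never receive an identity, or peers reject each other's certificates) so operators can recognise it.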
@@ -68,16 +61,15 @@ This section describes the options available for registering Istio workloads in Istio currently requires a specific SPIFFE ID format for workloads. All registrations must follow the Istio SPIFFE ID pattern: `spiffe:///ns//sa/` {{< /warning >}} - ### Option 1: Auto-registration using the SPIRE Controller Manager -New entries will be automatically registered for each new pod that matches the selector defined in a [ClusterSPIFFEID](https://github.com/spiffe/spire-controller-manager/blob/main/docs/clusterspiffeid-crd.md) custom resource. +New entries will be automatically registered for each new pod that matches the selector defined in a [ClusterSPIFFEID](https://github.com/spiffe/spire-controller-manager/blob/main/docs/clusterspiffeid-crd.md) custom resource. Both Istio sidecars and Istio gateways need to be registered with SPIRE, so that they can request identities. -#### Istio Gateway ClusterSPIFFEID +#### Istio Gateway `ClusterSPIFFEID` -The following will create a `ClusterSPIFFEID` which will auto-register any Istio Ingress gateway pod with SPIRE if it is scheduled into the `istio-system` namespace, and has a service account named `istio-ingressgateway-service-account`. These selectors are used as a simple example; consult the [SPIRE Controller Manager documentation](https://github.com/spiffe/spire-controller-manager/blob/main/docs/clusterspiffeid-crd.md) for more details. +The following will create a `ClusterSPIFFEID`, which will auto-register any Istio Ingress gateway pod with SPIRE if it is scheduled into the `istio-system` namespace, and has a service account named `istio-ingressgateway-service-account`. These selectors are used as a simple example; consult the [SPIRE Controller Manager documentation](https://github.com/spiffe/spire-controller-manager/blob/main/docs/clusterspiffeid-crd.md) for more details. 
{{< text syntax=bash snip_id=spire_csid_istio_gateway >}} $ kubectl apply -f - <}} -#### Istio Sidecar ClusterSPIFFEID +#### Istio Sidecar `ClusterSPIFFEID` -The following will create a ClusterSPIFFEID which will auto-register any pod with the `spiffe.io/spire-managed-identity: true` label that is deployed into the `default` namespace with SPIRE. These selectors are used as a simple example; consult the [SPIRE Controller Manager documentation](https://github.com/spiffe/spire-controller-manager/blob/main/docs/clusterspiffeid-crd.md) for more details. +The following will create a `ClusterSPIFFEID` which will auto-register any pod with the `spiffe.io/spire-managed-identity: true` label that is deployed into the `default` namespace with SPIRE. These selectors are used as a simple example; consult the [SPIRE Controller Manager documentation](https://github.com/spiffe/spire-controller-manager/blob/main/docs/clusterspiffeid-crd.md) for more details. {{< text syntax=bash snip_id=spire_csid_istio_gateway >}} $ kubectl apply -f - <}} $ SPIRE_SERVER_POD=$(kubectl get pod -l app=spire-server -n spire -o jsonpath="{.items[0].metadata.name}") @@ -163,7 +151,7 @@ The following steps assume you have [already followed the SPIRE documentation to 1. [Download the Istio release](/docs/setup/additional-setup/download-istio-release/). -1. Create the Istio configuration with custom patches for the Ingress-gateway and istio-proxy. The Ingress Gateway component includes the `spiffe.io/spire-managed-identity: "true"` label. +1. Create the Istio configuration with custom patches for the Ingress Gateway and `istio-proxy`. The Ingress Gateway component includes the `spiffe.io/spire-managed-identity: "true"` label. {{< text syntax=bash snip_id=define_istio_operator_for_auto_registration >}} $ cat < ./istio.yaml 
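Review bot: the unchanged context line `$ SPIRE_SERVER_POD=$(kubectl get pod -l app=spire-server -n spire -o jsonpath=...)` still targets namespace `spire`, but `snip_install_spire_crds` in this same patch installs everything with `-n spire-server`; update the namespace here, and check that the `app=spire-server` label actually matches the pods the Helm chart creates. The sidecar section's `{{< text ... snip_id=spire_csid_istio_gateway >}}` line is also still a duplicate of the gateway snip id.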
@@ -253,7 +241,7 @@ The following steps assume you have [already followed the SPIRE documentation to $ istioctl install --skip-confirmation -f ./istio.yaml {{< /text >}} -1. Check Ingress-gateway pod state: +1. Check Ingress Gateway pod state: {{< text syntax=bash snip_id=none >}} $ kubectl get pods -n istio-system @@ -262,9 +250,9 @@ The following steps assume you have [already followed the SPIRE documentation to istiod-989f54d9c-sg7sn 1/1 Running 0 23s {{< /text >}} - The Ingress-gateway pod is `Ready` since the corresponding registration entry is automatically created for it on the SPIRE Server. Envoy is able to fetch cryptographic identities from SPIRE. + The Ingress Gateway pod is `Ready` since the corresponding registration entry is automatically created for it on the SPIRE Server. Envoy is able to fetch cryptographic identities from SPIRE. - This configuration also adds an initContainer to the gateway that will wait for SPIRE to create the UNIX Domain Socket before starting the istio-proxy. If the SPIRE agent is not ready or has not been properly configured with the same socket path, the Ingress Gateway initContainer will wait forever. + This configuration also adds an `initContainer` to the gateway that will wait for SPIRE to create the UNIX Domain Socket before starting the `istio-proxy`. If the SPIRE agent is not ready, or has not been properly configured with the same socket path, the Ingress Gateway `initContainer` will wait forever. 1. Deploy an example workload: 
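Review bot: `the Ingress Gateway initContainer will wait forever` describes a failure mode without a diagnosis step; add how to spot it (`kubectl describe pod` on the gateway pod, or `kubectl logs -c wait-for-spire-socket`) and the two things to check, that the `spire-agent` DaemonSet is Running and that the socket path configured in the SPIRE values matches the `/run/secrets/workload-spiffe-uds` mount in the gateway overlay.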
@@ -391,7 +379,7 @@ This will allow Envoy to get federated bundles directly from SPIRE. ### Create federated registration entries -* If using the SPIRE Controller Manager, create federated entries for workloads by setting the `federatesWith` field of the [ClusterSPIFFEID CR](https://github.com/spiffe/spire-controller-manager/blob/main/docs/clusterspiffeid-crd.md) to the trust domains you want the pod to federate with: +- If using the SPIRE Controller Manager, create federated entries for workloads by setting the `federatesWith` field of the [ClusterSPIFFEID CR](https://github.com/spiffe/spire-controller-manager/blob/main/docs/clusterspiffeid-crd.md) to the trust domains you want the pod to federate with: {{< text syntax=yaml snip_id=none >}} apiVersion: spire.spiffe.io/v1alpha1 @@ -406,10 +394,12 @@ This will allow Envoy to get federated bundles directly from SPIRE. federatesWith: ["example.io", "example.ai"] {{< /text >}} -* For manual registration see [Create Registration Entries for Federation](https://spiffe.io/docs/latest/architecture/federation/readme/#create-registration-entries-for-federation). +- For manual registration see [Create Registration Entries for Federation](https://spiffe.io/docs/latest/architecture/federation/readme/#create-registration-entries-for-federation). ## Cleanup SPIRE +Remove SPIRE by uninstalling its Helm charts: + {{< text syntax=bash snip_id=uninstall_spire >}} $ helm delete -n spire-server spire {{< /text >}} From cab76f964eb7b7b3f2c9385637b77dcb750b96ef Mon Sep 17 00:00:00 2001 From: Benjamin Leggett Date: Tue, 20 Aug 2024 13:54:53 -0400 Subject: [PATCH 12/23] Genfix Signed-off-by: Benjamin Leggett --- .../en/docs/ops/integrations/spire/snips.sh | 260 +++++------------- 1 file changed, 75 insertions(+), 185 deletions(-) diff --git a/content/en/docs/ops/integrations/spire/snips.sh b/content/en/docs/ops/integrations/spire/snips.sh index 9f7afa5f86b3a..b5eb9e54a5c92 100644 --- a/content/en/docs/ops/integrations/spire/snips.sh 
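Review bot: `helm delete -n spire-server spire` under `Remove SPIRE by uninstalling its Helm charts:` does not remove the `spire-server` namespace that `--create-namespace` made during install, whereas the old cleanup ran `kubectl delete namespace spire`; add `kubectl delete ns spire-server` after both chart uninstalls, and keep the `spire-crds` uninstall last so the `ClusterSPIFFEID` objects created in this guide are removed with their CRD.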
+++ b/content/en/docs/ops/integrations/spire/snips.sh @@ -20,109 +20,82 @@ # docs/ops/integrations/spire/index.md #################################################################################################### -snip_install_spire_with_controller_manager() { -kubectl apply -f samples/security/spire/spire-quickstart.yaml +snip_install_spire_crds() { +helm upgrade --install -n spire-server spire-crds spire-crds --repo https://spiffe.github.io/helm-charts-hardened/ --create-namespace } -! IFS=$'\n' read -r -d '' snip_spire_ca_integration_prerequisites_1 <<\ENDSNIP -socket_path = "/run/secrets/workload-spiffe-uds/socket" -ENDSNIP +snip_install_spire_istio_overrides() { +helm upgrade --install -n spire-server spire spire --repo https://spiffe.github.io/helm-charts-hardened/ --wait -f - < ./istio.yaml -apiVersion: install.istio.io/v1alpha1 -kind: IstioOperator +snip_spire_csid_istio_gateway() { +kubectl apply -f - < ./istio.yaml apiVersion: install.istio.io/v1alpha1 kind: IstioOperator @@ -134,10 +107,14 @@ spec: trustDomain: example.org values: global: - # This is used to customize the sidecar template + # This is used to customize the sidecar template. + # It adds both the label to indicate that SPIRE should manage the + # identity of this pod, as well as the CSI driver mounts. sidecarInjectorWebhook: templates: spire: | + labels: + spiffe.io/spire-managed-identity: "true" spec: containers: - name: istio-proxy @@ -158,6 +135,9 @@ spec: istio: ingressgateway k8s: overlays: + # This is used to customize the ingress gateway template. + # It adds the CSI driver mounts, as well as an init container + # to stall gateway startup until the CSI driver mounts the socket. - apiVersion: apps/v1 kind: Deployment name: istio-ingressgateway @@ -176,7 +156,7 @@ spec: - path: spec.template.spec.initContainers value: - name: wait-for-spire-socket - image: busybox:1.28 + image: busybox:1.36 volumeMounts: - name: workload-socket mountPath: /run/secrets/workload-spiffe-uds 
@@ -197,88 +177,14 @@ spec: EOF } -snip_apply_sleep() { -istioctl kube-inject --filename samples/security/spire/sleep-spire.yaml | kubectl apply -f - -} - -snip_option_2_manual_registration_1() { -INGRESS_POD=$(kubectl get pod -l istio=ingressgateway -n istio-system -o jsonpath="{.items[0].metadata.name}") -INGRESS_POD_UID=$(kubectl get pods -n istio-system "$INGRESS_POD" -o jsonpath='{.metadata.uid}') -} - -snip_set_spire_server_pod_name_var() { -SPIRE_SERVER_POD=$(kubectl get pod -l app=spire-server -n spire -o jsonpath="{.items[0].metadata.name}") -} - -snip_option_2_manual_registration_3() { -kubectl exec -n spire "$SPIRE_SERVER_POD" -- \ -/opt/spire/bin/spire-server entry create \ - -spiffeID spiffe://example.org/ns/spire/sa/spire-agent \ - -selector k8s_psat:cluster:demo-cluster \ - -selector k8s_psat:agent_ns:spire \ - -selector k8s_psat:agent_sa:spire-agent \ - -node -socketPath /run/spire/sockets/server.sock -} - -! IFS=$'\n' read -r -d '' snip_option_2_manual_registration_3_out <<\ENDSNIP - -Entry ID : d38c88d0-7d7a-4957-933c-361a0a3b039c -SPIFFE ID : spiffe://example.org/ns/spire/sa/spire-agent -Parent ID : spiffe://example.org/spire/server -Revision : 0 -TTL : default -Selector : k8s_psat:agent_ns:spire -Selector : k8s_psat:agent_sa:spire-agent -Selector : k8s_psat:cluster:demo-cluster -ENDSNIP - -snip_option_2_manual_registration_4() { -kubectl exec -n spire "$SPIRE_SERVER_POD" -- \ -/opt/spire/bin/spire-server entry create \ - -spiffeID spiffe://example.org/ns/istio-system/sa/istio-ingressgateway-service-account \ - -parentID spiffe://example.org/ns/spire/sa/spire-agent \ - -selector k8s:sa:istio-ingressgateway-service-account \ - -selector k8s:ns:istio-system \ - -selector k8s:pod-uid:"$INGRESS_POD_UID" \ - -dns "$INGRESS_POD" \ - -dns istio-ingressgateway.istio-system.svc \ - -socketPath /run/spire/sockets/server.sock +snip_apply_istio_operator_configuration() { +istioctl install --set values.pilot.env.PILOT_ENABLE_CONFIG_DISTRIBUTION_TRACKING=true 
--skip-confirmation -f ./istio.yaml } -! IFS=$'\n' read -r -d '' snip_option_2_manual_registration_4_out <<\ENDSNIP - -Entry ID : 6f2fe370-5261-4361-ac36-10aae8d91ff7 -SPIFFE ID : spiffe://example.org/ns/istio-system/sa/istio-ingressgateway-service-account -Parent ID : spiffe://example.org/ns/spire/sa/spire-agent -Revision : 0 -TTL : default -Selector : k8s:ns:istio-system -Selector : k8s:pod-uid:63c2bbf5-a8b1-4b1f-ad64-f62ad2a69807 -Selector : k8s:sa:istio-ingressgateway-service-account -DNS name : istio-ingressgateway.istio-system.svc -DNS name : istio-ingressgateway-5b45864fd4-lgrxs -ENDSNIP - -snip_option_2_manual_registration_5() { +snip_apply_sleep() { istioctl kube-inject --filename samples/security/spire/sleep-spire.yaml | kubectl apply -f - } -snip_set_sleep_pod_vars() { -SLEEP_POD=$(kubectl get pod -l app=sleep -o jsonpath="{.items[0].metadata.name}") -SLEEP_POD_UID=$(kubectl get pods "$SLEEP_POD" -o jsonpath='{.metadata.uid}') -} - -snip_option_2_manual_registration_8() { -kubectl exec -n spire "$SPIRE_SERVER_POD" -- \ -/opt/spire/bin/spire-server entry create \ - -spiffeID spiffe://example.org/ns/default/sa/sleep \ - -parentID spiffe://example.org/ns/spire/sa/spire-agent \ - -selector k8s:ns:default \ - -selector k8s:pod-uid:"$SLEEP_POD_UID" \ - -dns "$SLEEP_POD" \ - -socketPath /run/spire/sockets/server.sock -} - snip_verifying_that_identities_were_created_for_workloads_1() { kubectl exec -t "$SPIRE_SERVER_POD" -n spire -c spire-server -- ./bin/spire-server entry show } 
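Review bot: the retained `snip_verifying_that_identities_were_created_for_workloads_1` still runs `kubectl exec -t "$SPIRE_SERVER_POD" -n spire -c spire-server`, while `snip_install_spire_crds` at the top of this file installs into `spire-server`; since snips.sh is generated from index.md, fix the namespace in the doc's `entry show` block so the regenerated snip matches the install.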
@@ -315,26 +221,10 @@ openssl x509 -in chain.pem -text | grep SPIRE Subject: C = US, O = SPIRE, CN = sleep-5f4d47c948-njvpk ENDSNIP -snip_cleanup_spire_1() { -kubectl delete CustomResourceDefinition clusterspiffeids.spire.spiffe.io -kubectl delete CustomResourceDefinition clusterfederatedtrustdomains.spire.spiffe.io -kubectl delete -n spire configmap spire-bundle -kubectl delete -n spire serviceaccount spire-agent -kubectl delete -n spire configmap spire-agent -kubectl delete -n spire daemonset spire-agent -kubectl delete csidriver csi.spiffe.io -kubectl delete ValidatingWebhookConfiguration spire-controller-manager-webhook -kubectl delete -n spire configmap spire-controller-manager-config -kubectl delete -n spire configmap spire-server -kubectl delete -n spire service spire-controller-manager-webhook-service -kubectl delete -n spire service spire-server-bundle-endpoint -kubectl delete -n spire service spire-server -kubectl delete -n spire serviceaccount spire-server -kubectl delete -n spire deployment spire-server -kubectl delete clusterrole spire-server-cluster-role spire-agent-cluster-role manager-role -kubectl delete clusterrolebinding spire-server-cluster-role-binding spire-agent-cluster-role-binding manager-role-binding -kubectl delete -n spire role spire-server-role leader-election-role -kubectl delete -n spire rolebinding spire-server-role-binding leader-election-role-binding -kubectl delete namespace spire -rm istio.yaml chain.pem +snip_uninstall_spire() { +helm delete -n spire-server spire +} + +snip_uninstall_spire_crds() { +helm delete -n spire-server spire-crds } From 4ee3929b9c0bb0f05d9439471b56386c84e8e7ec Mon Sep 17 00:00:00 2001 From: Benjamin Leggett Date: Tue, 20 Aug 2024 14:00:12 -0400 Subject: [PATCH 13/23] Fix Signed-off-by: Benjamin Leggett --- content/en/docs/ops/integrations/spire/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
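Review bot: the new `snip_uninstall_spire` / `snip_uninstall_spire_crds` pair drops `rm istio.yaml chain.pem` from the old `snip_cleanup_spire_1`, but `./istio.yaml` is still written by the IstioOperator snippet and `chain.pem` is still read by `openssl x509 -in chain.pem` just above; restore the file cleanup so repeated test runs start from a clean working directory.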
diff --git a/content/en/docs/ops/integrations/spire/index.md b/content/en/docs/ops/integrations/spire/index.md index e83a7d9cb7856..2f949ead46ea3 100644 --- a/content/en/docs/ops/integrations/spire/index.md +++ b/content/en/docs/ops/integrations/spire/index.md @@ -94,7 +94,7 @@ $ kubectl apply -f - < Date: Tue, 20 Aug 2024 14:29:22 -0400 Subject: [PATCH 14/23] Twiddle Signed-off-by: Benjamin Leggett --- content/en/docs/ops/integrations/spire/index.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/content/en/docs/ops/integrations/spire/index.md b/content/en/docs/ops/integrations/spire/index.md index 2f949ead46ea3..10295c80d253e 100644 --- a/content/en/docs/ops/integrations/spire/index.md +++ b/content/en/docs/ops/integrations/spire/index.md @@ -97,9 +97,11 @@ metadata: name: istio-sidecar-reg spec: spiffeIDTemplate: "spiffe://{{ .TrustDomain }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}" + podSelector: + matchLabels: + spiffe.io/spire-managed-identity: "true" workloadSelectorTemplates: - "k8s:ns:default" - - "k8s:pod-label:spiffe.io/spire-managed-identity:true" EOF {{< /text >}} From 8141fdb21aa923a7314314e405b253080038a978 Mon Sep 17 00:00:00 2001 From: Benjamin Leggett Date: Tue, 20 Aug 2024 14:38:08 -0400 Subject: [PATCH 15/23] Tests Signed-off-by: Benjamin Leggett --- .../integrations/spire/automatic_registration_test.sh | 10 +++++++--- content/en/docs/ops/integrations/spire/index.md | 2 +- content/en/docs/ops/integrations/spire/snips.sh | 6 ++++-- 3 files changed, 12 insertions(+), 6 deletions(-) diff --git a/content/en/docs/ops/integrations/spire/automatic_registration_test.sh b/content/en/docs/ops/integrations/spire/automatic_registration_test.sh index 7e3f69d170c4e..9355d8abc9f43 100644 --- a/content/en/docs/ops/integrations/spire/automatic_registration_test.sh +++ b/content/en/docs/ops/integrations/spire/automatic_registration_test.sh 
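Review bot: in the `Twiddle` hunk, moving `spiffe.io/spire-managed-identity: "true"` from `workloadSelectorTemplates` (`k8s:pod-label:...`) to `podSelector.matchLabels` changes what the label means: `podSelector` only decides which pods the controller manager creates entries for, while a workload selector is a criterion the agent must match at attestation time. With the label gone from the entry, `k8s:ns:default` is the only templated selector left, so say in the commit message that this is intentional and that per-pod attestation still relies on the selectors the controller manager adds itself.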
@@ -22,12 +22,14 @@ set -o pipefail # @setup profile=none # Install SPIRE configured with k8s Controller Manager -snip_install_spire_with_controller_manager +snip_install_spire_crds +snip_install_spire_istio_overrides _wait_for_daemonset spire spire-agent _wait_for_deployment spire spire-server # Create ClusterSPIFFEID -snip_create_clusterspiffeid +snip_spire_csid_istio_gateway +snip_spire_csid_istio_sidecar # Install Istio set +u # Do not exit when value is unset. CHECK_FILE in the IstioOperator might be unset @@ -56,7 +58,9 @@ snip_get_sleep_svid _verify_contains snip_get_svid_subject "O = SPIRE" # @cleanup +# kubectl delete -f samples/security/spire/sleep-spire.yaml istioctl uninstall --purge --skip-confirmation kubectl delete ns istio-system -snip_cleanup_spire_1 +snip_uninstall_spire +snip_uninstall_spire_crds diff --git a/content/en/docs/ops/integrations/spire/index.md b/content/en/docs/ops/integrations/spire/index.md index 10295c80d253e..86bf656f201e9 100644 --- a/content/en/docs/ops/integrations/spire/index.md +++ b/content/en/docs/ops/integrations/spire/index.md @@ -89,7 +89,7 @@ EOF The following will create a `ClusterSPIFFEID` which will auto-register any pod with the `spiffe.io/spire-managed-identity: true` label that is deployed into the `default` namespace with SPIRE. These selectors are used as a simple example; consult the [SPIRE Controller Manager documentation](https://github.com/spiffe/spire-controller-manager/blob/main/docs/clusterspiffeid-crd.md) for more details. -{{< text syntax=bash snip_id=spire_csid_istio_gateway >}} +{{< text syntax=bash snip_id=spire_csid_istio_sidecar >}} $ kubectl apply -f - < Date: Tue, 20 Aug 2024 14:56:36 -0400 Subject: [PATCH 16/23] Fix Signed-off-by: Benjamin Leggett --- content/en/docs/ops/integrations/spire/snips.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
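Review bot: in the first test hunk, `_wait_for_daemonset spire spire-agent` and `_wait_for_deployment spire spire-server` wait in namespace `spire`, but `snip_install_spire_crds` / `snip_install_spire_istio_overrides` just above them install into `spire-server`, so these waits will never see the workloads; use the same namespace as the install.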
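Review bot: in the `@cleanup` hunk, `# kubectl delete -f samples/security/spire/sleep-spire.yaml` is left commented out with no explanation; `kubectl delete ns istio-system` does not remove the sleep workload, which `snip_apply_sleep` applies to the default namespace, so either delete it here or add a comment saying why it is skipped.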
diff --git a/content/en/docs/ops/integrations/spire/snips.sh b/content/en/docs/ops/integrations/spire/snips.sh index b26e222154773..3e7e37f9e3cbd 100644 --- a/content/en/docs/ops/integrations/spire/snips.sh +++ b/content/en/docs/ops/integrations/spire/snips.sh @@ -46,7 +46,7 @@ spec: EOF } -snip_spire_csid_istio_gateway() { +snip_spire_csid_istio_sidecar() { kubectl apply -f - < Date: Tue, 20 Aug 2024 15:44:16 -0400 Subject: [PATCH 17/23] Wrong namespace Signed-off-by: Benjamin Leggett --- .../ops/integrations/spire/automatic_registration_test.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/en/docs/ops/integrations/spire/automatic_registration_test.sh b/content/en/docs/ops/integrations/spire/automatic_registration_test.sh index 9355d8abc9f43..8ef3ac6c3ef23 100644 --- a/content/en/docs/ops/integrations/spire/automatic_registration_test.sh +++ b/content/en/docs/ops/integrations/spire/automatic_registration_test.sh @@ -24,8 +24,8 @@ set -o pipefail # Install SPIRE configured with k8s Controller Manager snip_install_spire_crds snip_install_spire_istio_overrides -_wait_for_daemonset spire spire-agent -_wait_for_deployment spire spire-server +_wait_for_daemonset spire-server spire-agent +_wait_for_deployment spire-server spire-server # Create ClusterSPIFFEID snip_spire_csid_istio_gateway From c874d6e7ef021528bc6d6a3cf4257bbe201a2523 Mon Sep 17 00:00:00 2001 From: Benjamin Leggett Date: Tue, 20 Aug 2024 17:23:48 -0400 Subject: [PATCH 18/23] Statefulset now Signed-off-by: Benjamin Leggett --- .../spire/automatic_registration_test.sh | 2 +- tests/util/helpers.sh | 14 +++++++++++++- 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/content/en/docs/ops/integrations/spire/automatic_registration_test.sh b/content/en/docs/ops/integrations/spire/automatic_registration_test.sh index 8ef3ac6c3ef23..df54f1f3544bc 100644 --- a/content/en/docs/ops/integrations/spire/automatic_registration_test.sh 
+++ b/content/en/docs/ops/integrations/spire/automatic_registration_test.sh @@ -25,7 +25,7 @@ set -o pipefail snip_install_spire_crds snip_install_spire_istio_overrides _wait_for_daemonset spire-server spire-agent -_wait_for_deployment spire-server spire-server +_wait_for_statefulset spire-server spire-server # Create ClusterSPIFFEID snip_spire_csid_istio_gateway diff --git a/tests/util/helpers.sh b/tests/util/helpers.sh index 46fb8a094a02f..13583c206786a 100644 --- a/tests/util/helpers.sh +++ b/tests/util/helpers.sh @@ -93,6 +93,18 @@ _wait_for_daemonset() { fi } +# Wait for rollout of named statefulset +# usage: _wait_for_statefulset +_wait_for_statefulset() { + local namespace="$1" + local name="$2" + local context="${3:-}" + if ! kubectl --context="$context" -n "$namespace" rollout status statefulset "$name" --timeout 5m; then + echo "Failed rollout of statefulset $name in namespace $namespace" + exit 1 + fi +} + # Wait for Istio config to propagate # usage: _wait_for_istio _wait_for_istio() { @@ -139,4 +151,4 @@ _rewrite_helm_repo() { cmd="$(echo "${cmd}" | sed 's|istio/gateway|manifests/charts/gateway|')" cmd="$(echo "${cmd}" | sed -E "s|(helm[[:space:]]+[^[:space:]]+)|\1 --set global.tag=${ISTIO_IMAGE_VERSION=SHOULD_BE_SET}.${ISTIO_LONG_SHA=latest}|g")" eval "${cmd}" -} \ No newline at end of file +} From 92d2855b147399efd927d5a21f7821dc43586852 Mon Sep 17 00:00:00 2001 From: Benjamin Leggett Date: Tue, 20 Aug 2024 19:08:14 -0400 Subject: [PATCH 19/23] Fixup Signed-off-by: Benjamin Leggett --- content/en/docs/ops/integrations/spire/index.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/en/docs/ops/integrations/spire/index.md b/content/en/docs/ops/integrations/spire/index.md index 86bf656f201e9..2caa8af9ff9b5 100644 --- a/content/en/docs/ops/integrations/spire/index.md +++ b/content/en/docs/ops/integrations/spire/index.md 
@@ -114,7 +114,7 @@ Below are the equivalent manual registrations based off the automatic registrati 1. Get the `spire-server` pod: {{< text syntax=bash snip_id=set_spire_server_pod_name_var >}} - $ SPIRE_SERVER_POD=$(kubectl get pod -l app=spire-server -n spire -o jsonpath="{.items[0].metadata.name}") + $ SPIRE_SERVER_POD=$(kubectl get pod -l statefulset.kubernetes.io/pod-name=spire-server-0 -n spire-server -o jsonpath="{.items[0].metadata.name}") {{< /text >}} 1. Register an entry for the Istio Ingress gateway pod: @@ -316,7 +316,7 @@ to check issued identities. Use the following command to confirm that identities were created for the workloads: {{< text bash >}} -$ kubectl exec -t "$SPIRE_SERVER_POD" -n spire -c spire-server -- ./bin/spire-server entry show +$ kubectl exec -t "$SPIRE_SERVER_POD" -n spire-server -c spire-server -- ./bin/spire-server entry show Found 2 entries Entry ID : c8dfccdc-9762-4762-80d3-5434e5388ae7 SPIFFE ID : spiffe://example.org/ns/istio-system/sa/istio-ingressgateway-service-account From 5d1245212af4c6f76c4d691f08fad235ae432838 Mon Sep 17 00:00:00 2001 From: Benjamin Leggett Date: Tue, 20 Aug 2024 19:13:09 -0400 Subject: [PATCH 20/23] More test fixup Signed-off-by: Benjamin Leggett --- .../spire/automatic_registration_test.sh | 6 +---- .../en/docs/ops/integrations/spire/index.md | 8 +++++- .../en/docs/ops/integrations/spire/snips.sh | 25 +++---------------- 3 files changed, 11 insertions(+), 28 deletions(-) diff --git a/content/en/docs/ops/integrations/spire/automatic_registration_test.sh b/content/en/docs/ops/integrations/spire/automatic_registration_test.sh index df54f1f3544bc..b64cde4edff76 100644 --- a/content/en/docs/ops/integrations/spire/automatic_registration_test.sh +++ b/content/en/docs/ops/integrations/spire/automatic_registration_test.sh 
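Review bot: `kubectl get pod -l statefulset.kubernetes.io/pod-name=spire-server-0 ... -o jsonpath="{.items[0].metadata.name}"` looks up a pod by a label that already contains its name, so the jsonpath round trip is redundant; either assign `SPIRE_SERVER_POD=spire-server-0` directly, or keep the lookup but select on the chart's app label so the snippet stays valid if the StatefulSet name changes. The second hunk's `-n spire-server` fix is correct.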
@@ -46,12 +46,8 @@ _wait_for_deployment default sleep # Set spire-server pod variable snip_set_spire_server_pod_name_var -# Verify registration identities were created for sleep and ingress gateway -_verify_contains snip_verifying_that_identities_were_created_for_workloads_1 "spiffe://example.org/ns/default/sa/sleep" -_verify_contains snip_verifying_that_identities_were_created_for_workloads_1 "spiffe://example.org/ns/istio-system/sa/istio-ingressgateway-service-account" - # Set sleep pod and pod uid variables -snip_set_sleep_pod_vars +snip_set_sleep_pod_var # Verify sleep workload identity was issued by SPIRE snip_get_sleep_svid diff --git a/content/en/docs/ops/integrations/spire/index.md b/content/en/docs/ops/integrations/spire/index.md index 2caa8af9ff9b5..9d38c7d40a062 100644 --- a/content/en/docs/ops/integrations/spire/index.md +++ b/content/en/docs/ops/integrations/spire/index.md @@ -315,7 +315,7 @@ to check issued identities. Use the following command to confirm that identities were created for the workloads: -{{< text bash >}} +{{< text syntax=bash snip_id=none>}} $ kubectl exec -t "$SPIRE_SERVER_POD" -n spire-server -c spire-server -- ./bin/spire-server entry show Found 2 entries Entry ID : c8dfccdc-9762-4762-80d3-5434e5388ae7 @@ -348,6 +348,12 @@ After registering an entry for the Ingress-gateway pod, Envoy receives the ident ### Check that the workload identity was issued by SPIRE +1. Get pod information: + + {{< text syntax=bash snip_id=set_sleep_pod_var >}} + $ SLEEP_POD=$(kubectl get pod -l app=sleep -o jsonpath="{.items[0].metadata.name}") + {{< /text >}} + 1. Retrieve sleep's SVID identity document using the istioctl proxy-config secret command: {{< text syntax=bash snip_id=get_sleep_svid >}} diff --git a/content/en/docs/ops/integrations/spire/snips.sh b/content/en/docs/ops/integrations/spire/snips.sh index 3e7e37f9e3cbd..3a6122e3e4f10 100644 --- a/content/en/docs/ops/integrations/spire/snips.sh +++ b/content/en/docs/ops/integrations/spire/snips.sh 
@@ -63,7 +63,7 @@ EOF } snip_set_spire_server_pod_name_var() { -SPIRE_SERVER_POD=$(kubectl get pod -l app=spire-server -n spire -o jsonpath="{.items[0].metadata.name}") +SPIRE_SERVER_POD=$(kubectl get pod -l statefulset.kubernetes.io/pod-name=spire-server-0 -n spire-server -o jsonpath="{.items[0].metadata.name}") } snip_option_2_manual_registration_2() { @@ -187,29 +187,10 @@ snip_apply_sleep() { istioctl kube-inject --filename samples/security/spire/sleep-spire.yaml | kubectl apply -f - } -snip_verifying_that_identities_were_created_for_workloads_1() { -kubectl exec -t "$SPIRE_SERVER_POD" -n spire -c spire-server -- ./bin/spire-server entry show +snip_set_sleep_pod_var() { +SLEEP_POD=$(kubectl get pod -l app=sleep -o jsonpath="{.items[0].metadata.name}") } -! IFS=$'\n' read -r -d '' snip_verifying_that_identities_were_created_for_workloads_1_out <<\ENDSNIP -Found 2 entries -Entry ID : c8dfccdc-9762-4762-80d3-5434e5388ae7 -SPIFFE ID : spiffe://example.org/ns/istio-system/sa/istio-ingressgateway-service-account -Parent ID : spiffe://example.org/spire/agent/k8s_psat/demo-cluster/bea19580-ae04-4679-a22e-472e18ca4687 -Revision : 0 -X509-SVID TTL : default -JWT-SVID TTL : default -Selector : k8s:pod-uid:88b71387-4641-4d9c-9a89-989c88f7509d - -Entry ID : af7b53dc-4cc9-40d3-aaeb-08abbddd8e54 -SPIFFE ID : spiffe://example.org/ns/default/sa/sleep -Parent ID : spiffe://example.org/spire/agent/k8s_psat/demo-cluster/bea19580-ae04-4679-a22e-472e18ca4687 -Revision : 0 -X509-SVID TTL : default -JWT-SVID TTL : default -Selector : k8s:pod-uid:ee490447-e502-46bd-8532-5a746b0871d6 -ENDSNIP - snip_get_sleep_svid() { istioctl proxy-config secret "$SLEEP_POD" -o json | jq -r \ '.dynamicActiveSecrets[0].secret.tlsCertificate.certificateChain.inlineBytes' | base64 --decode > chain.pem From d3b0dd737a4ca2a690078b06d5a7298fc106dc46 Mon Sep 17 00:00:00 2001 From: Benjamin Leggett Date: Tue, 20 Aug 2024 19:25:50 -0400 Subject: [PATCH 21/23] fix 
Signed-off-by: Benjamin Leggett --- content/en/docs/ops/integrations/spire/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/docs/ops/integrations/spire/index.md b/content/en/docs/ops/integrations/spire/index.md index 9d38c7d40a062..b5efe92d84150 100644 --- a/content/en/docs/ops/integrations/spire/index.md +++ b/content/en/docs/ops/integrations/spire/index.md @@ -315,7 +315,7 @@ to check issued identities. Use the following command to confirm that identities were created for the workloads: -{{< text syntax=bash snip_id=none>}} +{{< text syntax=bash snip_id=none >}} $ kubectl exec -t "$SPIRE_SERVER_POD" -n spire-server -c spire-server -- ./bin/spire-server entry show Found 2 entries Entry ID : c8dfccdc-9762-4762-80d3-5434e5388ae7 From a0c976fd0b301c654e647f0ccf3defef6b6ca21e Mon Sep 17 00:00:00 2001 From: Benjamin Leggett Date: Wed, 21 Aug 2024 12:34:25 -0400 Subject: [PATCH 22/23] Reviews, testfix Signed-off-by: Benjamin Leggett --- .../spire/automatic_registration_test.sh | 1 + content/en/docs/ops/integrations/spire/index.md | 12 ++++-------- 2 files changed, 5 insertions(+), 8 deletions(-) diff --git a/content/en/docs/ops/integrations/spire/automatic_registration_test.sh b/content/en/docs/ops/integrations/spire/automatic_registration_test.sh index b64cde4edff76..a5f9bdb497afb 100644 --- a/content/en/docs/ops/integrations/spire/automatic_registration_test.sh +++ b/content/en/docs/ops/integrations/spire/automatic_registration_test.sh @@ -60,3 +60,4 @@ istioctl uninstall --purge --skip-confirmation kubectl delete ns istio-system snip_uninstall_spire snip_uninstall_spire_crds +kubectl delete ns spire-server diff --git a/content/en/docs/ops/integrations/spire/index.md b/content/en/docs/ops/integrations/spire/index.md index b5efe92d84150..06e2e1670b3b8 100644 --- a/content/en/docs/ops/integrations/spire/index.md +++ b/content/en/docs/ops/integrations/spire/index.md 
@@ -30,18 +30,14 @@ $ helm upgrade --install -n spire-server spire-crds spire-crds --repo https://sp {{< /text >}} {{< text syntax=bash snip_id=install_spire_istio_overrides >}} -$ helm upgrade --install -n spire-server spire spire --repo https://spiffe.github.io/helm-charts-hardened/ --wait -f - <}} {{< tip >}} See the [SPIRE Helm chart](https://artifacthub.io/packages/helm/spiffe/spire) documentation for other values you can configure for your installation. -{{< /tip >}} -It is important that SPIRE and Istio are configured with the exact same trust domain, to prevent authentication and authorization errors. +It is important that SPIRE and Istio are configured with the exact same trust domain, to prevent authentication and authorization errors, and that the [SPIFFE CSI driver](https://github.com/spiffe/spiffe-csi) is enabled and installed. +{{< /tip >}} By default, the above will also install: @@ -368,7 +364,7 @@ After registering an entry for the Ingress-gateway pod, Envoy receives the ident Subject: C = US, O = SPIRE, CN = sleep-5f4d47c948-njvpk {{< /text >}} -## SPIFFE Federation +## SPIFFE federation SPIRE Servers are able to authenticate SPIFFE identities originating from different trust domains. This is known as SPIFFE federation. From 055d589f981d0fb606c76f31c3639c7b7ad131f4 Mon Sep 17 00:00:00 2001 From: Benjamin Leggett Date: Wed, 21 Aug 2024 13:07:57 -0400 Subject: [PATCH 23/23] Gen Signed-off-by: Benjamin Leggett --- content/en/docs/ops/integrations/spire/snips.sh | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/content/en/docs/ops/integrations/spire/snips.sh b/content/en/docs/ops/integrations/spire/snips.sh index 3a6122e3e4f10..5b83dfd48aae3 100644 --- a/content/en/docs/ops/integrations/spire/snips.sh +++ b/content/en/docs/ops/integrations/spire/snips.sh 
@@ -25,11 +25,7 @@ helm upgrade --install -n spire-server spire-crds spire-crds --repo https://spif } snip_install_spire_istio_overrides() { -helm upgrade --install -n spire-server spire spire --repo https://spiffe.github.io/helm-charts-hardened/ --wait -f - <
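Review bot: the usage comment on the new `_wait_for_statefulset` helper in the `tests/util/helpers.sh` hunk at `@@ -93,6 +93,18 @@` (PATCH 01) names no arguments, yet the function reads `$1` (namespace), `$2` (name) and an optional `$3` (context); write it as `# usage: _wait_for_statefulset NAMESPACE NAME [CONTEXT]` so the new call `_wait_for_statefulset spire-server spire-server` in `automatic_registration_test.sh` can be checked against it. The failure message is echoed to stdout; `echo "Failed rollout ..." >&2` would keep it out of any captured command output. The hardcoded `--timeout 5m` matches the StatefulSet rollout semantics, but consider whether the same timeout is what the existing `_wait_for_daemonset` helper uses so the two behave consistently.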
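Review bot: in the `index.md` hunk at `@@ -114,7 +114,7 @@` (PATCH 19), selecting with `-l statefulset.kubernetes.io/pod-name=spire-server-0` hardcodes the pod name and then asks jsonpath to return that same name, so the lookup can only yield `spire-server-0` or an empty string; either assign `SPIRE_SERVER_POD=spire-server-0` directly, or select on a label the chart sets on the server pods so the command survives a StatefulSet rename. Either way the value depends on the Helm release being named `spire` as in the install command, and that coupling deserves a sentence in the doc. The same hardcoded selector is duplicated in the generated `snips.sh` hunk at `@@ -63,7 +63,7 @@`, so fix it in `index.md` and regenerate.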
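Review bot: the `automatic_registration_test.sh` hunk at `@@ -46,12 +46,8 @@` (PATCH 20) drops the two `_verify_contains` checks that asserted both `spiffe://example.org/ns/default/sa/sleep` and `spiffe://example.org/ns/istio-system/sa/istio-ingressgateway-service-account` appear in `spire-server entry show`, and the matching snip plus its expected output are removed from `snips.sh` at `@@ -187,29 +187,10 @@`. After this change the test still verifies the sleep SVID (`snip_get_sleep_svid`), but nothing confirms that the gateway entry was registered, so a regression in gateway registration would pass CI. Since the doc's `entry show` block now carries `snip_id=none`, it is no longer generated or verifiable at all; keeping it as a real snip and asserting on at least the two SPIFFE IDs would restore that coverage.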
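Review bot: the new "Get pod information" step in the `index.md` hunk at `@@ -348,6 +348,12 @@` (PATCH 20) runs `kubectl get pod -l app=sleep` without `-n`, so `SLEEP_POD` resolves against whatever namespace the reader's current kubeconfig context selects, while the test script waits on `_wait_for_deployment default sleep`; adding `-n default` makes the doc command match the test and removes the dependency on the current context. Also, the shortcode introduced in this same commit at `@@ -315,7 +315,7 @@` is written `{{< text syntax=bash snip_id=none>}}` and is only corrected to `snip_id=none >}}` in PATCH 21; squashing that one-character fix into PATCH 20 avoids a commit in which the page is malformed.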
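Review bot: the `kubectl delete ns spire-server` added in the `automatic_registration_test.sh` hunk at `@@ -60,3 +60,4 @@` (PATCH 22) is needed because the namespace was created with `helm upgrade --install ... --create-namespace` and Helm does not remove it on uninstall, but it exits non-zero if the namespace is already gone; `kubectl delete ns spire-server --ignore-not-found` keeps the teardown idempotent. The ordering after `snip_uninstall_spire` and `snip_uninstall_spire_crds` is right, since deleting the namespace first would leave CR finalizers racing against the CRD removal.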
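Review bot: in the `index.md` hunk at `@@ -30,18 +30,14 @@` (PATCH 22), the `{{< tip >}}` now states two hard requirements, an identical trust domain in SPIRE and Istio and an enabled, installed SPIFFE CSI driver, but the values fed to `helm upgrade --install ... -f -` are not visible in the hunk as rendered here, so a reader cannot tell which chart values satisfy them; name the relevant value keys in the tip, or point at the exact lines of the install snippet, so the requirement is actionable. Moving the trust-domain sentence from body text into the tip also demotes it to an aside, and a mismatch produces authentication and authorization failures rather than a cosmetic problem, so consider leaving a one-line statement in the body as well.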