This demo uses SPIFFE/SPIRE https://github.com/spiffe/spire and is based on the SPIRE federation tutorial https://github.com/spiffe/spire-tutorials/tree/master/docker-compose/federation.
The prerequisites to deploy the Federated SPIRE demo include
- 2x K8s clusters (Note that sizing of the clusters depends on the workloads. SPIRE only works on single node clusters)
- kubectl CLI and connectivity to both K8s clusters (-> kubeconfig)
Step 1. Clone this repository to your user directory so that the following commands are successful
$ cd ~/spire-federation-master/participant-a/
$ cd ~/spire-federation-master/participant-b/
Step 2. Setup Spire Environments
Open a CLI window and connect to the Participant-A cluster and execute
$ cd ~/spire-federation-master/
$ kubectl apply -k ./participant-a/
Open another CLI window and connect to the Participant-B cluster and execute
$ cd ~/spire-federation-master/
$ kubectl apply -k ./participant-b/
Step 3. Check external IP addresses of spire-servers Execute the following command on both clusters and note the external IP address of the SPIRE server service
$ kubectl get services -n spire
The output should look like
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
spire-server ClusterIP X.X.X.X **X.X.X.X** 80/TCP 50s
Step 4. Update the SPIRE server-configmap Execute the following command in the CLI connected to the Participant-A cluster
$ cd ~/spire-federation-master/participant-a/
$ vi server-configmap.yaml
Go to the line federates_with "partb.org" and enter the IP address of Participant-B SPIRE server service below in the address-attribute and save the file.
$ kubectl apply-f server-configmap.yaml
$ kubectl delete pod spire-server-0
Execute the following command in the CLI connected to the Participant-B cluster
$ cd ~/spire-federation-master/participant-b/
$ vi server-configmap.yaml
Go to the line federates_with "parta.org" and enter the IP address of Participant-A SPIRE server service below in the address-attribute and save the file.
$ kubectl apply-f server-configmap.yaml
$ kubectl delete pod spire-server-0
Note that if the standard configuration of the SPIRE service is a nodeport. It may be required to change server-service.yaml and change the nodeport to loadbalancer to get a workable external IP address.
Step 5. Export each bundle
Execute the following command in the CLI connected to the Participant-A cluster
$ kubectl exec -n spire spire-server-0 -- /opt/spire/bin/spire-server bundle show -format spiffe > partA.bundle
Execute the following command in the CLI connected to the Participant-B cluster
$ kubectl exec -n spire spire-server-0 -- /opt/spire/bin/spire-server bundle show -format spiffe > partB.bundle
Step 6. Copy bundle into spire-server container
Execute the following command in the CLI connected to the Participant-A cluster
$ kubectl cp ~/partB.bundle spire/spire-server-0:/
Execute the following command in the CLI connected to the Participant-B cluster
$ kubectl cp ~/partA.bundle spire/spire-server-0:/
Step 7. Set bundle Execute the following command in the CLI connected to the Participant-A cluster
$ ./federate.sh partb.org partB.bundle
Execute the following command in the CLI connected to the Participant-B cluster
$ ./federate.sh parta.org partA.bundle
Step 8. Check in both clusters if bundle is refreshed and available
$ kubectl logs -n spire spire-server-0 | grep '"Bundle refreshed"\|"Bundle set successfully"'
$ kubectl exec -n spire spire-server-0 -- /opt/spire/bin/spire-server bundle list -format spiffe
Step 9. Create node registration entries for the SPIRE agents Execute the following command in the CLI connected to the Participant-A cluster
$ cd participant-a/
$ ./create-node-registration-entry.sh
Execute the following command in the CLI connected to the Participant-B cluster
$ cd participant-b/
$ ./create-node-registration-entry.sh
In order to test federation and defederation of trust the following can be used for testing.
$ cd ~/spire-federation-master/
$ ls -als
The scripts federate.sh and defederate.sh occur in the output. $ ./federate.sh $1 $2 with $1 being the trust domain to be federated and $2 being the corresponding trust bundle sets the federation in the SPIRE server of the K8s cluster connected to.
$ ./defederate.sh $1 with $1 being the trust domain to be defederated removes the trust bundle and federation from the SPIRE server of the K8s cluster connected to. Please note that defederate.sh also removes all SPIFFE ID registrations federating with the trust domain being removed.
Several options can be used to integrate with SPIRE to use SPIFFE IDs and SVIDs for mutual authentication and secure communication. The easiest way to move forward with cloud-native workloads could be
- SPIRE Envoy tutorial https://github.com/spiffe/spire-tutorials/tree/master/k8s/envoy-x509 Alternatively, the community provides the following client libraries to implement microservices consuming SPIFFE IDs and SVIDs
- GO lib https://github.com/spiffe/go-spiffe
- Python lib https://github.com/HewlettPackard/py-spiffe
- Java lib https://github.com/spiffe/java-spiffe
- C/C++ lib https://github.com/HewlettPackard/c-spiffe
- You have two running Kubernetes Clusters machines that can reach each other
- Install WSL on your Windows PC (https://docs.microsoft.com/de-de/windows/wsl/install-win10)
- You have kubectl installed on your WSL (https://kubernetes.io/de/docs/tasks/tools/install-kubectl/)
- On your Windows PC: Clone this repository to
C:/so that it will look likeC:/spire-federated
- Load external kubeconfigs into folder
C:/spire-federated/- Typically on k3os the kubeconfig is in
/etc/rancer/k3s/k3s.yaml - Rename kubeconfigs to "kubeconfig-part-a" and "kubeconfig-part-b" (no file ending)
C:/spire-federated/kubeconfig-part-aC:/spire-federated/kubeconfig-part-b
- Configure IP-address in kubeconfig from localhost to the serves' IP-addresses
- Typically on k3os the kubeconfig is in
optional:
- To use the kubeconfigs: add --kubeconfig-flag to kubectl command
ex: kubectl get ns --kubeconfig=C:/spire-federated/kubeconfig-part-a
- To delete all existing resources:
kubectl delete all --all -n {namespace} --kubeconfig=/<dir-kubeconfig>/<kubeconfig-file-name>
sudo bash autosetup.sh domain-a ip-a domain-b ip-b
Example:
sudo bash autosetup.sh participant-a.org 192.168.178.10 participant-b.org 192.168.178.11
- Dominik Dufner, HPE
- Anne Huesges, HPE