mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
openshift-docs/modules/zero-trust-manager-deploy-app.adoc
2025-09-17 13:55:27 +00:00


// Module included in the following assemblies:
//
// * security/zero_trust_workload_identity_manageer/zero-trust-manager-oidc-federation.adoc
:_mod-docs-content-type: PROCEDURE
[id="zero-trust-manager-deploy-app_{context}"]
= Deploying the workload application
After the demonstration application has been created, deploy it as a pod that can request a JWT-SVID from the SPIFFE Workload API through the `csi.spiffe.io` volume.
.Prerequisites
* The demonstration application has been created and deployed.
.Procedure
. To deploy the application, copy the entire command block provided and paste it directly into your terminal. Press *Enter*.
+
[source,terminal]
----
$ oc apply -f - << EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: $APP_NAME
  namespace: $APP_NAMESPACE
---
kind: Deployment
apiVersion: apps/v1
metadata:
  name: $APP_NAME
  namespace: $APP_NAMESPACE
spec:
  selector:
    matchLabels:
      app: $APP_NAME
  template:
    metadata:
      labels:
        app: $APP_NAME
        deployment: $APP_NAME
    spec:
      serviceAccountName: $APP_NAME
      containers:
        - name: $APP_NAME
          image: "registry.redhat.io/ubi9/python-311:latest"
          command:
            - /bin/bash
            - "-c"
            - |
              #!/bin/bash
              pip install spiffe azure-cli
              cat << EOF > /opt/app-root/src/get-spiffe-token.py
              #!/opt/app-root/bin/python
              from spiffe import JwtSource
              import argparse
              parser = argparse.ArgumentParser(description='Retrieve SPIFFE Token.')
              parser.add_argument("-a", "--audience", help="The audience to include in the token", required=True)
              args = parser.parse_args()
              with JwtSource() as source:
                  jwt_svid = source.fetch_svid(audience={args.audience})
                  print(jwt_svid.token)
              EOF
              chmod +x /opt/app-root/src/get-spiffe-token.py
              while true; do sleep 10; done
          envFrom:
            - secretRef:
                name: $APP_NAME
          env:
            - name: SPIFFE_ENDPOINT_SOCKET
              value: unix:///run/spire/sockets/spire-agent.sock
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: false
            runAsNonRoot: true
            seccompProfile:
              type: RuntimeDefault
          ports:
            - containerPort: 8080
              protocol: TCP
          volumeMounts:
            - name: spiffe-workload-api
              mountPath: /run/spire/sockets
              readOnly: true
      volumes:
        - name: spiffe-workload-api
          csi:
            driver: csi.spiffe.io
            readOnly: true
EOF
----
.Verification
. Ensure that the `workload-app` pod is running successfully by running the following command:
+
[source,terminal]
----
$ oc get pods -n $APP_NAMESPACE
----
+
.Example output
[source,terminal]
----
NAME                            READY   STATUS    RESTARTS   AGE
workload-app-5f8b9d685b-abcde   1/1     Running   0          60s
----
. Retrieve the SPIFFE JWT token (JWT-SVID):
.. Get the pod name dynamically by running the following command:
+
[source,terminal]
----
$ POD_NAME=$(oc get pods -n $APP_NAMESPACE -l app=$APP_NAME -o jsonpath='{.items[0].metadata.name}')
----
.. Run the script inside the pod by running the following command:
+
[source,terminal]
----
$ oc exec -it $POD_NAME -n $APP_NAMESPACE -- \
/opt/app-root/src/get-spiffe-token.py -a "api://AzureADTokenExchange"
----
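As an added example that is not part of this module or of the Zero Trust Workload Identity Manager, the following Python checks the claims of a token printed by `get-spiffe-token.py` before it is handed to a cloud identity provider: the subject is a SPIFFE ID, the requested audience is present and the token has not expired. The `make_demo_token` helper, the `spiffe://example.org/...` ID and the `now` parameter are constructed for the demo; signature verification against the SPIFFE trust bundle is deliberately out of scope here.

```python
from typing import List, Optional
import base64
import json
import time


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def check_jwt_svid(token: str, audience: str, now: Optional[float] = None) -> List[str]:
    """Return the problems found in a JWT-SVID's claims (empty list = looks sane).

    Only the claims are inspected. The signature is NOT verified here; that
    requires the trust bundle from the SPIFFE Workload API, so this is a
    pre-flight check, not authentication of the workload.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return ["token does not have three dot-separated segments"]
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    problems = []
    if str(header.get("alg", "none")).lower() == "none":
        problems.append("token is unsigned (alg=none)")
    if not str(claims.get("sub", "")).startswith("spiffe://"):
        problems.append("sub is not a SPIFFE ID")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)  # aud may be a string or a list
    if audience not in aud:
        problems.append(f"expected audience {audience!r} not in aud={aud}")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("token has no exp claim or is already expired")
    return problems


def make_demo_token(claims: dict) -> str:
    """Build a CONSTRUCTED token for the demo only: the third segment is a
    placeholder, not a real signature, so a real consumer must reject it."""
    header = {"alg": "ES256", "typ": "JWT", "kid": "demo-key"}

    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

    return f"{enc(header)}.{enc(claims)}.placeholder-signature"
```

To run it against a real token, pass the output of the `oc exec` command above as `token` and `api://AzureADTokenExchange` as `audience`.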