mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
// Module included in the following assemblies:
//
// * security/zero_trust_workload_identity_manageer/zero-trust-manager-configuration.adoc

:_mod-docs-content-type: PROCEDURE
[id="zero-trust-manager-spire-server-config_{context}"]
= Deploying the SPIRE Server

[role="_abstract"]
Deploy the SPIRE Server by configuring the `SpireServer` custom resource (CR). This establishes a central authority that manages and issues identities to the workloads in your cluster.

.Prerequisites

* You have access to the cluster as a user with the `cluster-admin` role.

* You have installed {zero-trust-full} in the cluster.

.Procedure

. Create the `SpireServer` CR:

.. Create a YAML file that defines the `SpireServer` CR, for example, `SpireServer.yaml`:
+
.Example `SpireServer.yaml`
+
[source,yaml]
----
apiVersion: operator.openshift.io/v1alpha1
kind: SpireServer
metadata:
  name: cluster
spec:
  logLevel: "info"
  logFormat: "text"
  jwtIssuer: "https://oidc-discovery.apps.cluster.example.com"
  caValidity: "24h"
  defaultX509Validity: "1h"
  defaultJWTValidity: "5m"
  jwtKeyType: "rsa-2048"
  caSubject:
    country: "US"
    organization: "Example Corporation"
    commonName: "SPIRE Server CA"
  persistence:
    size: "5Gi"
    accessMode: "ReadWriteOnce"
    storageClass: "gp3-csi"
  datastore:
    databaseType: "sqlite3"
    connectionString: "/run/spire/data/datastore.sqlite3"
    tlsSecretName: ""
    maxOpenConns: 100
    maxIdleConns: 10
    connMaxLifetime: 0
    disableMigration: "false"
  federation:
    bundleEndpoint:
      profile: "https_spiffe"
      refreshHint: 300
    federatesWith: []
    managedRoute: "true"
----
where:

name:: Specifies the name of the CR. The value must be `cluster`.

logLevel:: Specifies the logging level for the SPIRE Server. The valid options are `debug`, `info`, `warn`, and `error`.

logFormat:: Specifies the logging format for the SPIRE Server. The valid options are `text` and `json`.

jwtIssuer:: Specifies the JWT issuer URL. The value must be a valid HTTPS or HTTP URL with a maximum length of 512 characters.

caValidity:: Specifies the validity period (time to live, or TTL) for the SPIRE Server CA certificate. This determines how long the server's root or intermediate certificate is valid. The format is a duration string (for example, `24h` or `168h`).

defaultX509Validity:: Specifies the default validity period (TTL) for X.509 SVIDs issued to workloads. This value is used if a specific TTL is not configured for a registration entry.

defaultJWTValidity:: Specifies the default validity period (TTL) for JWT SVIDs issued to workloads. This value is used if a specific TTL is not configured for a registration entry.

jwtKeyType:: Specifies the key type used for JWT signing. The valid options are `rsa-2048`, `rsa-4096`, `ec-p256`, and `ec-p384`. This field is optional.

country:: Specifies the country for the SPIRE Server certificate authority (CA). The value must be an ISO 3166-1 alpha-2 country code (2 characters).

organization:: Specifies the organization for the SPIRE Server CA. The maximum length is 64 characters.

commonName:: Specifies the common name for the SPIRE Server CA. The maximum length is 255 characters.

size:: Specifies the size of the persistent volume (for example, `1Gi` or `5Gi`). After it is set, this field is immutable.

accessMode:: Specifies the access mode for the persistent volume. The valid options are `ReadWriteOnce`, `ReadWriteOncePod`, and `ReadWriteMany`. After it is set, this field is immutable.

storageClass:: Specifies the storage class to use for the persistent volume claim (PVC). After it is set, this field is immutable.

databaseType:: Specifies the type of database to use for the datastore. The valid options are `sql`, `sqlite3`, `postgres`, `mysql`, `aws_postgresql`, and `aws_mysql`.

connectionString:: Specifies the connection string for the database. For PostgreSQL with SSL, include `sslmode` and the certificate paths (for example, `dbname=spire user=spire host=postgres.example.com sslmode=verify-full`).

tlsSecretName:: Specifies the name of a Kubernetes secret that contains the TLS certificates for database connections. The secret is mounted at `/run/spire/db/certs`. This field is optional.

maxOpenConns:: Specifies the maximum number of open database connections. The value must be between 1 and 10000.

maxIdleConns:: Specifies the maximum number of idle database connections in the pool. The value must be between 0 and 10000.

connMaxLifetime:: Specifies the maximum lifetime of a database connection, in seconds. A value of `0` means that connections are not closed because of their age.

disableMigration:: Specifies whether automatic database migration is disabled. The valid options are `true` and `false`.

profile:: Specifies the bundle endpoint authentication profile for federation. The valid options are `https_spiffe` and `https_web`.

refreshHint:: Specifies the hint for the bundle refresh interval, in seconds. The value must be between 60 and 3600.

federatesWith:: Specifies the list of trust domains that this cluster federates with. Each entry requires `trustDomain`, `bundleEndpointUrl`, and `bundleEndpointProfile`.

managedRoute:: Specifies whether automatic route creation for the federation endpoint is enabled. Set to `true` to expose the endpoint automatically through a managed OpenShift route, or `false` to configure routing manually.

.. Apply the configuration by running the following command:
+
[source,terminal]
----
$ oc apply -f SpireServer.yaml
----
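
The constraints listed in the field descriptions above can be checked before the CR is applied. The following Python script is an added example, not part of the OpenShift documentation or of the operator's own validation: it encodes the documented allowed values and ranges and runs them against the page's example CR, transcribed into a dict so that no YAML library or cluster is needed. The final check that SVID lifetimes are shorter than `caValidity` is an assumption of this example, not a rule the page states.

```python
# Allowed values and ranges, taken from the SpireServer field descriptions on this page.
ENUMS = {
    "logLevel": {"debug", "info", "warn", "error"}, "logFormat": {"text", "json"},
    "jwtKeyType": {"rsa-2048", "rsa-4096", "ec-p256", "ec-p384"},
    "persistence.accessMode": {"ReadWriteOnce", "ReadWriteOncePod", "ReadWriteMany"},
    "datastore.databaseType": {"sql", "sqlite3", "postgres", "mysql", "aws_postgresql", "aws_mysql"},
    "federation.bundleEndpoint.profile": {"https_spiffe", "https_web"},
}
RANGES = {"datastore.maxOpenConns": (1, 10000), "datastore.maxIdleConns": (0, 10000),
          "federation.bundleEndpoint.refreshHint": (60, 3600)}
UNIT = {"s": 1, "m": 60, "h": 3600}
# The page's example CR transcribed into a dict, so the check runs offline without a YAML library.
EXAMPLE_CR = {"apiVersion": "operator.openshift.io/v1alpha1", "kind": "SpireServer", "metadata": {"name": "cluster"},
    "spec": {"logLevel": "info", "logFormat": "text", "jwtIssuer": "https://oidc-discovery.apps.cluster.example.com",
             "caValidity": "24h", "defaultX509Validity": "1h", "defaultJWTValidity": "5m", "jwtKeyType": "rsa-2048",
             "caSubject": {"country": "US", "organization": "Example Corporation", "commonName": "SPIRE Server CA"},
             "persistence": {"size": "5Gi", "accessMode": "ReadWriteOnce", "storageClass": "gp3-csi"},
             "datastore": {"databaseType": "sqlite3", "connectionString": "/run/spire/data/datastore.sqlite3",
                           "maxOpenConns": 100, "maxIdleConns": 10, "connMaxLifetime": 0, "disableMigration": "false"},
             "federation": {"bundleEndpoint": {"profile": "https_spiffe", "refreshHint": 300}, "managedRoute": "true"}}}

def get(obj, path):  # walk a dotted path through nested dicts; None when any step is missing
    for key in path.split("."):
        obj = obj.get(key) if isinstance(obj, dict) else None
    return obj
def duration_seconds(value):
    """Parse a plain <number><unit> duration such as '24h' or '5m' into seconds, else None."""
    s = str(value)
    return int(s[:-1]) * UNIT[s[-1]] if s[:-1].isdigit() and s[-1:] in UNIT else None

def validate_spire_server(cr):
    """Return the constraint violations found in a SpireServer CR (empty list = OK)."""
    spec, problems = cr.get("spec", {}), []
    if cr.get("kind") != "SpireServer" or get(cr, "metadata.name") != "cluster":
        problems.append("kind must be SpireServer and metadata.name must be 'cluster'")
    issuer = str(spec.get("jwtIssuer", ""))
    if not issuer.startswith(("https://", "http://")) or len(issuer) > 512:
        problems.append("jwtIssuer must be an HTTP(S) URL of at most 512 characters")
    for path, allowed in ENUMS.items():
        if (v := get(spec, path)) is not None and v not in allowed:
            problems.append(f"{path}={v!r} is not one of {sorted(allowed)}")
    for path, (lo, hi) in RANGES.items():
        if (v := get(spec, path)) is not None and not (isinstance(v, int) and lo <= v <= hi):
            problems.append(f"{path}={v!r} must be an integer between {lo} and {hi}")
    ttl = {k: duration_seconds(spec.get(k)) for k in ("caValidity", "defaultX509Validity", "defaultJWTValidity")}
    problems += [f"{k}={spec.get(k)!r} is not a duration such as '24h' or '5m'" for k, v in ttl.items() if v is None]
    # Assumption of this example, not a rule stated on the page: an SVID should not outlive the CA that signs it.
    if ttl["caValidity"] and any(v and v >= ttl["caValidity"] for v in list(ttl.values())[1:]):
        problems.append("defaultX509Validity and defaultJWTValidity should be shorter than caValidity")
    return problems
```

Call `validate_spire_server` on the parsed CR and refuse to run `oc apply` while the returned list is not empty.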

.Verification

* Verify that the SPIRE Server stateful set is ready and available by running the following command:
+
[source,terminal]
----
$ oc get statefulset -l app.kubernetes.io/name=server -n zero-trust-workload-identity-manager
----
+
.Example output
[source,terminal]
----
NAME           READY   AGE
spire-server   1/1     65s
----

* Verify that the status of the SPIRE Server pod is `Running` by running the following command:
+
[source,terminal]
----
$ oc get po -l app.kubernetes.io/name=server -n zero-trust-workload-identity-manager
----
+
.Example output
[source,terminal]
----
NAME             READY   STATUS    RESTARTS       AGE
spire-server-0   2/2     Running   1 (108s ago)   111s
----

* Verify that the persistent volume claim (PVC) is bound by running the following command:
+
[source,terminal]
----
$ oc get pvc -l app.kubernetes.io/name=server -n zero-trust-workload-identity-manager
----
+
.Example output
[source,terminal]
----
NAME                        STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS   VOLUMEATTRIBUTECLASS   AGE
spire-data-spire-server-0   Bound    pvc-27a36535-18a1-4fde-ab6d-e7ee7d3c2744   5Gi        RWO            gp3-csi        <unset>                22m
----