// Module included in the following assemblies:
//
// * security/zero_trust_workload_identity_manager/zero-trust-manager-spire-federation.adoc
:_mod-docs-content-type: REFERENCE
[id="zero-trust-manager-config-example_{context}"]
= Federation configuration examples
[role="_abstract"]
The following examples demonstrate different SPIRE federation configurations. Use these as templates when setting up federation between your clusters.
Example 1: Using ACME for automatic certificate management::
The following example shows how to configure federation using Let's Encrypt for automatic certificate provisioning and renewal:
+
[source,yaml]
----
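apiVersion: operator.openshift.io/v1alpha1
kind: SpireServer
metadata:
  name: cluster
spec:
  trustDomain: cluster1.example.com
  federation:
    # How this cluster serves its own trust bundle to federated peers.
    bundleEndpoint:
      # https_web: the bundle endpoint is authenticated with a Web PKI certificate.
      profile: https_web
      # Advised re-fetch interval for peers (unit not stated on this page; presumably seconds — confirm).
      refreshHint: 300
      httpsWeb:
        # ACME provisions and renews the endpoint's serving certificate automatically.
        acme:
          # Production Let's Encrypt directory; switch to the staging directory while testing.
          directoryUrl: https://acme-v02.api.letsencrypt.org/directory
          # DNS name the certificate is requested for.
          domainName: federation.apps.cluster1.example.com
          email: admin@example.com
          # Kept quoted as in the original: an unquoted true would be parsed as a YAML boolean.
          tosAccepted: "true"
    # Remote trust domains whose bundles this cluster fetches and trusts.
    federatesWith:
      - trustDomain: cluster2.example.com
        bundleEndpointUrl: https://federation.apps.cluster2.example.com
        bundleEndpointProfile: https_web
      - trustDomain: cluster3.example.com
        bundleEndpointUrl: https://federation.apps.cluster3.example.com
        bundleEndpointProfile: https_web
    # Kept quoted as in the original: an unquoted true would be parsed as a YAML boolean.
    # NOTE(review): nesting under `federation` is assumed — confirm against the SpireServer CRD schema.
    managedRoute: "true"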
----
* The `profile` field uses the `https_web` profile for Web PKI certificate-based authentication.
* The `directoryUrl` field points to the production ACME directory. For testing, use the staging URL `https://acme-staging-v02.api.letsencrypt.org/directory`.
Example 2: Using manual certificate management with cert-manager::
The following example shows how to configure federation using externally managed certificates:
+
[source,yaml]
----
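apiVersion: operator.openshift.io/v1alpha1
kind: SpireServer
metadata:
  name: cluster
spec:
  trustDomain: cluster1.example.com
  federation:
    # How this cluster serves its own trust bundle to federated peers.
    bundleEndpoint:
      # https_web: the bundle endpoint is authenticated with a Web PKI certificate.
      profile: https_web
      # Advised re-fetch interval for peers (unit not stated on this page; presumably seconds — confirm).
      refreshHint: 300
      httpsWeb:
        # Serving certificate comes from an externally managed Secret (for example, cert-manager) instead of ACME.
        servingCert:
          # Re-read the Secret for a rotated certificate every 24 hours (86400 seconds).
          fileSyncInterval: 86400
          # Name of the Kubernetes Secret holding tls.crt and tls.key.
          externalSecretRef: spire-server-federation-tls
    # Remote trust domains whose bundles this cluster fetches and trusts.
    federatesWith:
      - trustDomain: cluster2.example.com
        bundleEndpointUrl: https://federation.apps.cluster2.example.com
        bundleEndpointProfile: https_web
      - trustDomain: cluster3.example.com
        bundleEndpointUrl: https://federation.apps.cluster3.example.com
        bundleEndpointProfile: https_web
    # Kept quoted as in the original: an unquoted true would be parsed as a YAML boolean.
    # NOTE(review): nesting under `federation` is assumed — confirm against the SpireServer CRD schema.
    managedRoute: "true"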
----
* The `fileSyncInterval` value of `86400` seconds makes the server check for certificate updates every 24 hours.
* The `externalSecretRef` field is the name of the Kubernetes Secret that contains `tls.crt` and `tls.key`.
Example 3: Using https_spiffe profile for SPIRE-to-SPIRE federation::
The following example shows how to configure federation using SPIFFE-based TLS authentication:
+
[source,yaml]
----
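apiVersion: operator.openshift.io/v1alpha1
kind: SpireServer
metadata:
  name: cluster
spec:
  trustDomain: cluster1.example.com
  federation:
    # How this cluster serves its own trust bundle to federated peers.
    bundleEndpoint:
      # https_spiffe: the bundle endpoint is authenticated with SPIFFE-based TLS,
      # so no Web PKI serving certificate (httpsWeb) is configured here.
      profile: https_spiffe
      # Advised re-fetch interval for peers (unit not stated on this page; presumably seconds — confirm).
      refreshHint: 300
    # Remote trust domains whose bundles this cluster fetches and trusts.
    federatesWith:
      - trustDomain: cluster2.example.com
        bundleEndpointUrl: https://federation.apps.cluster2.example.com
        bundleEndpointProfile: https_spiffe
        # SPIFFE ID the remote SPIRE server must present; required for identity validation.
        endpointSpiffeId: spiffe://cluster2.example.com/spire/server
      - trustDomain: cluster3.example.com
        bundleEndpointUrl: https://federation.apps.cluster3.example.com
        bundleEndpointProfile: https_spiffe
        # SPIFFE ID the remote SPIRE server must present; required for identity validation.
        endpointSpiffeId: spiffe://cluster3.example.com/spire/server
    # Kept quoted as in the original: an unquoted true would be parsed as a YAML boolean.
    # NOTE(review): nesting under `federation` is assumed — confirm against the SpireServer CRD schema.
    managedRoute: "true"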
----
* The `profile` field uses the `https_spiffe` profile for SPIFFE-based TLS authentication.
* The `endpointSpiffeId` field contains the SPIFFE ID of the remote SPIRE server and is required for identity validation.
Example 4: Mixed federation with multiple authentication profiles::
The following example shows a cluster federating with multiple remote clusters using different authentication profiles:
+
[source,yaml]
----
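apiVersion: operator.openshift.io/v1alpha1
kind: SpireServer
metadata:
  name: cluster
spec:
  trustDomain: internal-cluster.example.com
  federation:
    # This cluster serves its own bundle with SPIFFE-based TLS (https_spiffe).
    bundleEndpoint:
      profile: https_spiffe
      # Advised re-fetch interval for peers (unit not stated on this page; presumably seconds — confirm).
      refreshHint: 300
    # The profile is chosen per remote peer: https_spiffe entries carry an
    # endpointSpiffeId for identity validation, https_web entries do not.
    federatesWith:
      # Internal cluster using SPIFFE TLS
      - trustDomain: dev-cluster.example.com
        bundleEndpointUrl: https://federation.apps.dev-cluster.example.com
        bundleEndpointProfile: https_spiffe
        endpointSpiffeId: spiffe://dev-cluster.example.com/spire/server
      # External partner using Web PKI
      - trustDomain: partner.example.com
        bundleEndpointUrl: https://federation.partner.example.com
        bundleEndpointProfile: https_web
      # Another external partner using Web PKI
      - trustDomain: vendor.example.com
        bundleEndpointUrl: https://spire-federation.vendor.example.com
        bundleEndpointProfile: https_web
    # Kept quoted as in the original: an unquoted true would be parsed as a YAML boolean.
    # NOTE(review): nesting under `federation` is assumed — confirm against the SpireServer CRD schema.
    managedRoute: "true"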
----
* The `profile` field shows that the cluster exposes its own bundle using the `https_spiffe` profile.
* The `bundleEndpointProfile` field is set per remote cluster: `https_spiffe` for the internal `dev-cluster.example.com` entry, and `https_web` for the external `partner.example.com` and `vendor.example.com` entries.