Giter VIP home page Giter VIP logo

spire-federation's Introduction

Federated SPIRE

This demo uses SPIFFE/SPIRE https://github.com/spiffe/spire and is based on the SPIRE federation tutorial https://github.com/spiffe/spire-tutorials/tree/master/docker-compose/federation.

Manual setup

Prerequisites

The prerequisites to deploy the Federated SPIRE demo include

  • 2x K8s clusters (Note that sizing of the clusters depends on the workloads. SPIRE only works on single node clusters)
  • kubectl CLI and connectivity to both K8s clusters (-> kubeconfig)

A federated SPIRE architecture setup involves the following generic steps:

Step 1. Clone this repository to your user directory so that the following commands are successful

$ cd ~/spire-federation-master/participant-a/
$ cd ~/spire-federation-master/participant-b/

Step 2. Setup Spire Environments
Open a CLI window and connect to the Participant-A cluster and execute

$ cd ~/spire-federation-master/
$ kubectl apply -k ./participant-a/

Open another CLI window and connect to the Participant-B cluster and execute

$ cd ~/spire-federation-master/
$ kubectl apply -k ./participant-b/

Step 3. Check external IP addresses of spire-servers Execute the following command on both clusters and note the external IP address of the SPIRE server service

$ kubectl get services -n spire

The output should look like

NAME           TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE
spire-server   ClusterIP   X.X.X.X      **X.X.X.X**   80/TCP    50s

Step 4. Update the SPIRE server-configmap Execute the following command in the CLI connected to the Participant-A cluster

$ cd ~/spire-federation-master/participant-a/
$ vi server-configmap.yaml

Go to the line federates_with "partb.org" and enter the IP address of Participant-B SPIRE server service below in the address-attribute and save the file.

$ kubectl apply-f server-configmap.yaml
$ kubectl delete pod spire-server-0

Execute the following command in the CLI connected to the Participant-B cluster

$ cd ~/spire-federation-master/participant-b/
$ vi server-configmap.yaml

Go to the line federates_with "parta.org" and enter the IP address of Participant-A SPIRE server service below in the address-attribute and save the file.

$ kubectl apply-f server-configmap.yaml
$ kubectl delete pod spire-server-0

Note that if the standard configuration of the SPIRE service is a nodeport. It may be required to change server-service.yaml and change the nodeport to loadbalancer to get a workable external IP address.

Step 5. Export each bundle
Execute the following command in the CLI connected to the Participant-A cluster

$ kubectl exec -n spire spire-server-0 -- /opt/spire/bin/spire-server bundle show -format spiffe > partA.bundle

Execute the following command in the CLI connected to the Participant-B cluster

$ kubectl exec -n spire spire-server-0 -- /opt/spire/bin/spire-server bundle show -format spiffe > partB.bundle

Step 6. Copy bundle into spire-server container
Execute the following command in the CLI connected to the Participant-A cluster

$ kubectl cp ~/partB.bundle spire/spire-server-0:/

Execute the following command in the CLI connected to the Participant-B cluster

$ kubectl cp ~/partA.bundle spire/spire-server-0:/

Step 7. Set bundle Execute the following command in the CLI connected to the Participant-A cluster

$ ./federate.sh partb.org partB.bundle

Execute the following command in the CLI connected to the Participant-B cluster

$ ./federate.sh parta.org partA.bundle

Step 8. Check in both clusters if bundle is refreshed and available

$ kubectl logs -n spire spire-server-0 | grep '"Bundle refreshed"\|"Bundle set successfully"'
$ kubectl exec -n spire spire-server-0 -- /opt/spire/bin/spire-server bundle list -format spiffe

Step 9. Create node registration entries for the SPIRE agents Execute the following command in the CLI connected to the Participant-A cluster

$ cd participant-a/
$ ./create-node-registration-entry.sh

Execute the following command in the CLI connected to the Participant-B cluster

$ cd participant-b/
$ ./create-node-registration-entry.sh

Playground

In order to test federation and defederation of trust the following can be used for testing.

Scripts

$ cd ~/spire-federation-master/
$ ls -als

The scripts federate.sh and defederate.sh occur in the output. $ ./federate.sh $1 $2 with $1 being the trust domain to be federated and $2 being the corresponding trust bundle sets the federation in the SPIRE server of the K8s cluster connected to. $ ./defederate.sh $1 with $1 being the trust domain to be defederated removes the trust bundle and federation from the SPIRE server of the K8s cluster connected to. Please note that defederate.sh also removes all SPIFFE ID registrations federating with the trust domain being removed.

Integration

Several options can be used to integrate with SPIRE to use SPIFFE IDs and SVIDs for mutual authentication and secure communication. The easiest way to move forward with cloud-native workloads could be

Automatic setup (highly dependend on environment)

Requirements:

  1. You have two running Kubernetes Clusters machines that can reach each other
  2. Install WSL on your Windows PC (https://docs.microsoft.com/de-de/windows/wsl/install-win10)
  3. You have kubectl installed on your WSL (https://kubernetes.io/de/docs/tasks/tools/install-kubectl/)
  4. On your Windows PC: Clone this repository to C:/ so that it will look like C:/spire-federated

Preparation:

  1. Load external kubeconfigs into folder C:/spire-federated/
    • Typically on k3os the kubeconfig is in /etc/rancer/k3s/k3s.yaml
    • Rename kubeconfigs to "kubeconfig-part-a" and "kubeconfig-part-b" (no file ending)
      • C:/spire-federated/kubeconfig-part-a
      • C:/spire-federated/kubeconfig-part-b
    • Configure IP-address in kubeconfig from localhost to the serves' IP-addresses

     optional:
     - To use the kubeconfigs: add --kubeconfig-flag to kubectl command
       ex: kubectl get ns --kubeconfig=C:/spire-federated/kubeconfig-part-a
     - To delete all existing resources:
       kubectl delete all --all -n {namespace} --kubeconfig=/<dir-kubeconfig>/<kubeconfig-file-name>

Auto setup:

sudo bash autosetup.sh domain-a ip-a domain-b ip-b
Example:
sudo bash autosetup.sh participant-a.org 192.168.178.10 participant-b.org 192.168.178.11

Main contributors to this demo

  • Dominik Dufner, HPE
  • Anne Huesges, HPE

spire-federation's People

Contributors

flobuehr avatar

Stargazers

avatar avatar avatar avatar

Watchers

avatar avatar

Forkers

christemporale akanshasajimon

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.