From 6666f0940a36edeaf4be6dbd066c94c75f107905 Mon Sep 17 00:00:00 2001 From: Guilherme Carvalho Date: Wed, 8 Mar 2023 10:06:45 -0300 Subject: [PATCH 1/2] Use kind in simple_sat, simple_psat and postgres examples Signed-off-by: Guilherme Carvalho --- examples/k8s/postgres/README.md | 7 +- examples/k8s/postgres/spire-agent.yaml | 3 + examples/k8s/postgres/spire-database.yaml | 4 ++ examples/k8s/postgres/spire-server.yaml | 43 ++++++++--- examples/k8s/postgres/test.sh | 84 +++++++++++++--------- examples/k8s/simple_psat/README.md | 24 ++----- examples/k8s/simple_psat/spire-agent.yaml | 3 + examples/k8s/simple_psat/spire-server.yaml | 5 ++ examples/k8s/simple_psat/test.sh | 80 ++++++++++++--------- examples/k8s/simple_sat/README.md | 6 ++ examples/k8s/simple_sat/spire-agent.yaml | 7 +- examples/k8s/simple_sat/spire-server.yaml | 46 +++++++++--- examples/k8s/simple_sat/test.sh | 79 +++++++++++--------- examples/k8s/test-all.sh | 39 +++++----- 14 files changed, 274 insertions(+), 156 deletions(-) diff --git a/examples/k8s/postgres/README.md b/examples/k8s/postgres/README.md index 29fe031..048c792 100644 --- a/examples/k8s/postgres/README.md +++ b/examples/k8s/postgres/README.md @@ -27,7 +27,7 @@ failures and scalability. + **stateless** - To run the SPIRE server stateless (as in this example), the `UpstreamAuthority` plugin needs to be used. + **stateful** - To run the SPIRE server stateful, the directory specified in - `data_dir` must be persistent (such as in the [simple sat example](../simple_sat) + `data_dir` must be persistent (such as in the [simple sat example](../simple_sat)) where a StatefulSet and PersistentVolumeClaim are used. In this example deployment, the SPIRE server is stateless, using the example 
@@ -69,3 +69,8 @@ Start the agent DaemonSet: ``` $ kubectl apply -f spire-agent.yaml ``` + +## Test + +Simply run `./test.sh`, this script will start a cluster using [kind](https://kind.sigs.k8s.io/), deploy the postgres database, +spire server and agent, and run a simple test to verify the node attestation process. diff --git a/examples/k8s/postgres/spire-agent.yaml b/examples/k8s/postgres/spire-agent.yaml index e0d5653..7021d3c 100644 --- a/examples/k8s/postgres/spire-agent.yaml +++ b/examples/k8s/postgres/spire-agent.yaml @@ -1,3 +1,4 @@ +# Service account for the spire-agent apiVersion: v1 kind: ServiceAccount metadata: @@ -6,6 +7,7 @@ metadata: --- +# Config map for the spire-agent, which contains the agent configuration file and the trust bundle certificate apiVersion: v1 kind: ConfigMap metadata: @@ -73,6 +75,7 @@ data: --- +# Daemonset for spire-agent apiVersion: apps/v1 kind: DaemonSet metadata: diff --git a/examples/k8s/postgres/spire-database.yaml b/examples/k8s/postgres/spire-database.yaml index 5a384d4..18896b4 100644 --- a/examples/k8s/postgres/spire-database.yaml +++ b/examples/k8s/postgres/spire-database.yaml @@ -1,3 +1,4 @@ +# Create a namespace for the SPIRE Server and Agent apiVersion: v1 kind: Namespace metadata: @@ -5,6 +6,7 @@ metadata: --- +# Service account for the spire-database apiVersion: v1 kind: ServiceAccount metadata: @@ -13,6 +15,7 @@ metadata: --- +# StatefulSet for the spire-database apiVersion: apps/v1 kind: StatefulSet metadata: @@ -71,6 +74,7 @@ spec: --- +# Service for the spire-database, so that the spire-server can connect to it kind: Service apiVersion: v1 metadata: diff --git a/examples/k8s/postgres/spire-server.yaml b/examples/k8s/postgres/spire-server.yaml index 760a08b..d6dedf9 100644 --- a/examples/k8s/postgres/spire-server.yaml +++ b/examples/k8s/postgres/spire-server.yaml @@ -1,3 +1,4 @@ +# Service account for the spire-server apiVersion: v1 kind: ServiceAccount metadata: 
@@ -6,6 +7,36 @@ metadata: --- +# Create cluster role allowed to create resource "tokenreviews" in API group "authentication.k8s.io". +# This is required by the server to authenticate agents using [Token Review API](https://kubernetes.io/docs/reference/kubernetes-api/authentication-resources/token-review-v1/) +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: spire-server +rules: + - apiGroups: [ "authentication.k8s.io" ] + resources: [ "tokenreviews" ] + verbs: [ "create" ] + +--- + +# Bind the spire-server service account to the role +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: spire-server +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: spire-server +subjects: + - kind: ServiceAccount + name: spire-server + namespace: spire + +--- + +# Create the upstream authority private key apiVersion: v1 kind: Secret metadata: @@ -17,6 +48,7 @@ data: --- +# Config map for the spire-server, which contains the server configuration file apiVersion: v1 kind: ConfigMap metadata: @@ -50,7 +82,7 @@ data: plugin_data { clusters = { "demo-cluster" = { - service_account_key_file = "/run/k8s-certs/sa.pub" + use_token_review_api_validation = true service_account_allow_list = ["spire:spire-agent"] } } @@ -94,6 +126,7 @@ data: --- +# Deployment for the spire-server apiVersion: apps/v1 kind: Deployment metadata: @@ -133,9 +166,6 @@ spec: - name: spire-secrets mountPath: /run/spire/secrets readOnly: true - - name: k8s-sa-cert - mountPath: /run/k8s-certs/sa.pub - readOnly: true livenessProbe: httpGet: path: /live @@ -157,13 +187,10 @@ spec: - name: spire-secrets secret: secretName: spire-server - - name: k8s-sa-cert - hostPath: - path: /var/lib/minikube/certs/sa.pub - type: File --- +# Create the spire-server service binding to the spire-server deployment apiVersion: v1 kind: Service metadata: 
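Review bot: The ClusterRole and ClusterRoleBinding named `spire-server` added in this hunk are cluster-scoped, so the example's cleanup (`kubectl delete --ignore-not-found namespace spire` in delete-ns) never removes them; with `KEEP_CLUSTER=1` they survive each run and are shared by name with the identical objects simple_sat adds at the hunk starting `@@ -13,6 +15,36 @@`, where the binding then points at a service account in a namespace that has been deleted and recreated. Either document that these two objects outlive the namespace, or have delete-ns also run `kubectl delete --ignore-not-found clusterrole,clusterrolebinding spire-server >/dev/null`. As a point of style, the flow lists here use inner spaces (`apiGroups: [ "authentication.k8s.io" ]`) while the same file keeps `service_account_allow_list = ["spire:spire-agent"]` and the default yamllint/Prettier form has none; the same spacing is newly introduced into the `args:` lists of simple_sat/spire-agent.yaml and simple_sat/spire-server.yaml, so `apiGroups: ["authentication.k8s.io"]` (and likewise for `resources`/`verbs`/`args`) would keep one convention across the examples.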
diff --git a/examples/k8s/postgres/test.sh b/examples/k8s/postgres/test.sh index 9805221..0e623ea 100755 --- a/examples/k8s/postgres/test.sh +++ b/examples/k8s/postgres/test.sh @@ -1,6 +1,6 @@ #!/bin/bash -DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" +DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" bold=$(tput bold) || true norm=$(tput sgr0) || true 
@@ -9,35 +9,49 @@ green=$(tput setaf 2) || true yellow=$(tput setaf 3) || true fail() { - echo "${red}$*${norm}." - exit 1 + echo "${red}$*${norm}." + exit 1 +} + +create-cluster() { + if ! kind get clusters | grep demo-cluster; then + kind create cluster -n demo-cluster || fail "Failed to create cluster" + fi +} + +delete-cluster() { + if [ "${KEEP_CLUSTER:-0}" -eq 0 ]; then + kind delete cluster -n demo-cluster >/dev/null + fi } delete-ns() { - echo "${bold}Cleaning up...${norm}" - kubectl delete --ignore-not-found namespace spire > /dev/null + echo "${bold}Cleaning up...${norm}" + kubectl delete --ignore-not-found namespace spire >/dev/null } cleanup() { - if [ -z "${GOOD}" ]; then - echo "${yellow}Dumping statefulset/spire-database logs...${norm}" - kubectl -nspire logs statefulset/spire-database --all-containers - echo "${yellow}Dumping deployment/spire-server logs...${norm}" - kubectl -nspire logs deployment/spire-server --all-containers - echo "${yellow}Dumping daemonset/spire-agent logs...${norm}" - kubectl -nspire logs daemonset/spire-agent --all-containers - fi - delete-ns - if [ -n "${GOOD}" ]; then - echo "${green}Success.${norm}" - else - echo "${red}Failed.${norm}" - fi + delete-cluster + if [ -z "${GOOD}" ]; then + echo "${yellow}Dumping statefulset/spire-database logs...${norm}" + kubectl -nspire logs statefulset/spire-database --all-containers + echo "${yellow}Dumping deployment/spire-server logs...${norm}" + kubectl -nspire logs deployment/spire-server --all-containers + echo "${yellow}Dumping daemonset/spire-agent logs...${norm}" + kubectl -nspire logs daemonset/spire-agent --all-containers + fi + delete-ns + if [ -n "${GOOD}" ]; then + echo "${green}Success.${norm}" + else + echo "${red}Failed.${norm}" + fi } trap cleanup EXIT echo "${bold}Preparing environment...${norm}" +create-cluster delete-ns kubectl create namespace spire 
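Review bot: `cleanup` now calls `delete-cluster` as its first statement, so on a standalone run (KEEP_CLUSTER unset, the case the README describes) the kind cluster is already gone when the failure branch tries `kubectl -nspire logs ...` and when `delete-ns` runs, and the diagnostics the branch exists to collect are lost; the same ordering is in simple_psat/test.sh and simple_sat/test.sh. Move the call to the end of the function: drop the leading `delete-cluster` line and add `delete-cluster` as the last statement after the Success/Failed echo. Separately, `kind get clusters | grep demo-cluster` in create-cluster is a substring match that also prints the matched name to the script's output; `if ! kind get clusters | grep -qx demo-cluster; then` checks for the exact cluster name quietly (the same pattern appears in the other two test.sh files and in test-all.sh).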
@@ -45,22 +59,22 @@ echo "${bold}Applying configuration...${norm}" kubectl apply -k "${DIR}" LOGLINE="Agent attestation request completed" -for ((i=0;i<120;i++)); do - if ! kubectl -nspire rollout status deployment/spire-server; then - sleep 1 - continue - fi - if ! kubectl -nspire rollout status daemonset/spire-agent; then - sleep 1 - continue - fi - if ! kubectl -nspire logs deployment/spire-server -c spire-server | grep -e "$LOGLINE" ; then - sleep 1 - continue - fi - echo "${bold}Node attested.${norm}" - GOOD=1 - exit 0 +for ((i = 0; i < 120; i++)); do + if ! kubectl -nspire rollout status deployment/spire-server; then + sleep 1 + continue + fi + if ! kubectl -nspire rollout status daemonset/spire-agent; then + sleep 1 + continue + fi + if ! kubectl -nspire logs deployment/spire-server -c spire-server | grep -e "$LOGLINE"; then + sleep 1 + continue + fi + echo "${bold}Node attested.${norm}" + GOOD=1 + exit 0 done echo "${red}Timed out waiting for node to attest.${norm}" diff --git a/examples/k8s/simple_psat/README.md b/examples/k8s/simple_psat/README.md index 9054aa5..bab06c5 100644 --- a/examples/k8s/simple_psat/README.md +++ b/examples/k8s/simple_psat/README.md 
@@ -8,27 +8,10 @@ This configuration is an example of a simple SPIRE 1.5.1 deployment for Kubernet Both SPIRE agent and server run in the **spire** namespace, using service accounts of **spire-server** and **spire-agent**. -Also RBAC authorization policies are set in order to guarantee access to certain API server resources. +Also, RBAC authorization policies are set in order to guarantee access to certain API server resources. ## Usage -### Configuration - -The following flags must be passed to the Kubernetes API server to properly run this PSAT attestor example: -+ `service-account-signing-key-file` -+ `service-account-key-file` -+ `service-account-issuer` -+ `service-account-api-audiences` - -If you are using minikube, make sure it is started as follows: -``` -minikube start --driver=virtualbox \ - --extra-config=apiserver.authorization-mode=Node,RBAC \ - --extra-config=apiserver.service-account-signing-key-file=/var/lib/minikube/certs/sa.key \ - --extra-config=apiserver.service-account-key-file=/var/lib/minikube/certs/sa.pub \ - --extra-config=apiserver.service-account-issuer=api \ - --extra-config=apiserver.service-account-api-audiences=api,spire-server -``` ### Deployment @@ -45,3 +28,8 @@ $ kubectl apply -f spire-agent.yaml ``` The agent should automatically attest to SPIRE server. + +## Test + +Simply run `./test.sh`, this script will start a cluster using [kind](https://kind.sigs.k8s.io/), deploy spire server and +agent, and run a simple test to verify the node attestation process using PSAT NodeAttestor. diff --git a/examples/k8s/simple_psat/spire-agent.yaml b/examples/k8s/simple_psat/spire-agent.yaml index 2dab7e9..0b537bc 100644 --- a/examples/k8s/simple_psat/spire-agent.yaml +++ b/examples/k8s/simple_psat/spire-agent.yaml @@ -1,3 +1,4 @@ +# Service Account for spire-agent apiVersion: v1 kind: ServiceAccount metadata: 
@@ -34,6 +35,7 @@ roleRef: --- +# Config map for the spire-agent, which contains the agent configuration file and the trust bundle certificate apiVersion: v1 kind: ConfigMap metadata: @@ -101,6 +103,7 @@ data: --- +# DaemonSet for the spire-agent apiVersion: apps/v1 kind: DaemonSet metadata: diff --git a/examples/k8s/simple_psat/spire-server.yaml b/examples/k8s/simple_psat/spire-server.yaml index 8004407..e385ead 100644 --- a/examples/k8s/simple_psat/spire-server.yaml +++ b/examples/k8s/simple_psat/spire-server.yaml @@ -1,3 +1,4 @@ +# Create a namespace for spire-server apiVersion: v1 kind: Namespace metadata: @@ -5,6 +6,7 @@ metadata: --- +# Service account for the spire-server apiVersion: v1 kind: ServiceAccount metadata: @@ -44,6 +46,7 @@ roleRef: --- +# Create the upstream authority private key apiVersion: v1 kind: Secret metadata: @@ -55,6 +58,7 @@ data: --- +# Config map for the spire-server, which contains the server configuration file apiVersion: v1 kind: ConfigMap metadata: @@ -130,6 +134,7 @@ data: --- +# Stateful set for the spire-server apiVersion: apps/v1 kind: StatefulSet metadata: diff --git a/examples/k8s/simple_psat/test.sh b/examples/k8s/simple_psat/test.sh index 9bbc182..7932644 100755 --- a/examples/k8s/simple_psat/test.sh +++ b/examples/k8s/simple_psat/test.sh @@ -1,6 +1,6 @@ #!/bin/bash -DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" +DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" bold=$(tput bold) || true norm=$(tput sgr0) || true 
@@ -9,33 +9,47 @@ green=$(tput setaf 2) || true yellow=$(tput setaf 3) || true fail() { - echo "${red}$*${norm}." - exit 1 + echo "${red}$*${norm}." + exit 1 +} + +create-cluster() { + if ! kind get clusters | grep demo-cluster; then + kind create cluster -n demo-cluster || fail "Failed to create cluster" + fi +} + +delete-cluster() { + if [ "${KEEP_CLUSTER:-0}" -eq 0 ]; then + kind delete cluster -n demo-cluster >/dev/null + fi } delete-ns() { - echo "${bold}Cleaning up...${norm}" - kubectl delete --ignore-not-found namespace spire > /dev/null + echo "${bold}Cleaning up...${norm}" + kubectl delete --ignore-not-found namespace spire >/dev/null } cleanup() { - if [ -z "${GOOD}" ]; then - echo "${yellow}Dumping statefulset/spire-server logs...${norm}" - kubectl -nspire logs statefulset/spire-server --all-containers - echo "${yellow}Dumping daemonset/spire-agent logs...${norm}" - kubectl -nspire logs daemonset/spire-agent --all-containers - fi - delete-ns - if [ -n "${GOOD}" ]; then - echo "${green}Success.${norm}" - else - echo "${red}Failed.${norm}" - fi + delete-cluster + if [ -z "${GOOD}" ]; then + echo "${yellow}Dumping statefulset/spire-server logs...${norm}" + kubectl -nspire logs statefulset/spire-server --all-containers + echo "${yellow}Dumping daemonset/spire-agent logs...${norm}" + kubectl -nspire logs daemonset/spire-agent --all-containers + fi + delete-ns + if [ -n "${GOOD}" ]; then + echo "${green}Success.${norm}" + else + echo "${red}Failed.${norm}" + fi } trap cleanup EXIT echo "${bold}Preparing environment...${norm}" +create-cluster delete-ns kubectl create namespace spire 
@@ -43,22 +57,22 @@ echo "${bold}Applying configuration...${norm}" kubectl apply -k "${DIR}" LOGLINE="Agent attestation request completed" -for ((i=0;i<120;i++)); do - if ! kubectl -nspire rollout status statefulset/spire-server; then - sleep 1 - continue - fi - if ! kubectl -nspire rollout status daemonset/spire-agent; then - sleep 1 - continue - fi - if ! kubectl -nspire logs statefulset/spire-server -c spire-server | grep -e "$LOGLINE" ; then - sleep 1 - continue - fi - echo "${bold}Node attested.${norm}" - GOOD=1 - exit 0 +for ((i = 0; i < 120; i++)); do + if ! kubectl -nspire rollout status statefulset/spire-server; then + sleep 1 + continue + fi + if ! kubectl -nspire rollout status daemonset/spire-agent; then + sleep 1 + continue + fi + if ! kubectl -nspire logs statefulset/spire-server -c spire-server | grep -e "$LOGLINE"; then + sleep 1 + continue + fi + echo "${bold}Node attested.${norm}" + GOOD=1 + exit 0 done echo "${red}Timed out waiting for node to attest.${norm}" diff --git a/examples/k8s/simple_sat/README.md b/examples/k8s/simple_sat/README.md index 0e38907..95783f5 100644 --- a/examples/k8s/simple_sat/README.md +++ b/examples/k8s/simple_sat/README.md @@ -31,3 +31,9 @@ Start the agent DaemonSet: ``` $ kubectl apply -f spire-agent.yaml ``` + +## Test + +Simply run `./test.sh`, this script will start a cluster using [kind](https://kind.sigs.k8s.io/), deploy spire server and +agent, and run a simple test to verify the node attestation process using SAT NodeAttestor. + diff --git a/examples/k8s/simple_sat/spire-agent.yaml b/examples/k8s/simple_sat/spire-agent.yaml index e0d5653..2edf2b3 100644 --- a/examples/k8s/simple_sat/spire-agent.yaml +++ b/examples/k8s/simple_sat/spire-agent.yaml @@ -1,3 +1,4 @@ +# Service account for the spire-agent apiVersion: v1 kind: ServiceAccount metadata: 
@@ -6,6 +7,7 @@ metadata: --- +# Config map for the spire-agent, which contains the agent configuration file and the trust bundle certificate apiVersion: v1 kind: ConfigMap metadata: @@ -73,6 +75,7 @@ data: --- +# Daemonset for spire-agent apiVersion: apps/v1 kind: DaemonSet metadata: @@ -100,11 +103,11 @@ spec: # you prefer that waits for a service to be up. This image is built # from https://github.com/lqhl/wait-for-it image: gcr.io/spiffe-io/wait-for-it - args: ["-t", "30", "spire-server:8081"] + args: [ "-t", "30", "spire-server:8081" ] containers: - name: spire-agent image: ghcr.io/spiffe/spire-agent:1.5.1 - args: ["-config", "/run/spire/config/agent.conf"] + args: [ "-config", "/run/spire/config/agent.conf" ] volumeMounts: - name: spire-config mountPath: /run/spire/config diff --git a/examples/k8s/simple_sat/spire-server.yaml b/examples/k8s/simple_sat/spire-server.yaml index ddb8842..652f455 100644 --- a/examples/k8s/simple_sat/spire-server.yaml +++ b/examples/k8s/simple_sat/spire-server.yaml @@ -1,3 +1,4 @@ +# Create the spire namespace apiVersion: v1 kind: Namespace metadata: @@ -5,6 +6,7 @@ metadata: --- +# Service account for the spire-server apiVersion: v1 kind: ServiceAccount metadata: 
@@ -13,6 +15,36 @@ metadata: --- +# Cluster role allowed to create resource "tokenreviews" in API group "authentication.k8s.io". +# This is required by the spire-server to authenticate agents using [Token Review API](https://kubernetes.io/docs/reference/kubernetes-api/authentication-resources/token-review-v1/) +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: spire-server +rules: + - apiGroups: [ "authentication.k8s.io" ] + resources: [ "tokenreviews" ] + verbs: [ "create" ] + +--- + +# Bind the spire-server service account to the role created above +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: spire-server +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: spire-server +subjects: + - kind: ServiceAccount + name: spire-server + namespace: spire + +--- + +# Create the upstream authority private key apiVersion: v1 kind: Secret metadata: @@ -24,6 +56,7 @@ data: --- +# Config map for the spire-server, which contains the server configuration file apiVersion: v1 kind: ConfigMap metadata: @@ -56,7 +89,7 @@ data: plugin_data { clusters = { "demo-cluster" = { - service_account_key_file = "/run/k8s-certs/sa.pub" + use_token_review_api_validation = true service_account_allow_list = ["spire:spire-agent"] } } @@ -100,6 +133,7 @@ data: --- +# Create the spire-server stateful set apiVersion: apps/v1 kind: StatefulSet metadata: @@ -123,7 +157,7 @@ spec: containers: - name: spire-server image: ghcr.io/spiffe/spire-server:1.5.1 - args: ["-config", "/run/spire/config/server.conf"] + args: [ "-config", "/run/spire/config/server.conf" ] ports: - containerPort: 8081 volumeMounts: @@ -136,9 +170,6 @@ spec: - name: spire-data mountPath: /run/spire/data readOnly: false - - name: k8s-sa-cert - mountPath: /run/k8s-certs/sa.pub - readOnly: true livenessProbe: httpGet: path: /live 
@@ -160,10 +191,6 @@ spec: - name: spire-secrets secret: secretName: spire-server - - name: k8s-sa-cert - hostPath: - path: /var/lib/minikube/certs/sa.pub - type: File volumeClaimTemplates: - metadata: name: spire-data @@ -177,6 +204,7 @@ spec: --- +# Create the spire-server service binding to the spire-server stateful set apiVersion: v1 kind: Service metadata: diff --git a/examples/k8s/simple_sat/test.sh b/examples/k8s/simple_sat/test.sh index 9bbc182..55dbfd4 100755 --- a/examples/k8s/simple_sat/test.sh +++ b/examples/k8s/simple_sat/test.sh @@ -1,6 +1,6 @@ #!/bin/bash -DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" +DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" bold=$(tput bold) || true norm=$(tput sgr0) || true 
@@ -9,33 +9,46 @@ green=$(tput setaf 2) || true yellow=$(tput setaf 3) || true fail() { - echo "${red}$*${norm}." - exit 1 + echo "${red}$*${norm}." + exit 1 +} + +create-cluster() { + if ! kind get clusters | grep demo-cluster; then + kind create cluster -n demo-cluster || fail "Failed to create cluster" + fi +} + +delete-cluster() { + if [ "${KEEP_CLUSTER:-0}" -eq 0 ]; then + kind delete cluster -n demo-cluster >/dev/null + fi } delete-ns() { - echo "${bold}Cleaning up...${norm}" - kubectl delete --ignore-not-found namespace spire > /dev/null + echo "${bold}Cleaning up...${norm}" } cleanup() { - if [ -z "${GOOD}" ]; then - echo "${yellow}Dumping statefulset/spire-server logs...${norm}" - kubectl -nspire logs statefulset/spire-server --all-containers - echo "${yellow}Dumping daemonset/spire-agent logs...${norm}" - kubectl -nspire logs daemonset/spire-agent --all-containers - fi - delete-ns - if [ -n "${GOOD}" ]; then - echo "${green}Success.${norm}" - else - echo "${red}Failed.${norm}" - fi + delete-cluster + if [ -z "${GOOD}" ]; then + echo "${yellow}Dumping statefulset/spire-server logs...${norm}" + kubectl -nspire logs statefulset/spire-server --all-containers + echo "${yellow}Dumping daemonset/spire-agent logs...${norm}" + kubectl -nspire logs daemonset/spire-agent --all-containers + fi + delete-ns + if [ -n "${GOOD}" ]; then + echo "${green}Success.${norm}" + else + echo "${red}Failed.${norm}" + fi } trap cleanup EXIT echo "${bold}Preparing environment...${norm}" +create-cluster delete-ns kubectl create namespace spire 
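Review bot: `delete-ns` in this file loses the `kubectl delete --ignore-not-found namespace spire` call and now only prints "Cleaning up...", unlike the otherwise identical functions in postgres/test.sh and simple_psat/test.sh; with `KEEP_CLUSTER=1` (as test-all.sh runs it) the `spire` namespace and its workloads are left behind, and the "Preparing environment" step's `delete-ns` followed by `kubectl create namespace spire` no longer resets state on a rerun. This looks like an accidental drop during the re-indent; restore `kubectl delete --ignore-not-found namespace spire >/dev/null` as the second line of the function.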
@@ -43,22 +56,22 @@ echo "${bold}Applying configuration...${norm}" kubectl apply -k "${DIR}" LOGLINE="Agent attestation request completed" -for ((i=0;i<120;i++)); do - if ! kubectl -nspire rollout status statefulset/spire-server; then - sleep 1 - continue - fi - if ! kubectl -nspire rollout status daemonset/spire-agent; then - sleep 1 - continue - fi - if ! kubectl -nspire logs statefulset/spire-server -c spire-server | grep -e "$LOGLINE" ; then - sleep 1 - continue - fi - echo "${bold}Node attested.${norm}" - GOOD=1 - exit 0 +for ((i = 0; i < 120; i++)); do + if ! kubectl -nspire rollout status statefulset/spire-server; then + sleep 1 + continue + fi + if ! kubectl -nspire rollout status daemonset/spire-agent; then + sleep 1 + continue + fi + if ! kubectl -nspire logs statefulset/spire-server -c spire-server | grep -e "$LOGLINE"; then + sleep 1 + continue + fi + echo "${bold}Node attested.${norm}" + GOOD=1 + exit 0 done echo "${red}Timed out waiting for node to attest.${norm}" diff --git a/examples/k8s/test-all.sh b/examples/k8s/test-all.sh index 848379b..390740e 100755 --- a/examples/k8s/test-all.sh +++ b/examples/k8s/test-all.sh @@ -1,6 +1,6 @@ #!/bin/bash -DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" +DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" bold=$(tput bold) || true norm=$(tput sgr0) || true 
@@ -8,31 +8,36 @@ red=$(tput setaf 1) || true green=$(tput setaf 2) || true fail() { - echo "${red}$*${norm}." - exit 1 + echo "${red}$*${norm}." + exit 1 } echo "${bold}Checking for kubectl...${norm}" -command -v kubectl > /dev/null || fail "kubectl is required." +command -v kubectl >/dev/null || fail "kubectl is required." -echo "${bold}Checking minikube status...${norm}" -minikube status || fail "minikube isn't running" +echo "${bold}Checking kind status...${norm}" +if ! kind get clusters | grep demo-cluster; then + kind create cluster -n demo-cluster || fail "Failed to create cluster" +fi echo "${bold}Running all tests...${norm}" for testdir in "${DIR}"/*; do - if [[ -x "${testdir}/test.sh" ]]; then - testname=$(basename "$testdir") - echo "${bold}Running \"$testname\" test...${norm}" - if ${testdir}/test.sh; then - echo "${green}\"$testname\" test succeeded${norm}" - else - echo "${red}\"$testname\" test failed${norm}" - FAILED=true - fi - fi + if [[ -x "${testdir}/test.sh" ]]; then + testname=$(basename "$testdir") + echo "${bold}Running \"$testname\" test...${norm}" + if KEEP_CLUSTER=1 ${testdir}/test.sh; then + echo "${green}\"$testname\" test succeeded${norm}" + else + echo "${red}\"$testname\" test failed${norm}" + FAILED=true + fi + fi done +echo "${bold}Deleting cluster...${norm}" +kind delete cluster -n demo-cluster >/dev/null + if [ -n "${FAILED}" ]; then - fail "There were test failures" + fail "There were test failures" fi echo "${bold}Done.${norm}" From 68bcbdb96e487affb31b6c12c0268005fa070eea Mon Sep 17 00:00:00 2001 From: Guilherme Carvalho Date: Wed, 8 Mar 2023 10:27:12 -0300 Subject: [PATCH 2/2] Fix typos and add deprecation note on k8s_workload_registrar example Signed-off-by: Guilherme Carvalho --- README.md | 2 +- examples/envoy/README.md | 2 +- examples/k8s/advanced/README.md | 7 ++++++- 3 files changed, 8 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 5400c8c..4a6ff7b 100644 --- a/README.md +++ b/README.md 
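Review bot: The new `kind delete cluster -n demo-cluster` runs only when the test loop completes normally; there is no `trap`, so an interrupted run (Ctrl-C, or a `fail` added later inside the loop) leaves the kind cluster running, whereas the per-example test.sh scripts do tie cleanup to `EXIT`. Registering `trap 'kind delete cluster -n demo-cluster >/dev/null' EXIT` immediately after the cluster-creation block, in place of the unconditional delete at the end, keeps the same happy-path behaviour and also covers the `fail "There were test failures"` exit. The cluster check here is the same `grep demo-cluster` substring match noted for the test.sh scripts; `grep -qx demo-cluster` would make it exact and silent.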
@@ -4,7 +4,7 @@ Hello, and welcome to SPIRE examples! -This repository houses various SPIFFE/SPIRE deployment and integration examples. All examples are self contained, and come with instructions on how to use them. +This repository houses various SPIFFE/SPIRE deployment and integration examples. All examples are self-contained, and come with instructions on how to use them. The SPIRE project is growing rapidly, and new features are released often. In order to ensure the accuracy of accompanying documentation, each example is written against a specific version of SPIRE. All examples are regularly tested against the stated SPIRE version, but are likely to work with newer versions as well. diff --git a/examples/envoy/README.md b/examples/envoy/README.md index 372cb05..09cf34d 100644 --- a/examples/envoy/README.md +++ b/examples/envoy/README.md @@ -43,7 +43,7 @@ Open up a browser to http://localhost:8080 to test out: - mTLS connection between Web and Echo servers via Envoy - TLS connection between Web and Echo servers via Envoy -**NOTE** It may take a 30 seconds or so for Envoy to reconnect to upstream +**NOTE** It may take 30 seconds or so for Envoy to reconnect to upstream after the registration entries are created. ## Clean up diff --git a/examples/k8s/advanced/README.md b/examples/k8s/advanced/README.md index dc5d0a9..d3c405d 100644 --- a/examples/k8s/advanced/README.md +++ b/examples/k8s/advanced/README.md 
@@ -9,4 +9,9 @@ The Kubernetes cluster is running SPIRE and spiffe-helper, and spiffe-helper is to push certificates into a Postgres database for authentication. Because spiffe-helper has to be inside the same image as the Postgres server, these scripts -create a new image containg Postgres and spiffe-helper. +create a new image containing Postgres and spiffe-helper. + + +> **Deprecation Note** +> k8s-workload-registrar is deprecated, we recommend using the [spire-controller-manager](https://github.com/spiffe/spire-controller-manager), +> which is a Kubernetes controller used to manage registration entries and federation. A demo can be found [here](https://github.com/spiffe/spire-controller-manager/tree/main/demo)