github.com/cilium/cilium@v1.16.2/Documentation/network/servicemesh/mutual-authentication/installation.rst

Prerequisites
#############

* Mutual authentication is currently supported only with SPIFFE APIs for certificate management.
* The Cilium Helm chart includes an option to deploy a SPIRE server for mutual authentication. You may also deploy your own SPIRE server and configure Cilium to use it.

Installation
############

.. Note::

    The default installation requires `PersistentVolumeClaim <https://kubernetes.io/docs/concepts/storage/persistent-volumes/>`_
    support in the cluster, so please check with your cluster provider whether it is supported and how to enable it.

    For a lab or local cluster, you can switch to in-memory storage by passing ``authentication.mutual.spire.install.server.dataStorage.enabled=false``
    to the installation command, at the cost of re-creating all data when the SPIRE server pod is restarted.


.. tabs::

    .. group-tab:: Cilium CLI

        .. include:: ../../../installation/cli-download.rst

        You can enable mutual authentication and its associated SPIRE server with the following command.
        This command requires the Cilium CLI Helm mode version 0.15 or later.

        .. code-block:: shell-session

            $ cilium install \
                --set authentication.mutual.spire.enabled=true \
                --set authentication.mutual.spire.install.enabled=true

        Next, you can check the status of the Cilium agent and operator:

        .. code-block:: shell-session

            $ cilium status

    .. group-tab:: Helm

        The Cilium Helm chart includes an option to deploy a SPIRE server for mutual authentication.
        You may also deploy your own SPIRE server and configure Cilium to use it.
        Please refer to :ref:`k8s_install_helm` for a fresh installation.

        .. parsed-literal::

            $ helm install cilium |CHART_RELEASE| \\
                --namespace kube-system \\
                --set authentication.mutual.spire.enabled=true \\
                --set authentication.mutual.spire.install.enabled=true

            $ kubectl -n kube-system rollout restart deployment/cilium-operator
            $ kubectl -n kube-system rollout restart ds/cilium

        Next, you can check the status of the Cilium agent and operator:

        .. code-block:: shell-session

            $ cilium status

        .. include:: ../../../installation/cli-download.rst
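
The storage choice described in the installation note can be derived from the cluster's StorageClass listing before running the install command. The following is an added example, not part of the Cilium documentation or code base. The function name ``spire_install_flags``, the sample listings, and the rule that a StorageClass marked ``(default)`` is what satisfies the SPIRE server's PersistentVolumeClaim are assumptions.

```shell
#!/bin/sh
# Added example, not Cilium project code. Assumption: a StorageClass marked
# "(default)" is what lets the SPIRE server's PersistentVolumeClaim bind.

# Constructed sample `kubectl get storageclass` listings (not real output).
SAMPLE_WITH_DEFAULT='NAME                 PROVISIONER                    RECLAIMPOLICY
standard (default)   rancher.io/local-path          Delete'
SAMPLE_NO_DEFAULT='NAME     PROVISIONER                    RECLAIMPOLICY
manual   kubernetes.io/no-provisioner   Delete'

# Reads a `kubectl get storageclass` listing on stdin and prints the --set
# flags for the `cilium install` or `helm install` command from this page.
spire_install_flags() {
    flags="--set authentication.mutual.spire.enabled=true"
    flags="$flags --set authentication.mutual.spire.install.enabled=true"
    # Skip the header row; the default class carries "(default)" as field 2.
    if ! awk 'NR > 1 && $2 == "(default)" { found = 1 } END { exit !found }'; then
        # No default class: fall back to in-memory storage. SPIRE server data
        # is then re-created whenever the server pod restarts.
        echo "warning: no default StorageClass, SPIRE data will not persist" >&2
        flags="$flags --set authentication.mutual.spire.install.server.dataStorage.enabled=false"
    fi
    printf '%s\n' "$flags"
}

# Demonstration on the constructed samples. Against a live cluster:
#   kubectl get storageclass | spire_install_flags
printf '%s\n' "$SAMPLE_WITH_DEFAULT" | spire_install_flags
printf '%s\n' "$SAMPLE_NO_DEFAULT" | spire_install_flags
```

The in-memory fallback is suitable only for the lab or local clusters the note mentions, since every SPIRE server restart discards its stored data.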