istio.io/istio@v0.0.0-20240520182934-d79c90f27776/samples/security/spire/README.md

# Integrating SPIRE as a CA through Envoy's SDS API

This sample deploys a setup of [SPIRE](https://github.com/spiffe/spire) (the SPIFFE Runtime Environment) as an example of integrating with [Envoy's SDS](https://www.envoyproxy.io/docs/envoy/latest/configuration/security/secret) API. For more information on the SPIFFE specs, refer to the [SPIFFE Overview](https://spiffe.io/docs/latest/spiffe-about/overview/).

Once SPIRE is deployed and integrated with Istio, this sample deploys a modified version of the [sleep](/samples/sleep/README.md) service and validates that its [identity](https://spiffe.io/docs/latest/spiffe-about/spiffe-concepts/#spiffe-verifiable-identity-document-svid) was issued by SPIRE. Workload registration is handled by the [SPIRE Controller Manager](https://github.com/spiffe/spire-controller-manager).

See [Istio CA Integration with SPIRE](https://istio.io/latest/docs/ops/integrations/spire) for further details about this integration.

## Deploy the integration

1. Deploy SPIRE. For proper socket injection, this **must** be done prior to installing Istio in your cluster:

    ```bash
    $ kubectl apply -f spire-quickstart.yaml
    ```

1. Ensure that the deployment is complete before moving to the next step. This can be verified by waiting for the `spire-agent` pod to become ready:

    ```bash
    $ kubectl wait pod --for=condition=ready -n spire -l app=spire-agent
    ```

1. Install Istio using the provided configuration profile (requires istioctl v1.14+):

    ```bash
    $ istioctl install -f istio-spire-config.yaml
    ```

1. Create a ClusterSPIFFEID that generates a registration entry for every workload carrying the `spiffe.io/spire-managed-identity: true` label:

    ```bash
    $ kubectl apply -f clusterspiffeid.yaml
    ```

1. Add the `spiffe.io/spire-managed-identity: true` label to the Ingress gateway Deployment:

    ```bash
    $ kubectl patch deployment istio-ingressgateway -n istio-system -p '{"spec":{"template":{"metadata":{"labels":{"spiffe.io/spire-managed-identity": "true"}}}}}'
    ```

1. Deploy the `sleep-spire.yaml` version of the [sleep](/samples/sleep/README.md) service, which injects the custom istio-agent template defined in `istio-spire-config.yaml` and carries the `spiffe.io/spire-managed-identity: true` label.

    If you have [automatic sidecar injection](https://istio.io/docs/setup/additional-setup/sidecar-injection/#automatic-sidecar-injection) enabled:

    ```bash
    $ kubectl apply -f sleep-spire.yaml
    ```

    Otherwise, manually inject the sidecar before applying:

    ```bash
    $ kubectl apply -f <(istioctl kube-inject -f sleep-spire.yaml)
    ```

1. Retrieve sleep's SVID identity document using the `istioctl proxy-config secret` command:

    ```bash
    $ export SLEEP_POD=$(kubectl get pod -l app=sleep -o jsonpath="{.items[0].metadata.name}")
    $ istioctl pc secret $SLEEP_POD -o json | jq -r \
    '.dynamicActiveSecrets[0].secret.tlsCertificate.certificateChain.inlineBytes' | base64 --decode > chain.pem
    ```

1. Inspect the certificate content and verify that SPIRE was the issuer:

    ```bash
    $ openssl x509 -in chain.pem -text | grep SPIRE
        Subject: C = US, O = SPIRE, CN = sleep-5d6df95bbf-kt2tt
    ```
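
As an added example (not part of the Istio sample), the following Python script selects both the workload SVID chain and the SPIRE trust bundle from the `istioctl proxy-config secret -o json` output by secret name rather than by array index, splits the chain into PEM blocks, and checks that the SPIFFE URI SAN (taken from `openssl x509 -noout -ext subjectAltName` output) matches the Istio identity `spiffe://<trust-domain>/ns/<namespace>/sa/<service-account>` expected for the sleep pod. The embedded JSON and certificate bodies are constructed placeholders; the secret names `default` and `ROOTCA` are the ones Envoy's SDS config dump uses.

```python
"""Select the workload SVID and SPIRE trust bundle from `istioctl proxy-config secret -o json`
and check the leaf's SPIFFE ID. Added example, not part of the Istio sample."""
import base64
import json
import re
from urllib.parse import urlparse

# Constructed stand-in for `istioctl pc secret $SLEEP_POD -o json`. The certificate bodies are
# placeholders; the layout (secret names "default" and "ROOTCA") follows Envoy's SDS config dump.
def _pem(label: str) -> bytes:
    return f"-----BEGIN CERTIFICATE-----\n{label}\n-----END CERTIFICATE-----\n".encode()

SAMPLE_SECRETS_JSON = json.dumps({"dynamicActiveSecrets": [
    {"name": "ROOTCA", "secret": {"validationContext": {"trustedCa": {
        "inlineBytes": base64.b64encode(_pem("ROOT")).decode()}}}},
    {"name": "default", "secret": {"tlsCertificate": {"certificateChain": {
        "inlineBytes": base64.b64encode(_pem("LEAF") + _pem("INTERMEDIATE")).decode()}}}},
]})

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----\n?", re.S)

def secret_pem(secrets_json: str, name: str) -> str:
    """Pick a dynamicActiveSecrets entry by name: relying on array position ([0]) may hand
    you the trust bundle instead of the workload chain."""
    for entry in json.loads(secrets_json)["dynamicActiveSecrets"]:
        if entry["name"] != name:
            continue
        secret = entry["secret"]
        node = (secret["tlsCertificate"]["certificateChain"] if "tlsCertificate" in secret
                else secret["validationContext"]["trustedCa"])
        return base64.b64decode(node["inlineBytes"]).decode()
    raise KeyError(f"no secret named {name!r} in the proxy config dump")

def split_chain(pem: str) -> list[str]:
    """Split a concatenated PEM chain into certificates; element 0 is the leaf SVID."""
    return PEM_BLOCK.findall(pem)

def spiffe_id_from_san(san_text: str) -> str:
    """Extract the SPIFFE URI from `openssl x509 -noout -ext subjectAltName` output."""
    match = re.search(r"URI:(spiffe://[^\s,]+)", san_text)
    if not match:
        raise ValueError("no spiffe:// URI SAN present; this certificate is not an SVID")
    return match.group(1)

def check_istio_identity(spiffe_id: str, trust_domain: str, namespace: str, sa: str) -> bool:
    """Istio workload identities have the shape spiffe://<trust-domain>/ns/<ns>/sa/<sa>."""
    url = urlparse(spiffe_id)
    return (url.scheme == "spiffe" and url.netloc == trust_domain
            and url.path == f"/ns/{namespace}/sa/{sa}")
```

Run `openssl x509 -in chain.pem -noout -ext subjectAltName` on the leaf written in step 7 and pass the output to `spiffe_id_from_san`; with the default `cluster.local` trust domain and the sleep pod running in the `default` namespace under the `sleep` service account (assumptions, not stated on this page), the expected identity is `spiffe://cluster.local/ns/default/sa/sleep`.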
    70  
## Tear down

1. Delete all deployments and configurations for the SPIRE Agent, Server, and namespace:

    ```bash
    $ kubectl delete namespace spire
    ```

1. Delete the ClusterRole, ClusterRoleBinding, Role, RoleBindings, ValidatingWebhookConfiguration, CSIDriver, and CustomResourceDefinition:

    ```bash
    $ kubectl delete clusterrole spire-server-cluster-role spire-agent-cluster-role manager-role
    $ kubectl delete clusterrolebinding spire-server-cluster-role-binding spire-agent-cluster-role-binding manager-role-binding
    $ kubectl delete role spire-server-role leader-election-role
    $ kubectl delete rolebinding spire-server-role-binding leader-election-role-binding
    $ kubectl delete ValidatingWebhookConfiguration spire-controller-manager-webhook
    $ kubectl delete csidriver csi.spiffe.io
    $ kubectl delete CustomResourceDefinition clusterspiffeids.spire.spiffe.io
    $ kubectl delete CustomResourceDefinition clusterfederatedtrustdomains.spire.spiffe.io
    ```