
Deploy SPIRL Trust Domain Servers

You'll use SPIRL's Helm chart to deploy Trust Domain servers in your Kubernetes cluster.

Here is an example of the Helm chart values.yaml file. Adjust it to your needs. Note that the pem value is the trust domain deployment's private key: keep this file out of version control, or leave pem empty in the committed copy and supply the key at install time with Helm's --set-file trustDomainDeployment.controlPlane.auth.key.pem=<path-to-key.pem>.

# SPIRL Trust Domain Server Settings

trustDomainDeployment:
  # Trust domain name and ID come from the "spirlctl trust-domain register" command.
  # You can always find them again using "spirlctl trust-domain list".
  trustDomainName: "spirl.example.com"
  trustDomainID: "td-diok4t8ahq"

  # The trust domain deployment ID is generated by the
  # "spirlctl trust-domain deployment create" command. You can always find it again
  # using "spirlctl trust-domain deployment list".
  id: "tdd-nnlo6k3t3o"

  # The "name" corresponds to the value passed to
  # "spirlctl trust-domain deployment create" during deployment creation. You can always
  # find it again using "spirlctl trust-domain deployment list".
  name: "us-west-2"

  controlPlane:
    auth:
      key:
        # Trust Domain Key ID from "spirlctl trust-domain register" command output
        id: "tdk-jj6lzk6pep"
        # Private Key from "spirlctl trust-domain key create" command output
        pem: |
          -----BEGIN PRIVATE KEY-----
          MC4CAQAwBQYDK2VwBCIEIOeg6Cet10sqNY0dPHV3MXKNyxGgrmKeMN0PZKGS+6iB
          -----END PRIVATE KEY-----

Setting up a Load Balancer for the SPIRL Trust Domain Server

To connect the SPIRL Agents to the SPIRL Trust Domain Server you will need to set up a domain name for the agent endpoint on the Trust Domain Servers. Putting a Load Balancer in front of this endpoint is recommended so that the Trust Domain Server stays reachable when individual replicas are replaced.

Before getting started you will need a TLS certificate for the agent endpoint domain name.

Application Load Balancer

You can set up a Kubernetes Ingress with a Load Balancer by enabling the ingress in the Helm chart values.

Below is an example configuration that sets up an AWS Application Load Balancer:

trustDomainDeployment:
  ingress:
    enabled: true
    annotations:
      alb.ingress.kubernetes.io/scheme: internet-facing
      alb.ingress.kubernetes.io/target-type: ip
      alb.ingress.kubernetes.io/backend-protocol: HTTP
      alb.ingress.kubernetes.io/backend-protocol-version: GRPC
      alb.ingress.kubernetes.io/certificate-arn: <YOUR-CERT-ARN>
      alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
      alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-TLS13-1-2-2021-06
      alb.ingress.kubernetes.io/success-codes: "0-99"
      alb.ingress.kubernetes.io/target-group-attributes: load_balancing.algorithm.type=least_outstanding_requests
      alb.ingress.kubernetes.io/healthcheck-path: /grpc.health.v1.Health/Check
    hosts:
      - host: <YOUR-CERT-DOMAIN-NAME>
        paths:
          - path: /
            pathType: Prefix
    className: alb

Replace <YOUR-CERT-DOMAIN-NAME> with a domain name that you own and <YOUR-CERT-ARN> with the ARN of the ACM certificate issued for that domain name. Note that backend-protocol: HTTP means the ALB terminates TLS and forwards plaintext gRPC to the server pods, so the hop from the ALB into the cluster network is unencrypted, just as with the NLB configuration below.

Once the Trust Domain Server has been deployed, get the address of the Ingress (use the namespace you passed to helm when installing the chart):

kubectl get ingress tdd-<TDD_ID>-spirl-server-agent -n tdd-<TDD_ID>

Create a DNS record (Route53, Cloudflare) with your DNS provider to point your agent endpoint domain name to the Ingress address.

Network Load Balancer

To set up an AWS Network Load Balancer you can modify the Kubernetes Service for the Trust Domain Server using the Helm chart values.

trustDomainDeployment:
  service:
    annotations:
      service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
      service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing"
      # TLS termination at NLB
      service.beta.kubernetes.io/aws-load-balancer-ssl-cert: <YOUR-CERT-ARN>
      service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
      service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "tcp"
    port: 443
    type: LoadBalancer

Replace <YOUR-CERT-ARN> with the ARN of the ACM certificate issued for the domain name you will use for the agent endpoint.

Note that this sets up an NLB with TLS termination: the connection from the agent to the NLB uses TLS, but the connection from the NLB to the server pods is unencrypted, so the cluster network path between the NLB and the server must be one you trust.

Once the Trust Domain Server has been deployed, get the "EXTERNAL-IP" of the Service (use the namespace you passed to helm when installing the chart):

kubectl get services tdd-<TDD_ID>-spirl-server-agent -n tdd-<TDD_ID>

Create a DNS record (Route53, Cloudflare) with your DNS provider to point your agent endpoint domain name to the "EXTERNAL-IP" address of the Service.

Testing the Agent Endpoint

Once you have set up a Load Balancer for the agent endpoint, you can test it using grpcurl. grpcurl uses TLS by default and verifies the server certificate against the system trust store, so a successful call also confirms that the certificate presented by the load balancer is valid for the hostname; do not add -insecure or -plaintext to make the check pass.

$ grpcurl <agent-endpoint>:443 grpc.health.v1.Health/Check

If everything is setup correctly you should see a response like:

{
"status": "SERVING"
}

Download the latest SPIRL Trust Domain Server Helm Chart

You can download the latest version of the Helm chart by running the following command.

helm pull oci://ghcr.io/spirl/charts/spirl-server -d .

Deploy SPIRL Trust Domain Servers

You can deploy SPIRL Trust Domain Servers using the following command. Note that:

  1. The --namespace value must contain the trustDomainDeployment.id defined in values.yaml.
  2. The Helm RELEASE argument must equal the trustDomainDeployment.id defined in values.yaml.

Replace the chart filename with the one that helm pull downloaded.

helm upgrade --install --namespace $YOUR_TD_DEPLOYMENT_ID-example \
  --create-namespace \
  --values ./values.yaml \
  $YOUR_TD_DEPLOYMENT_ID ./spirl-server-0.27.1.tgz

The command should produce output similar to the following:

Release "tdd-nnlo6k3t3o" does not exist. Installing it now.
NAME: tdd-nnlo6k3t3o
LAST DEPLOYED: Tue Dec 19 08:28:26 2023
NAMESPACE: tdd-nnlo6k3t3o-example
STATUS: deployed
REVISION: 1
TEST SUITE: None
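As an added example (not part of SPIRL's documentation or tooling), the following POSIX shell script enforces the two rules above before Helm is invoked: it reads trustDomainDeployment.id from values.yaml, refuses a release name or namespace that does not match it, prints the resulting helm command, and optionally supplies the private key with Helm's --set-file so the key never has to sit in the committed values file. The values layout it parses (id quoted, at two-space indent under trustDomainDeployment) and the placeholder IDs in the sample file are assumptions.

```shell
#!/bin/sh
# Added example, not SPIRL's own tooling: validate release/namespace against
# trustDomainDeployment.id before running helm upgrade --install.
# Assumes values.yaml is laid out as on this page: trustDomainDeployment at
# top level, its "id:" key quoted and at exactly two-space indent.
set -eu

# Print trustDomainDeployment.id. The key ID under controlPlane.auth.key sits
# deeper, so anchoring on exactly two leading spaces keeps the two apart.
tdd_id_from_values() {
  sed -n 's/^  id: *"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Check RELEASE and NAMESPACE against the id in VALUES.
# Returns 0 when both rules hold, 1 otherwise (reason on stderr).
check_release_and_namespace() {
  release="$1"; namespace="$2"; values="$3"
  tdd=$(tdd_id_from_values "$values")
  if [ -z "$tdd" ]; then
    echo "no trustDomainDeployment.id found in $values" >&2; return 1
  fi
  if [ "$release" != "$tdd" ]; then
    echo "release '$release' must equal trustDomainDeployment.id '$tdd'" >&2; return 1
  fi
  case "$namespace" in
    *"$tdd"*) ;;
    *) echo "namespace '$namespace' must contain '$tdd'" >&2; return 1 ;;
  esac
  return 0
}

# Print the helm command from this page once the checks pass. An optional
# fifth argument names a PEM file to inject via --set-file, so the committed
# values.yaml can carry pem: "" instead of the private key.
helm_install_cmd() {
  release="$1"; namespace="$2"; values="$3"; chart="$4"; keyfile="${5:-}"
  check_release_and_namespace "$release" "$namespace" "$values" || return 1
  extra=""
  if [ -n "$keyfile" ]; then
    extra=" --set-file trustDomainDeployment.controlPlane.auth.key.pem=$keyfile"
  fi
  printf 'helm upgrade --install --namespace %s --create-namespace --values %s%s %s %s\n' \
    "$namespace" "$values" "$extra" "$release" "$chart"
}

# Constructed sample values file; the IDs are placeholders, not real deployments.
SAMPLE_VALUES=$(mktemp)
trap 'rm -f "$SAMPLE_VALUES"' EXIT
cat > "$SAMPLE_VALUES" <<'EOF'
trustDomainDeployment:
  trustDomainName: "spirl.example.com"
  trustDomainID: "td-aaaaaaaaaa"
  id: "tdd-bbbbbbbbbb"
  name: "us-west-2"
  controlPlane:
    auth:
      key:
        id: "tdk-cccccccccc"
        pem: ""   # supplied at install time via --set-file, not committed
EOF

# Good invocation: prints the command to run (review it, then run it).
helm_install_cmd tdd-bbbbbbbbbb tdd-bbbbbbbbbb-example "$SAMPLE_VALUES" \
  ./spirl-server-0.27.1.tgz ./tdd-bbbbbbbbbb-key.pem
# Bad invocation: release name differs from the id, so nothing is printed and
# the function returns 1 instead of letting helm create a mismatched release.
helm_install_cmd wrong-name tdd-bbbbbbbbbb-example "$SAMPLE_VALUES" \
  ./spirl-server-0.27.1.tgz || true
```

The script only prints the helm command; pipe the output to sh once you have checked it. Keeping the key in a separate PEM file that is readable only by the operator, and passing it with --set-file, means the values file can be reviewed and committed without exposing the trust domain deployment's private key.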