Deploy SPIRL Trust Domain Servers
You'll use SPIRL's Helm chart to deploy Trust Domain servers in your Kubernetes cluster.
Here is an example of the Helm chart values.yaml file. You should adjust it
to your needs.
# SPIRL Trust Domain Server Settings
trustDomainDeployment:
# Trust domain and ID come from the "spirlctl trust-domain register" command.
# You can always find them again using "spirlctl trust-domain list".
trustDomainName: "spirl.example.com"
trustDomainID: "td-diok4t8ahq"
# The trust domain deployment ID is generated from the
# "spirlctl trust-domain deployment create" command.
# You can always find them again using "spirlctl trust-domain deployment list".
id: "tdd-nnlo6k3t3o"
# The "name" corresponds to the value passed to
# "spirlctl trust-domain deployment create" during deployment creation.
# You can always find it again using "spirlctl trust-domain deployment list".
name: "us-west-2"
controlPlane:
auth:
key:
# Trust Domain Key ID from "spirlctl trust-domain register" command output
id: "tdk-jj6lzk6pep"
# Private Key from "spirlctl trust-domain key create" command output
pem: |
-----BEGIN PRIVATE KEY-----
MC4CAQAwBQYDK2VwBCIEIOeg6Cet10sqNY0dPHV3MXKNyxGgrmKeMN0PZKGS+6iB
-----END PRIVATE KEY-----
Setting up a Load Balancer to the Defakto Trust Domain Serverβ
To connect the Defakto Agents to the Trust Domain Server you will need to set up a domain name for the agent endpoint on the Trust Domain Servers.
Since the Agents use default system trust store to verify TLS certificates, we recommend setting up a Load Balancer for this endpoint. This will also ensure resiliency of the Trust Domain Server.
Before getting started you will need a certificate for the agent endpoint domain name.
Application Load Balancerβ
You can setup a Kubernetes Ingress with a Load Balancer by enabling the ingress in the Helm Chart values.
Below is an example configuration that sets up an AWS Application Load Balancer:
trustDomainDeployment:
ingress:
enabled: true
annotations:
alb.ingress.kubernetes.io/scheme: internet-facing
alb.ingress.kubernetes.io/target-type: ip
alb.ingress.kubernetes.io/backend-protocol: HTTP
alb.ingress.kubernetes.io/backend-protocol-version: GRPC
alb.ingress.kubernetes.io/certificate-arn: <YOUR-CERT-ARN>
alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-TLS13-1-2-2021-06
alb.ingress.kubernetes.io/success-codes: "0-99"
alb.ingress.kubernetes.io/target-group-attributes: load_balancing.algorithm.type=least_outstanding_requests
alb.ingress.kubernetes.io/healthcheck-path: /grpc.health.v1.Health/Check
hosts:
- host: <YOUR-CERT-DOMAIN-NAME>
paths:
- path: /
pathType: Prefix
className: alb
Replace the host with a domain name that you own and add the ARN to the certificate for that domain name.
Once the Trust Domain Server has been deployed, get the address of the Ingress:
kubectl get ingress tdd-<TDD_ID>-spirl-server-agent -n tdd-<TDD_ID>
Create a DNS record (Route53, Cloudflare) with your DNS provider to point your agent endpoint domain name to the Ingress address.
Network Load Balancerβ
To setup an AWS Network Load Balancer you can modify the Kubernetes service for the Trust Domain Server using the Helm Chart Values.
trustDomainDeployment:
service:
annotations:
service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing"
# TLS termination at NLB
service.beta.kubernetes.io/aws-load-balancer-ssl-cert: <YOUR-CERT-ARN>
service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "tcp"
port: 443
type: LoadBalancer
Add the ARN to the certificate for the domain name you will use for the agent endpoint.
Note that this will set up an NLB with TLS termination meaning that the connection from the agent to the NLB will use TLS, but the connection from the NLB to the server will be unencrypted.
Once the Trust Domain Server has been deployed, get the "EXTERNAL-IP" of the service:
kubectl get services tdd-<TDD_ID>-spirl-server-agent -n tdd-<TDD_ID>
Create a DNS record (Route53, Cloudflare) with your DNS provider to point your agent endpoint domain name to the "EXTERNAL-IP" address of the service.
Testing the Agent Endpointβ
Once you have setup a Load Balancer for the agent endpoint, you can test it using grpcurl
$ grpcurl <agent-endpoint>:443 grpc.health.v1.Health/Check
If everything is setup correctly you should see a response like:
{
"status": "SERVING"
}
Download the latest SPIRL Trust Domain Server Helm Chartβ
You can download the latest version of the Helm chart by running the following command.
helm pull oci://ghcr.io/spirl/charts/spirl-server -d .
Deploy SPIRL Trust Domain Serversβ
You can deploy SPIRL Trust Domain Servers using the following command. Note that:
- The
--namespacevalue must contain thetrustDomainDeploymentIDdefined invalues.yaml - The helm
RELEASEargument must equal thetrustDomainDeployment.iddefined invalues.yaml
helm upgrade --install --namespace $YOUR_TD_DEPLOYMENT_ID-example \
--create-namespace \
--values ./values.yaml \
$YOUR_TD_DEPLOYMENT_ID ./spirl-server-0.29.0.tgzThe command should produce output similar to the following:
Release "tdd-nnlo6k3t3o" does not exist. Installing it now.
NAME: tdd-nnlo6k3t3o
LAST DEPLOYED: Tue Dec 19 08:28:26 2023
NAMESPACE: tdd-nnlo6k3t3o-example
STATUS: deployed
REVISION: 1
TEST SUITE: None
Helm Values Referenceβ
This section provides a comprehensive reference for all configuration options available in the SPIRL Trust Domain Server Helm chart. These values can be used to customize your SPIRL Trust Domain Server deployment to meet specific requirements.
Images Configurationβ
images.repository: Base repository for all images (default:"ghcr.io/spirl")images.pullPolicy: Image pull policy (default:"IfNotPresent")images.pullSecrets: Array of image pull secrets (default:[])images.pullCredentials: Array of registries and corresponding secrets in the formbase64("username:password"). The array will be used to generate a dockerconfigjson secret that will be used as an imagePullSecret (default:[])images.trustDomainDeployment.name: Trust Domain Server image name (default:"spirl-server")images.trustDomainDeployment.tag: Trust Domain Server image tag (default: Chart appVersion)images.trustDomainDeployment.repository: Trust Domain Server-specific repository (optional)images.firefly.name: Firefly integration image name (default:"firefly")images.firefly.tag: Firefly image tag (default:"v1.9.1")images.firefly.repository: Firefly-specific repository (default:"registry.venafi.cloud/public/venafi-images")
Trust Domain Deployment Configurationβ
Basic Configurationβ
trustDomainDeployment.trustDomainName: Name of the trust domain (e.g.,"spirl.example.com")trustDomainDeployment.trustDomainID: ID of the trust domain from registration (e.g.,"td-diok4t8ahq")trustDomainDeployment.id: Deployment ID generated during deployment creation (e.g.,"tdd-nnlo6k3t3o")trustDomainDeployment.name: Deployment name specified during creation (e.g.,"us-west-2")trustDomainDeployment.maxUnavailable: Maximum number of unavailable instances in pod disruption budget (default:1)
Deployment Configurationβ
trustDomainDeployment.deployment.replicaCount: Number of replicas (default:1)trustDomainDeployment.deployment.env: Map of environment variables (default:{"SPIRL_ENV": "prod"})trustDomainDeployment.deployment.additionalArgs: Array of additional command-line arguments (default:[])trustDomainDeployment.deployment.additionalVolumes: Array of additional volumes (default:[])trustDomainDeployment.deployment.additionalVolumeMounts: Array of additional volume mounts (default:[])trustDomainDeployment.deployment.additionalContainers: Array of additional sidecar containers (default:[])trustDomainDeployment.deployment.annotations: Map of pod annotations (default:{})trustDomainDeployment.deployment.nodeSelector: Map of node selector labels (default:{})trustDomainDeployment.deployment.additionalLabels: Map of additional pod labels (default:{})trustDomainDeployment.deployment.resources: Resource requests and limitstrustDomainDeployment.deployment.affinity: Node affinity rulestrustDomainDeployment.deployment.topologySpreadConstraints: Array of topology spread constraints (default:[])trustDomainDeployment.deployment.tolerations: Array of node tolerations (default:[])trustDomainDeployment.deployment.drainDuration: Duration to leave listening servers up during shutdown to allow load balancer draining (default:"10s")trustDomainDeployment.deployment.strategy: Deployment strategy configuration for rolling updates
Extension Configurationβ
trustDomainDeployment.deployment.extension.webhookUrl: Webhook URL for the extension servicetrustDomainDeployment.deployment.extension.timeout: Timeout for extension calls (optional)trustDomainDeployment.deployment.extension.invokeForClusterIds: Array of cluster IDs for which the extension should be invoked (default:[])trustDomainDeployment.deployment.extension.webhookCaCert: CA certificate to validate the extension webhook's TLS certificate (optional)trustDomainDeployment.deployment.extension.authenticationType: Authentication type for extension webhooks (values:NONE,BEARER)trustDomainDeployment.deployment.extension.token: Token for BEARER authentication (default:"/var/run/secrets/kubernetes.io/serviceaccount/token")
Horizontal Pod Autoscaler Configurationβ
trustDomainDeployment.deployment.hpa.enabled: Enable horizontal pod autoscaling (default:false)trustDomainDeployment.deployment.hpa.minReplicas: Minimum number of replicas (default:1)trustDomainDeployment.deployment.hpa.maxReplicas: Maximum number of replicas (default:7)trustDomainDeployment.deployment.hpa.targetCPUUtilizationPercentage: Target CPU utilization percentage (default:50)trustDomainDeployment.deployment.hpa.behavior: HPA behavior configuration
Jobs Configurationβ
trustDomainDeployment.jobs.annotations: Map of annotations for job pods (default:{})
Service Account Configurationβ
trustDomainDeployment.serviceAccount.create: Create service account (default:true)trustDomainDeployment.serviceAccount.createRoles: Create roles for the service account (default:false)trustDomainDeployment.serviceAccount.name: Service account name (auto-generated if not specified)trustDomainDeployment.serviceAccount.annotations: Map of service account annotations (default:{})
Service Configurationβ
trustDomainDeployment.service.type: Kubernetes service type (default:"ClusterIP")trustDomainDeployment.service.port: Service port number (default:80)trustDomainDeployment.service.annotations: Map of service annotations (default:{})
Ingress Configurationβ
trustDomainDeployment.ingress.enabled: Enable ingress (default:false)trustDomainDeployment.ingress.className: Ingress class nametrustDomainDeployment.ingress.hosts: Array of host configurationstrustDomainDeployment.ingress.hosts[].host: Host nametrustDomainDeployment.ingress.hosts[].paths: Array of path configurationstrustDomainDeployment.ingress.hosts[].paths[].path: URL pathtrustDomainDeployment.ingress.hosts[].paths[].pathType: Path type (e.g.,"Prefix")
trustDomainDeployment.ingress.tls: Array of TLS configurationstrustDomainDeployment.ingress.tls[].secretName: TLS secret nametrustDomainDeployment.ingress.tls[].hosts: Array of hosts for this TLS configuration
trustDomainDeployment.ingress.annotations: Map of ingress annotations (default:{})
Gateway Configuration (Istio)β
trustDomainDeployment.gateway.enabled: Enable gateway (default:false)trustDomainDeployment.gateway.certManager.enabled: Enable cert-manager integration (default:false)trustDomainDeployment.gateway.certManager.email: Email for cert-managertrustDomainDeployment.gateway.certManager.issuer: Certificate issuertrustDomainDeployment.gateway.selector: Map of gateway selector labels (default:{})trustDomainDeployment.gateway.tlsCredentialName: TLS credential nametrustDomainDeployment.gateway.host: Gateway host
Virtual Service Configuration (Istio)β
trustDomainDeployment.virtualService.enabled: Enable virtual service (default:false)
Security Configurationβ
trustDomainDeployment.podSecurityContext: Pod security context configurationtrustDomainDeployment.containerSecurityContext: Container security context configuration
SVID Configurationβ
trustDomainDeployment.x509SVIDSubject: X.509 SVID subject configurationtrustDomainDeployment.x509SVIDTTL: X.509 SVID time-to-live (e.g.,"1h")trustDomainDeployment.jwtSVIDTTL: JWT SVID time-to-live (e.g.,"5m")trustDomainDeployment.allowedAttributes: Array of allowed workload attributes (default:[])
Session and Debug Configurationβ
trustDomainDeployment.sessionExpiration: Session expiration durationtrustDomainDeployment.pprof: Enable pprof profiling (default:false)
Federation Configurationβ
trustDomainDeployment.federation.oidcIssuer: OIDC issuer URL for federationtrustDomainDeployment.federation.trustBundleEndpointListenPort: Port for trust bundle endpoint (default:0, disabled)
Debug Service Configurationβ
trustDomainDeployment.debugService.enabled: Enable debug service (default:false)
Control Plane Configurationβ
Authentication Configurationβ
controlPlane.auth.mode: Authentication mode (default:"direct"). Valid values:direct- Connect directly to control plane (requireskey)agent- Use local SPIRL agent via Workload APIdisabled- Disable authentication
controlPlane.auth.endpoint: Control plane authentication endpoint (default:"auth.cp.spirl.com:443")controlPlane.auth.suppliedSecretName: Name of pre-existing secret for authentication (alternative tokey)controlPlane.auth.key.id: Trust domain key ID from registrationcontrolPlane.auth.key.pem: Private key for authentication (PEM format)
Events Configurationβ
controlPlane.events.endpoint: Events service endpoint (default:"events.cp.spirl.com:443")controlPlane.events.serverName: Server name for TLS verification (optional, uses hostname from endpoint if not specified)
Relay Configurationβ
controlPlane.relay.endpoint: Relay service endpoint (default:"relay-web.cp.spirl.com:443")controlPlane.relay.spiffeIDPrefix: SPIFFE ID prefix for relay validation (default:"spiffe://spirl.internal/us-west-2/spirl/relay")controlPlane.relay.useWebPKI: Use Web PKI for relay connections (default:true)controlPlane.relay.webPKISupplementalRootCAs: Supplemental root CAs for Web PKI (PEM format)controlPlane.relay.serverName: Server name for TLS verification (optional, uses hostname from endpoint if not specified)
Cloud Provider Configurationβ
AWS Configurationβ
aws.kmsKeyARN: AWS KMS key ARN for encryptionaws.endpoints.kms: Custom KMS endpoint URL
Azure Configurationβ
azure.keyVault.url: Azure Key Vault URLazure.keyVault.keyName: Key name in Key Vaultazure.keyVault.keyVersion: Key version (optional, defaults to latest)
GCP Configurationβ
gcp.projectID: GCP project IDgcp.location: GCP location/regiongcp.kms.keyRing: KMS key ring namegcp.kms.keyName: KMS key name
Integrations Configurationβ
Venafi Firefly Integrationβ
integrations.venafi.firefly.suppliedSecretName: Name of pre-existing secret for Firefly authenticationintegrations.venafi.firefly.config.clientID: Firefly client IDintegrations.venafi.firefly.config.policyName: Firefly policy nameintegrations.venafi.firefly.config.trustAnchorPem: Trust anchor certificate (PEM format)integrations.venafi.firefly.config.svcAccKeyPem: Service account key (PEM format)integrations.venafi.firefly.resources: Resource requests and limits for Firefly sidecar
Telemetry Configurationβ
telemetry.enabled: Enable telemetry collection (default:true)telemetry.metricsAPI.port: Port for metrics API exposure (default:9090)telemetry.collectors.grpc.emmitLatencyMetrics: Enable gRPC latency metrics (default:true)
Latency Metrics
Latency monitoring metrics are enabled by default. Be aware that time histogram metrics for gRPC servers and clients can increase cardinality. See Prometheus best practices for more information on metric cardinality.
Health Configurationβ
health.enabled: Enable health server (default:true)health.port: Port for health server (default:8086)
Advanced Configurationβ
skipNameChecks: Skip name validation checks (default:false)global: Free-form global configuration object for advanced use cases when embedding helm sub-charts.