Skip to content

qaware/cloudid-showcase

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

324 Commits

attack

attack

 
 

cloudid

cloudid

 
 

spire

spire

 
 

upstream-ca

upstream-ca

 
 

vault

vault

 
 

.gitattributes

.gitattributes

 
 

.gitignore

.gitignore

 
 

.gitlab-ci.yml

.gitlab-ci.yml

 
 

LICENSE

LICENSE

 
 

Makefile

Makefile

 
 

README.md

README.md

 
 

Repository files navigation

Cloud Native Identity Management Showcase

Provides a showcase for cloud native identity management using SPIFFE, SPIRE and Vault on Kubernetes.

Components

Build & Development

Prerequisites

  • LINUX or macOS is recommended
    • Windows does not support Domain Sockets. Build & development is possible on Windows with limited local testability.
    • Homebrew is recommended on macOS for installing the prerequisites
  • JDK 8 or 9
  • BASH shell (Babun is recommended on Windows. pre-installed on macOS) for the Makefiles
  • GNU make (Pre-installed with Babun on Windows, pre-installed on macOS)
  • Docker CLI
  • kubectl
  • minikube
  • VirtualBox (or another Hypervisor supported by minikube)
  • ZSH with oh-my-zsh and the kubectl and Docker plugins is recommended as development shell
  • IntelliJ IDEA is recommended as IDE
    • Recommended plugins:
      • Kubernetes and Openshift Resource Support Plugin
      • Makefile Support
      • .ignore
      • Lombok Plugin
      • Spock Framework Enhancements
      • Protobuf Support
      • Bash Support
    • Don't forget to activate annotation processing to make Lombok work in IntelliJ IDEA

Minikube

Deployment:

make minikube-deploy

Accessing the demo with a browser:

  • Use make minikube-test-service-url to get the URL of the HTTP ingress
  • Access the URL in the browser

Kubernetes

Fetch certificates from the SPIRE agent:

kubectl -n spire exec $(kubectl -n spire get pod -o name | grep -o 'spire-agent.*$') -- /opt/spire/spire-agent api fetch -socketPath /spire/socket/agent.sock -write /root && kubectl -n spire cp $(kubectl -n spire get pod -o name | grep -o 'spire-agent.*$'):/root .

Register workloads:

kubectl exec $(kubectl get pod -o name | grep -o 'spire-server.*$') -- /opt/spire/spire-server register -parentID spiffe://cloudid.qaware.de/k8s/node/minikube -spiffeID spiffe://cloudid.qaware.de/host/workload -selector k8s:ns:default

Known Issues

  • Ingress does not work on Minikube with TLS-protected backends on Minikube up
  • Minikube API server hickups on Minikube 0.26.1 (0.25 works fine)

Copyright

The showcase is © 2018 QAware, published under the Apache License Version 2.0, with the following exceptions:

About

Cloud Native Identity Management Showcase.

Topics

java kubernetes security vault cloud-native jsa spiffe spire

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

7 stars

Watchers

8 watching

Forks

3 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •  

Languages