Provides a showcase for cloud native identity management using SPIFFE, SPIRE and Vault on Kubernetes.
- Linux or macOS is recommended
- Windows does not support Domain Sockets. Build & development is possible on Windows with limited local testability.
- Homebrew is recommended on macOS for installing the prerequisites
- JDK 8 or 9
- Bash shell for the Makefiles (Babun is recommended on Windows; pre-installed on macOS)
- GNU make (Pre-installed with Babun on Windows, pre-installed on macOS)
- Docker CLI
- kubectl
- minikube
- VirtualBox (or another Hypervisor supported by minikube)
- ZSH with oh-my-zsh and the kubectl and Docker plugins is recommended as the development shell
- IntelliJ IDEA is recommended as the IDE
  - Recommended plugins:
    - Kubernetes and Openshift Resource Support Plugin
    - Makefile Support
    - .ignore
    - Lombok Plugin
    - Spock Framework Enhancements
    - Protobuf Support
    - Bash Support
  - Don't forget to activate annotation processing to make Lombok work in IntelliJ IDEA
Deployment:
make minikube-deploy
Accessing the demo with a browser:
- Use the following command to get the URL of the HTTP ingress:
make minikube-test-service-url
- Access the URL in the browser
Fetch certificates from the SPIRE agent:
kubectl -n spire exec $(kubectl -n spire get pod -o name | grep -o 'spire-agent.*$') -- /opt/spire/spire-agent api fetch -socketPath /spire/socket/agent.sock -write /root && kubectl -n spire cp $(kubectl -n spire get pod -o name | grep -o 'spire-agent.*$'):/root .
Register workloads:
kubectl exec $(kubectl get pod -o name | grep -o 'spire-server.*$') -- /opt/spire/spire-server register -parentID spiffe://cloudid.qaware.de/k8s/node/minikube -spiffeID spiffe://cloudid.qaware.de/host/workload -selector k8s:ns:default
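A check for the files written by the fetch command above, as an added example that is not part of the showcase: it confirms that the SVID carries exactly one URI SAN equal to the SPIFFE ID you expect and that it chains to the trust bundle. The file names svid.0.pem and bundle.0.pem and the script name check_svid.sh are assumptions; the expected SPIFFE ID is passed as an argument.

```sh
#!/bin/sh
# Added example, not part of the showcase. Assumed file names: svid.0.pem
# (leaf first, then any intermediates) and bundle.0.pem (trust bundle).
# Needs OpenSSL 1.1.1 or later for the -ext option.

# Print every URI subjectAltName of the first (leaf) certificate in a PEM file.
svid_uris() {
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
    grep -o 'URI:[^,[:space:]]*' | sed 's/^URI://'
}

# check_svid <svid.pem> <bundle.pem> <expected-spiffe-id>
# The body runs in a subshell (parentheses) so its variables stay local.
# Exit status: 0 ok, 1 wrong or ambiguous identity, 2 chain does not verify.
check_svid() (
  svid=$1 bundle=$2 expected=$3
  uris=$(svid_uris "$svid")
  # An X.509-SVID must carry exactly one URI SAN, and that is its SPIFFE ID.
  count=$(printf '%s\n' "$uris" | grep -c . || true)
  if [ "$count" -ne 1 ]; then
    echo "expected exactly one URI SAN, found $count" >&2
    exit 1
  fi
  if [ "$uris" != "$expected" ]; then
    echo "SPIFFE ID mismatch: got '$uris', want '$expected'" >&2
    exit 1
  fi
  # The leaf must chain to the trust bundle; any further certificates in the
  # SVID file are offered as untrusted intermediates.
  if ! openssl verify -CAfile "$bundle" -untrusted "$svid" "$svid" >/dev/null 2>&1; then
    echo "chain does not verify against $bundle" >&2
    exit 2
  fi
  echo "ok: $uris"
)

# Stand-alone use: ./check_svid.sh root/svid.0.pem root/bundle.0.pem <spiffe-id>
if [ "$#" -eq 3 ]; then
  check_svid "$@"
  exit $?
fi
```

A non-zero exit status means the files should not be trusted as the identity you expected: status 1 points at the registration entry or selector, status 2 at the trust bundle.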
- Ingress does not work on Minikube with TLS-protected backends on Minikube up
- Minikube API server hiccups on Minikube 0.26.1 (0.25 works fine)
The showcase is © 2018 QAware, published under the Apache License Version 2.0, with the following exceptions:
- SPIFFE and SPIRE logos © 2017 The SPIFFE Project & Scytale, Inc. See https://github.com/spiffe.
- Cat image, source: pixabay.com, subject to the Creative Commons CC0
- Demo site template, source: html5webtemplates.co.uk, subject to the Creative Commons CC BY 3.0