This sample deploys a setup of SPIRE (the SPIFFE Runtime Environment) as an example of integrating with Envoy's SDS API. For more information on the SPIFFE specs, refer to the SPIFFE Overview.
Once SPIRE is deployed and integrated with Istio, this sample deploys a modified version of the sleep service and validates that its identity was issued by SPIRE. Workload registration is automatically handled by the k8s-workload-registrar.
See Istio CA Integration with SPIRE for further details about this integration.
Deploy SPIRE into the cluster:

```bash
$ kubectl apply -f spire-quickstart.yaml
```

Wait for the `spire-agent` pod to become ready before moving to the next step:

```bash
$ kubectl wait pod --for=condition=ready -n spire -l app=spire-agent
```
Install Istio with the provided configuration profile:

```bash
$ istioctl install -f istio-spire-config.yaml
```
Deploy the `sleep-spire.yaml` version of the sleep service, which injects the custom `istio-agent` template defined in `istio-spire-config.yaml`.

If you have automatic sidecar injection enabled:

```bash
$ kubectl apply -f sleep-spire.yaml
```

Otherwise, manually inject the sidecar before applying:

```bash
$ kubectl apply -f <(istioctl kube-inject -f sleep-spire.yaml)
```
Retrieve the certificate chain that the sleep sidecar received over SDS using the `istioctl proxy-config secret` command:

```bash
$ export SLEEP_POD=$(kubectl get pod -l app=sleep -o jsonpath="{.items[0].metadata.name}")
$ istioctl pc secret $SLEEP_POD -o json | jq -r \
    '.dynamicActiveSecrets[0].secret.tlsCertificate.certificateChain.inlineBytes' | base64 --decode > chain.pem
```

Inspect the certificate and confirm that it was issued by SPIRE:

```bash
$ openssl x509 -in chain.pem -text | grep SPIRE
    Subject: C = US, O = SPIRE, CN = sleep-5d6df95bbf-kt2tt
```
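The `grep SPIRE` check above only matches the display name in the certificate Subject. The identity Istio actually uses for peer authentication and authorization is the SPIFFE ID carried in the certificate's URI SAN, and a certificate is only trustworthy if its chain validates against the SPIRE trust bundle. The following shell functions are an added example, not part of the Istio sample; they assume the trust domain `example.org`, the `sleep` workload running in namespace `default` with service account `sleep`, the default k8s-workload-registrar SPIFFE ID layout `spiffe://<trust-domain>/ns/<namespace>/sa/<service-account>`, and a trust bundle saved separately as `bundle.pem` (all of these are assumptions; adjust the `EXPECTED_*` variables for your cluster).

```bash
#!/bin/sh
# Added example (not from the Istio sample): check that chain.pem is an
# X509-SVID for the expected workload rather than just "some cert with SPIRE
# in its Subject".
#
# Assumed values (constructed for this example); override via environment.
EXPECTED_TRUST_DOMAIN="${EXPECTED_TRUST_DOMAIN:-example.org}"
EXPECTED_NAMESPACE="${EXPECTED_NAMESPACE:-default}"
EXPECTED_SA="${EXPECTED_SA:-sleep}"

# check_spiffe_id ID TRUST_DOMAIN NAMESPACE SERVICE_ACCOUNT
# Succeeds only when ID is exactly spiffe://TRUST_DOMAIN/ns/NAMESPACE/sa/SERVICE_ACCOUNT.
# An exact comparison (not a substring match) rejects IDs from another trust
# domain, namespace or service account that merely contain the expected text.
check_spiffe_id() {
    _id=$1; _td=$2; _ns=$3; _sa=$4
    [ "$_id" = "spiffe://$_td/ns/$_ns/sa/$_sa" ]
}

# uri_san_from_text
# Reads `openssl x509 -text`-style output on stdin and prints the first
# spiffe: URI found in a Subject Alternative Name entry.
uri_san_from_text() {
    sed -n 's/.*URI:\(spiffe:[^,[:space:]]*\).*/\1/p' | head -n 1
}

# extract_spiffe_id PEM_FILE
# Prints the SPIFFE ID of the leaf certificate (first cert in the chain).
extract_spiffe_id() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null | uri_san_from_text
}

# verify_chain CHAIN_PEM BUNDLE_PEM
# Validates the leaf against the trust bundle, using the remaining certs in
# CHAIN_PEM as untrusted intermediates.
verify_chain() {
    openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1
}

# verify_svid CHAIN_PEM BUNDLE_PEM
# Full check: chain validity plus SPIFFE ID match. Exit status is the result.
verify_svid() {
    _chain=$1; _bundle=$2
    verify_chain "$_chain" "$_bundle" || { echo "chain does not validate against $_bundle" >&2; return 1; }
    _got=$(extract_spiffe_id "$_chain")
    check_spiffe_id "$_got" "$EXPECTED_TRUST_DOMAIN" "$EXPECTED_NAMESPACE" "$EXPECTED_SA" \
        || { echo "unexpected SPIFFE ID: '$_got'" >&2; return 1; }
    echo "OK: $_got"
}

# Run the live check only when explicitly requested, e.g.
#   RUN_LIVE=1 sh verify-svid.sh
# so that sourcing the file for its functions has no side effects.
if [ "${RUN_LIVE:-0}" = "1" ]; then
    verify_svid chain.pem bundle.pem
fi
```

`openssl verify` treats only the first certificate in a file as the target, so the chain file is passed twice: once as the target and once via `-untrusted` to supply any intermediates SPIRE included. A trust bundle that does not come from the SPIRE server (for example, one copied from the workload's own secret) would make the chain check circular, so obtain `bundle.pem` from a source you trust independently of the pod being checked.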
To tear the sample down, delete the `spire` namespace (which removes the SPIRE server, agent and registrar deployments), then remove the cluster-scoped roles and bindings, which are not namespaced and would otherwise be left behind:

```bash
$ kubectl delete namespace spire
$ kubectl delete clusterrole spire-server-trust-role spire-agent-cluster-role
$ kubectl delete clusterrolebinding spire-server-trust-role-binding spire-agent-cluster-role-binding
```