NEW: Get project updates onTwitterandMastodon

Installing cert-manager csi-driver-spiffe

Installation Steps

1. Install cert-manager

csi-driver-spiffe requires cert-manager to be installed but a default installation of cert-manager will not work.

⚠️ It is vital that the default approver is disabled in cert-manager ⚠️

If the default approver is not disabled, the csi-driver-spiffe approver will race with cert-manager and policy enforcement will become useless.

Policy enforcement is absolutely critical for using csi-driver-spiffe safely. See the security considerations section for more details.

Here's a example which reconfigure an installed cert-manager (v1.15.0+) to run without auto-approver:

# ⚠️ This Helm option is only available in cert-manager v1.15.0 and later.
existing_cert_manager_version=$(helm get metadata -n cert-manager cert-manager | grep '^VERSION' | awk '{ print $2 }')
helm upgrade cert-manager jetstack/cert-manager \
--reuse-values \
--namespace cert-manager \
--version $existing_cert_manager_version \
--set disableAutoApproval=true

2. Configure an Issuer / ClusterIssuer

This step can be deferred if you use runtime configuration, but a valid issuer must be configured before a pod can successfully use csi-driver-spiffe to obtain an SVID.

Install or configure some kind of issuer which will be used for signing CertificateRequest resources in your Trust Domain.

If you wish to use a namespace-scoped issuer it must be created in every namespace that Pods will mount volumes from.

You must use an Issuer type which is compatible with signing certificates with a custom URI SAN. ACME issuers won't generally work, and the SelfSigned issuer is not appropriate.

An example demo ClusterIssuer can be found in the csi-driver-spiffe repo.

⚠️ This Trust Domain's root CA is generated by cert-manager and the private key is stored in the cluster!

This might not be appropriate for production deployments, depending on your threat model.

We'll also use cmctl to approve the CertificateRequest, since the default approver was disabled above.

kubectl apply -f https://raw.githubusercontent.com/cert-manager/csi-driver-spiffe/ed646ccf28b1ecdf63f628bf16f1d350a9b850c1/deploy/example/clusterissuer.yaml
# We must also approve the CertificateRequest since we
# disabled the default approver
cmctl approve -n cert-manager \
$(kubectl get cr -n cert-manager -ojsonpath='{.items[0].metadata.name}')

3. Install csi-driver-spiffe

Install csi-driver-spiffe into the cluster using the issuer we configured. We must also configure the issuer resource type and name of the issuer we configured so that the approver has permissions to approve referencing CertificateRequests.

Installation varies slightly depending on whether you want to use runtime configuration, which is recommended.

With Runtime Configuration

First, create a ConfigMap in the installation namespace with details of the issuer to want to use.

The issuer doesn't have to exist until a pod tries to mount csi-driver-spiffe.

The name of the ConfigMap is passed into csi-driver-spiffe at install time.

kubectl create configmap -n cert-manager spiffe-issuer \
--from-literal=issuer-name=csi-driver-spiffe-ca \
--from-literal=issuer-kind=ClusterIssuer \
--from-literal=issuer-group=cert-manager.io
helm upgrade -i -n cert-manager cert-manager-csi-driver-spiffe jetstack/cert-manager-csi-driver-spiffe --wait \
--set "app.logLevel=1" \
--set "app.trustDomain=my.trust.domain" \
--set "app.issuer.name=" \
--set "app.issuer.kind=" \
--set "app.issuer.group=" \
--set "app.runtimeIssuanceConfigMap=spiffe-issuer"

In the example above the default issuer values (i.e. app.issuer.name, app.issuer.kind and app.issuer.group) are explicitly set to be empty, meaning that only runtime configuration will be used.

You can set the default issuer values if you want to fall back to that issuer in the event that the runtime configuration ConfigMap is invalid or deleted.

Without Runtime Configuration

Note that the issuer.name, issuer.kind and issuer.group will need to be changed to match the issuer you're actually using!

helm repo add jetstack https://charts.jetstack.io --force-update
helm upgrade cert-manager-csi-driver-spiffe jetstack/cert-manager-csi-driver-spiffe \
--install \
--namespace cert-manager \
--wait \
--set "app.logLevel=1" \
--set "app.trustDomain=my.trust.domain" \
--set "app.issuer.name=csi-driver-spiffe-ca" \
--set "app.issuer.kind=ClusterIssuer" \
--set "app.issuer.group=cert-manager.io"

Usage

📖 Read the csi-driver-spiffe docs.