Description
Using a CRD to better integrate SPIRE and Kubernetes - Faisal Memon
In this talk we will discuss the Custom Resource Definition (CRD) for SPIRE we created. With the CRD we can better support automatic and manual generation of certificates, as well as integrate with kubectl.
Don’t miss out! Join us at our upcoming event: KubeCon + CloudNativeCon Europe 2021 Virtual from May 4–7, 2021. Learn more at kubecon.io. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
A
So, thanks for the introduction, Mayor. Honored to be here talking to you guys. The topic for the next 15 minutes or so is going to be how we use SPIRE at NGINX and F5, and the CRD that we developed as part of that work.
A
My name is Faisal Memon. I work at F5. F5 acquired NGINX, the open source web server that I'm sure a lot of you guys are familiar with; that acquisition completed about a year and a half ago now. At this point we are the NGINX business unit within F5. That lovely little girl there is my almost five-year-old daughter.
A
My agenda for today: first I want to talk about how we use SPIRE at NGINX and F5, and the value that we've gotten from the software, and then talk about the CRD that we pushed back to the community, the reasons for creating that and the value it's provided to us, and then a demo of that CRD in action. And then we want to talk a little bit about what we're going to be doing going forward.
A
So what we use SPIRE for is, we implemented, or integrated rather, within our service mesh offering. So we recently, about a month ago, put out our service mesh offering that uses NGINX as a sidecar proxy and data plane, and as part of that offering we deploy SPIRE and we use SPIRE for a lot of different things within our service mesh.
A
We use SPIRE at the identity level as well, so SPIRE provides the identity for each of our sidecars, and then we allow the administrator to specify policies based on that identity to limit who can talk to who, so service A can talk to service B but not service C, for example.
A
So a lot of that complex policy we support, and we run that all through SPIRE, with data plane enforcement by NGINX. We use SPIRE to manage our webhook certificates, so SPIRE works really well for that use case: we use the SPIRE certificates, and then we use SPIRE and the agent, of course, to rotate the certificate, as well as the CA bundle within the validating webhook configuration, so that helps keep the webhook certificates fresh. Excuse me. And, of course, we also use SPIRE for our API server certificate, and that's this little white box right here. So our API server is what handles, for example, our mutating webhook that injects the sidecars, and what also pushes out the policy to our sidecars. So it's a big component in our control plane and, of course, we need a certificate to protect that, and for that certificate we rely on SPIRE to distribute and rotate it for us.
A
So moving forward, as part of this work we created a CRD for SPIFFE. CRDs are very ubiquitous, of course, within the Kubernetes world; they're a very versatile, very useful tool for extending Kubernetes and providing additional integration points with Kubernetes, and so we've been able to leverage the CRD framework to better integrate SPIRE with Kubernetes.
A
My favorite one is the kubectl integration, and so looking at that YAML code in the gray box right there, you should see a lot of the standard fields if you create SPIRE entries on the SPIRE server: the SPIFFE ID, the parent ID, the selectors.
A
So with the CRD you can now define those as a YAML file, and then kubectl apply them, kubectl edit, kubectl delete. So you can manage the full life cycle of SPIFFE IDs and SPIRE registration entries right from the kubectl command line.
A
We support auto generation of SPIFFE IDs as well, so you can have the Kubernetes workload registrar auto issue certificates based on pods being created, and then clean up the SPIRE server when they're deleted. We do parenting of the IDs to the node, and so that gives an extra level of security, that the particular SPIFFE ID is tied to that node. So you can't use that workload on a different node that it's not authorized to run on.
A
We add DNS names to the certificates, and that was actually our main reason for developing this CRD, is that NGINX, as part of mTLS certificate verification on the client side, requires that the server certificate have a DNS name. So we needed that DNS name populated, and we needed that DNS name populated in an automated manner, and so the CRD system, along with the endpoint reconciler, really worked nicely for that use case.
A
Okay, and with that I'm just going to go into a demo of the CRD in action. So I'm going to go ahead and switch to my desktop here. Our demo here is built on the simple PSAT example that's available within the SPIFFE GitHub repo under SPIRE examples, okay, simple PSAT. So if you go here, there's a nice little quick start for PSAT, and so what I'm going to do is built on this PSAT, and I have a quick start guide available right now, is here. So I'm just starting off with just a SPIRE server and agent deployed. In this case I have a two node cluster. So the first thing I'm going to do, I'm just going to my quick start guide. I'm going to apply a set of YAMLs, nothing out of the ordinary. Here we need to apply a cluster role, a config map, a validating webhook configuration and, of course, the actual custom resource definition. So I go ahead and apply all that, and that goes through.
A
The next thing I need to do is update our SPIRE server stateful set, so our Kubernetes workload registrar runs as an additional container within the SPIRE server stateful set pod, and so what I'm going to do here is go ahead and update that stateful set. And so now, if I go kubectl get -n spire, we'll see here that it deleted the old SPIRE server pod with just one container, and now we're creating a second one; that takes a minute for our stateful set.
A
So now I'm just going to quickly make sure that everything is up and running. So now we see here that there's two containers running within this pod: one is the SPIRE server, of course, and one's the registrar that does all the logic of taking in the CRD and converting that to SPIRE registration entries.
A
And you can see that the YAML is created and I can go kubectl get spiffeids, and we can see here that my SPIFFE ID was created, and I can even do kubectl get spiffeids -o yaml, and we can see that Kubernetes, of course, adds a bunch of stuff to it, but the spec is the same as the YAML.
A
And one other thing I can do, I'm just going through my quick start guide here, is I can just verify on the SPIRE server that in fact the entry was created. I copied too much. Sorry, I copied a little bit too much.

A
There we go, and so from the YAML file we did kubectl apply, and the end result, of course, is an entry gets created on the SPIRE server, and I can, of course, also edit the SPIFFE ID. So I can edit it, and I can say, you know, for example...
A
Looking forward: so I mentioned that we have a PR open, and what this PR does is it simplifies the configuration of the registrar. So a lot of the feedback I got on the initial version that we put out was that it was too complicated because it has a validating webhook, and that validating webhook needs a certificate.
A
So what we did is we went back to the drawing board on how we can remove that requirement, and so now we're going to use SPIRE itself to populate the certificate for the validating webhooks. That greatly simplifies the configuration, and we're combining that PR with that quick start guide that I put up there. So it makes it very easy for you guys to test this out and see how it works for you. We're looking into SAT attestor support.
A
So right now the registrar supports PSAT, but a lot of our sales engineers use Kubernetes platforms like kind or the built-in Docker for Mac Kubernetes, where for whatever reason we're not able to modify the API server configuration, so supporting PSAT is not possible on those platforms.
A
So we're looking into SAT attestor support to get a broader range of platforms supported. We're looking to add more DNS names to certificates; so right now we're just adding the two, the name of the pod and the name of the service associated with the pod. We're going to fill that in with the full set of DNS names available. And the last thing we'll be looking into is updating to use the latest set of SPIRE APIs that was just recently put out with 0.11.0. And if you want to try it out, that link is kind of long, but we're going to send out the slide decks afterward. So I'd love for you guys to try it out. Let me know what you think: is it good? Is it not good? Do you like it, do you not like it?
B
Yeah, maybe they message you privately. If you can just double check, I know a few of the attendees have been doing private questions too. It'll be great. You might...

B
...slides, but not sure what's the best place to direct folks to take a look at the code.
A
There it is. Sorry, it's... I got some questions here.
A
Have you looked at service meshes like Istio, Kuma, etc.? So of course we have looked at all those, you know, as part of making our own service mesh solution, right. Why do we... why should we add to an already crowded space where there's like a million service mesh offerings? And so our initial effort was to try to plug into Istio and use NGINX as the sidecar proxy with Istio, but that effort had a lot of complications with it, and so we just decided at some point that it would be better to create our own service mesh offering, and our main differentiation with our service mesh offering is that we're trying to make it more open.
A
So, if you saw with our little block diagram, we had Grafana, Prometheus, SPIRE, obviously the reason I'm here talking today, so it's very much using a lot of the open source components that you guys are familiar with. We're also trying to make it very simple, very easy to deploy, very easy to use.
B
Great, I think... thank you for sharing the link in the chat window. And Faisal, you're around, right? If people have questions, they can Slack you or they can put it in the chat window. Correct?
A
Yeah, I'm around. Slack me on the SPIFFE Slack, I'm in there, and I'll be monitoring this chat for the rest of the day. All right, thank you guys, appreciate the time.