►
Description
Using a CRD to better integrate SPIRE and Kubernetes - Faisal Memon
In this talk we will discuss the Custom Resource Definition (CRD) for SPIRE we created. With the CRD we can better support automatic and manual generation of certificates, as well as integrate with kubectl.
Don’t miss out! Join us at our upcoming event: KubeCon + CloudNativeCon Europe 2021 Virtual from May 4–7, 2021. Learn more at kubecon.io. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
A
My
name
is
faisal
mumman.
I
work
at
f5,
f5
acquired
nginx
the
open
source
web
server
that
I'm
sure
a
lot
of
you
guys
are
familiar
with
that
acquisition
completed
about
a
year
and
a
half
ago.
Now,
at
this
point,
so
now
we're
we
are
the
nginx
business
unit
within
f5
that
lovely
little
girl.
There
is
my
almost
five-year-old
daughter.
A
My
agenda
for
today,
first
I
want
to
talk
about
how
we
use
fire
at
nginx
and
f5,
and
the
value
that
we've
gotten
from
from
the
software
and
then
talk
about
the
crd
that
we
push
back
to
the
community
and
the
reasons
for
creating
that
the
value
that's
provided
to
us
and
then
a
demo
of
that
crd
in
action.
And
then
we
want
to
talk
a
little
bit
about
what
we're
going
to
be
doing
going
forward.
A
So
what
we
aspire
for
is
we
implemented
or
integrated
rather
within
our
service
mesh
offering?
So
we
recently
about
a
month
ago,
put
out
our
service
mesh,
offering
that
uses
nginx
as
a
sidecar,
proxy
and
data
point,
and
as
part
of
that
offering
we
deploy
spire
and
we
use
fire
for
a
lot
of
different
things
within
our
service
mesh.
A
So,
a
lot
of
that
complex
policy
we
support
and
we
run
that
all
through
aspire
with
data
plane
enforcement
by
nginx.
We
use
fire
to
manage
our
web
hook.
Certificates
so
aspire
works
really
well
for
that
use
case
that
we
use
the
spire
certificates
and
then
we
use
spire
and
the
agent,
of
course,
to
rotate
the
certificate,
as
well
as
the
ca
bundle
within
the
validating
web
hub
configuration
so
that
helps
keep
the
web
hook.
A
Certificates
fresh,
excuse
me
and,
of
course,
we
also
use
spire
for
our
api
server
certificate,
and
that's
this
little
white
box
right
here.
So
our
api
server
is
what
handles,
for
example,
our
mutating
a
web
hook
that
injects
the
side
cars
and
what
also
pushes
out
the
policy
to
our
sidecar.
So
it's
a
big
component
in
our
control
plane
and,
of
course
we
need
a
certificate
to
protect
that
and
for
that
certificate
we
rely
on
fire
to
to
distribute
and
add
rotated
force.
A
So
moving
forward
as
part
of
this
work,
we
created
a
crd
for
stiffy.
Crds
are
very
ubiquitous,
of
course,
within
the
kubernetes
world,
they're
very
versatile,
very
useful
tool
for
extending
kubernetes
and
providing
additional
integration
points
with
with
kubernetes,
and
so
we've
been
able
to
leverage
the
cid
framework
to
better
integrate
spire
with
kubernetes.
A
A
A
We
support
auto
generation
of
spf
ids
as
well,
so
you
can
have
the
the
kubernetes
workload
register,
auto
issue
certificates
based
on
pods
being
created
and
then
clean
up
the
spire
server
window
when
they're
deleted.
We
do
parenting.
It's
with
the
ids
to
the
node,
and
so
that
gives
an
extra
level
of
security
that
the
particular
spiffy
id
is
tied
to
that
node.
So
you
can
use
that
workload
on
a
different
node
that
it's
not
authorized
to
run
on.
A
We
add
dns
names
to
the
certificates,
and
that
was
actually
our
main
reason
here
for
for
developing
this.
The
crd
is
that
dungeon
x,
as
part
of
mtls
certificate,
verification
on
the
client
side
requires
that
the
server
certificate
have
a
dns
name,
so
we
needed
that
dns
thing
populated
and
we
knew
that
dns,
then
populated
in
an
automated
manner,
and
so
the
crd
system,
along
with
the
endpoint
reconciler,
really
worked
nicely
for
that
use
case.
A
A
Okay,
and
with
that
I'm
just
going
to
go
into
a
demo
of
the
crd
in
action.
So
I'm
going
to
go
ahead
and
switch
to
my
my
desktop
here,
and
so
our
demo
here
is
built
on
a
simple
psat
example.
Here,
that's
available
within
the
spiffy
github
repo
under
spire
examples:
okay,
it's
simple
pieces!
So
if
you
go
here,
there's
there's
a
nice
little
quick
start
for
psat,
and
so
our
what
I'm
going
to
do
is
built
on
this
psat
and
I
have
a
quick
start
guide
available
right
now.
A
A
Is
here
so
I'm
just
starting
off
with
just
aspire
server
and
agent
deployed.
In
this
case
I
have
a
two
node
cluster.
So
the
first
thing
I'm
going
to
do
I'm
just
going
to
my
quick
start
guide.
I'm
apply
a
set
of
yamls
and
nothing
out
of
the
ordinary.
Here
we
need
to
apply
a
cholesterol,
a
config
map,
a
validating
weapon
configuration
and,
of
course,
the
actual
custom
resource
definition.
So
I
go
ahead
and
apply
all
that,
and
that
goes
through.
A
The
next
thing
I
need
to
do
is
update
our
spire
server
staple
set,
so
our
kubernetes
workload
registrar
runs
as
an
additional
container
within
the
spire
server
stateful
set
pod,
and
so
what
I'm
going
to
do
here
is
go
ahead
and
update
that
stateful
set,
and
so
now,
if
I
go
cut
I'll,
get
minus
and
spire
we'll
see
here
that
it's
it
deleted.
The
the
old
slider
server
pod,
with
just
one
container,
now
we're
creating
a
second
one
that
takes
a
minute
our
status
setup.
A
So
now
I'm
just
going
to
quickly
make
sure
that
everything
is
up
and
running.
So
now
we
see
here
that
there's
two
containers
now
running
within
this
pod
one
is
aspire
server,
of
course,
one's
the
registrar
that
does
all
the
logic
of
taking
in
the
crd
and
converting
that
to
spire
registration
entries.
A
And
you
can
see
that
that
the
animal
is
created
and
I
can
go.
Crew
cuddle
get
spiffy
ids
and
we
can
see
here
that
my
niece
spiffy
id
was
created
and
I
can
even
do
the
you
know:
cucurl
stiffy,
ids,
minus,
oh
yaml,
and
we
can
see
that
you
know
kubernetes,
of
course,
adds
a
bunch
of
stuff
to
it,
but
the
spec
is
the
same
as
the
yaml.
A
A
A
B
A
Looking
forward
so
I
mentioned
that
we
have
a
pr
open,
and
so
what
this
pr
does
is
it
simplifies
the
configuration
of
the
registrar,
so
a
lot
of
the
feedback
I
got.
The
initial
version
that
we
put
out
was
that
it
was
too
complicated
because
it
has
a
validating
web
hook
and
that
validating
web
hook
needs
a
certificate.
A
So
we
did
is
we
went
back
to
the
drawing
board,
how
we
can
remove
that
requirement,
and
so
now
we're
going
to
use
spire
itself
to
populate
the
certificate
for
the
validating
webhooks.
That
greatly
simplifies
the
configuration
and
we're
combining
that
pr
with
that
quick
start
guide
that
I
put
up
there.
So
it
makes
it
very
easy
for
you
guys
to
to
test
this
out
and
see
how
it
works
for
you
we're
looking
into
sata
tester
support.
A
So
we're
looking
into
sata
tester
support
to
get
a
broader
range
of
platforms,
supported,
we're
looking
to
add
more
dns
names
to
certificates,
so
right
now
we're
just
adding
just
the
two,
the
name
of
the
pod
and
the
name
of
the
service
associated
with
the
pod.
We're
going
to
fill
that
in
with
a
full
set
of
dns
names
available,
and
the
last
thing
we'll
be
looking
into
is
updating
to
use
the
latest
set
of
spire
apis.
A
A
B
B
A
A
So,
if
you
saw
with
our
little
block
diagram,
we
had
rafana
prometheus
spire.
Obviously
the
reason
I'm
here
talking
today,
so
it's
very
very
much
using
a
lot
of
the
open
source
components
that
you
guys
are
familiar
with
you're,
also
trying
to
make
it
very
simple,
very
easy
to
deploy
very
easy
to
use.