Add systemd example #64
Conversation
Signed-off-by: Kevin Fox <Kevin.Fox@pnnl.gov>
Signed-off-by: Kevin Fox <Kevin.Fox@pnnl.gov>
Signed-off-by: Kevin Fox <Kevin.Fox@pnnl.gov>
Signed-off-by: Kevin Fox <Kevin.Fox@pnnl.gov>
Signed-off-by: Kevin Fox <Kevin.Fox@pnnl.gov>
Signed-off-by: Kevin Fox <Kevin.Fox@pnnl.gov>
Signed-off-by: Kevin Fox <Kevin.Fox@pnnl.gov>
| Enable the main server: | ||
|
|
||
| ``` | ||
| systemctl enable spire-server@main |
There was a problem hiding this comment.
Does the "@main" have any benefit here? I'd keep it simple and not have these parameterized
There was a problem hiding this comment.
Yeah. It lets you have multiple servers/agents. Either for nesting or redundancy. I do plan on using both.
|
|
||
| Enable the main agent: |
There was a problem hiding this comment.
We should also specify how to fetch the join token and how to pass it to the service.
| WorkloadAttestor "systemd" { | ||
| plugin_data {} | ||
| } |
There was a problem hiding this comment.
nit: could also use the unix attestore here.
There was a problem hiding this comment.
Yes, but I think systemd is a better plugin then unix as a default suggestion. Many different services run as root (ssh, apache, kubelet, etc). But each would probably want its own identity. The systemd attestor can tell them apart.
| # simple testing/evaluation purposes. | ||
| insecure_bootstrap = true | ||
|
|
||
| join_token = "cdf1885a-1db8-4a83-aa16-ad8c84761fa8" |
There was a problem hiding this comment.
This is not the best, but I imagine you want to wait for something like that dns/http pop attestor being available, right?
There was a problem hiding this comment.
yeah, that would be a better default once its available.
This is just an example config file really. Its expected an end user will need to update it to use it properly.
Co-authored-by: Sorin Dumitru <sorin@returnze.ro> Signed-off-by: Kevin Fox <Kevin.Fox@pnnl.gov>
Signed-off-by: Kevin Fox <Kevin.Fox@pnnl.gov>
Signed-off-by: Kevin Fox <Kevin.Fox@pnnl.gov>
There was a problem hiding this comment.
Thank you @kfox1111 for this contribution, it looks great!
Can we update the README.md file in the root folder to include a link with this example along with a short description as we have for the other examples?
| @@ -0,0 +1,46 @@ | |||
| To install, download the newest spire-server and spire-agent binaries from the SPIRE website and place in /bin | |||
There was a problem hiding this comment.
I think that it would be nice to have a title for this document.
Signed-off-by: Kevin Fox <Kevin.Fox@pnnl.gov>
|
Is the test failure related? |
No, the failure is in the Envoy example. |
No description provided.