Quickstart nits (#133)
* fixing tutorial

Signed-off-by: Maia Iyer <[email protected]>

* adding example deployment file

Signed-off-by: Maia Iyer <[email protected]>

* format markdown

Signed-off-by: Maia Iyer <[email protected]>

* additional formatting

Signed-off-by: Maia Iyer <[email protected]>

* bolding lines

Signed-off-by: Maia Iyer <[email protected]>

* fix wording

Signed-off-by: Maia Iyer <[email protected]>

* bolded heading

Signed-off-by: Maia Iyer <[email protected]>

---------

Signed-off-by: Maia Iyer <[email protected]>
maia-iyer authored Mar 10, 2023
1 parent 6626be8 commit 6eb59e1
Showing 4 changed files with 118 additions and 16 deletions.
4 changes: 2 additions & 2 deletions USAGE.md
Expand Up @@ -5,8 +5,8 @@ We publish four container images currently:
- [Tornjak Manager](https://github.com/spiffe/tornjak/pkgs/container/tornjak-manager): A container that runs this image exposes a port to register multiple Tornjak backends and forward typical commands to multiple Tornjak backends from one API.
- [Tornjak Frontend](https://github.com/spiffe/tornjak/pkgs/container/tornjak-fe): This image is typically deployed after the Tornjak Backend or Manager are deployed, as it requires a URL to connect directly to the Tornjak backend API.
- [Tornjak](https://github.com/spiffe/tornjak/pkgs/container/tornjak): This image containing both Tornjak Backend and Frontend components can deployed as a sidecar alongside a SPIRE Server container
NOTE: Previously, we had images placing the Tornjak backend and SPIRE server in the same container, but these were recently deprecated. Images other than those above are NOT currently supported.

NOTE: Previously, we had images placing the Tornjak backend and SPIRE server in the same container, but these are currently deprecated. The above is a comprehensive list of images

## Tornjak Backend
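Review bot: the replacement NOTE line drops the terminal period and, with it, the explicit statement that images outside the list are unsupported; suggest `... but these are currently deprecated. The above is a comprehensive list of supported images.` While this file is open, the unchanged Tornjak bullet above reads `can deployed` and is missing `be`.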

36 changes: 23 additions & 13 deletions docs/tornjak-quickstart.md
Expand Up @@ -37,7 +37,7 @@ minikube Ready master 79s v1.18.3
Next, we will follow the steps from the [SPIRE quickstart for Kubernetes](https://spiffe.io/docs/latest/try/getting-started-k8s/), for the most accurate information, follow the instructions from the page to get your SPIRE deployment set up. Follow through with the tutorial till you get to the end, but do not tear down the components! The output would look like the following:

```
➜ ~ git clone git@github.com:spiffe/spire-tutorials.git
➜ ~ git clone https://github.com/spiffe/spire-tutorials.git
Cloning into 'spire-tutorials'...
remote: Enumerating objects: 65, done.
remote: Counting objects: 100% (65/65), done.
Expand Down Expand Up @@ -127,8 +127,7 @@ Selector : k8s:sa:default
deployment.apps/client created
➜ quickstart git:(master) kubectl exec -it $(kubectl get pods -o=jsonpath='{.items[0].metadata.name}' \
-l app=client) -- /bin/sh
/opt/spire # /opt/spire/bin/spire-agent api fetch -socketPath /run/spire/sockets/agent.sock
-l app=client) -- /opt/spire/bin/spire-agent api fetch -socketPath /run/spire/sockets/agent.sock
Received 1 svid after 8.8537ms
SPIFFE ID: spiffe://example.org/ns/default/sa/default
Expand Down Expand Up @@ -182,7 +181,7 @@ Currently, we support two sidecar architectures:
2. The frontend and backend run in the same container that exposes two separate ports (one frontend and one backend). This is experimental and not ready for production, but is useful for getting started with Tornjak with minimal deployment steps.


<details><summary>[Click] For the Tornjak-backend wrapped with the SPIRE server. (WARNING: CURRENTLY UNSUPPORTED)</summary>
<details><summary> <b> [Click] For the Tornjak-backend wrapped with the SPIRE server. (WARNING: CURRENTLY DEPRECATED) </b></summary>

The statefulset will look something like this, where we have commented leading with a 👈 on the changed or new lines:
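Review bot: the three `<summary>` edits in this commit put whitespace around `<b>` differently (`<summary> <b> [Click] ... </b></summary>` here, `<summary><b> [Click] ... </b></summary>` and `<summary><b>[Click] ... </b></summary>` in the two hunks below); pick one form, e.g. `<summary><b>[Click] For the Tornjak-backend wrapped with the SPIRE server. (WARNING: CURRENTLY DEPRECATED)</b></summary>`, since the leading space inside `<b>` renders as visible padding and the inconsistency will otherwise be copied into future sections.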

Expand Down Expand Up @@ -273,13 +272,25 @@ This is all done specifically to pass the Tornjak config file as an argument to

</details>

<details><summary>[Click] For the Tornjak-backend sidecar implementation</summary>
<details><summary><b> [Click] For the Tornjak-backend sidecar implementation </b></summary>

There is an additional requirement to mount the SPIRE server socket and make it accessible to the Tornjak backend container.

The statefulset will look something like this, where we have commented leading with a 👈 on the changed or new lines:

```
➜ quickstart git:(master) wget -O server-statefulset.yaml https://raw.githubusercontent.com/spiffe/tornjak/main/examples/deployment_sidecar.yaml
--2023-03-08 12:18:01-- https://raw.githubusercontent.com/spiffe/tornjak/main/examples/deployment_sidecar.yaml
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.108.133, 185.199.109.133, 185.199.110.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.108.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 641 [text/plain]
Saving to: 'server-statefulset.yaml'
server-statefulset.yaml 100%[==========================================================>] 641 --.-KB/s in 0s
2023-03-08 12:18:01 (27.8 MB/s) - 'server-statefulset.yaml' saved [641/641]
➜ quickstart git:(master) cat server-statefulset.yaml
apiVersion: apps/v1
kind: StatefulSet
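Review bot: the pasted wget transcript reports `Length: 641` and `saved [641/641]`, but `examples/deployment_sidecar.yaml` as added in this commit is 92 lines with many lines well over 30 characters, so the capture is from an earlier, smaller version of the file; re-run the command and paste the real output, or trim the transcript to the command and the `saved` line. Also, the URL fetches the manifest from the `main` branch, so a reader following this tutorial later will get whatever the file looks like then rather than the listing that follows; pin the URL to a release tag or to this commit's SHA so the fetched file and the annotated listing stay in step.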
Expand Down Expand Up @@ -332,13 +343,12 @@ spec:
port: 8080
initialDelaySeconds: 5
periodSeconds: 5
### 👈 BEGIN ADDITIONAL CONTAINER ###
- name: tornjak-backend
- name: tornjak-backend ### 👈 BEGIN ADDITIONAL CONTAINER ###
image: ghcr.io/spiffe/tornjak-be:latest
args:
- -config
- --config
- /run/spire/config/server.conf
- -tornjak-config
- --tornjak-config
- /run/spire/tornjak-config/server.conf
ports:
- containerPort: 8081
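Review bot: the tornjak-backend container declares `containerPort: 8081`, the same port the spire-server container in `examples/deployment_sidecar.yaml` declares; since all containers in a pod share one network namespace, this is either misleading (the backend actually listens on another port) or a genuine bind conflict, so declare the port the Tornjak backend really serves on. The change to double-dash `--config` / `--tornjak-config` matches the `--config,-c` / `--tornjak-config,-t` forms in `run_backend.sh` in this same commit; the spire-server container above correctly keeps single-dash `-config`, which is what `spire-server run` accepts, and should not be changed to match.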
Expand All @@ -353,8 +363,7 @@ spec:
mountPath: /run/spire/data
readOnly: false
- name: socket
mountPath: /tmp/spire-server/private
### 👈 END ADDITIONAL CONTAINER ###
mountPath: /tmp/spire-server/private ### 👈 END ADDITIONAL CONTAINER ###
volumes:
- name: spire-config
configMap:
Expand Down Expand Up @@ -386,7 +395,7 @@ This is all done specifically to pass the Tornjak config file as an argument to

</details>

<details><summary>[Click] For the Tornjak-backend + frontend sidecar implementation (EXPERIMENTAL)</summary>
<details><summary><b>[Click] For the Tornjak-backend + frontend sidecar implementation (EXPERIMENTAL)</b></summary>

This has the same architecture as deploying with just a Tornjak backend, but with an additional Tornjak frontend process deployed in the same container. This will expose two ports: one for the frontend and one for the backend.

Expand Down Expand Up @@ -531,7 +540,8 @@ We will then wait and verify that the `spire-server-0` pod is now started with t

```
➜ quickstart git:(master) ✗ kubectl -n spire describe pod spire-server-0 | grep "Image:"
Image: ghcr.io/spiffe/tornjak-be-spire-server:1.x.x
Image: ghcr.io/spiffe/spire-server:1.4.4
Image: ghcr.io/spiffe/tornjak-be:latest
```

## Connecting to the Tornjak agent
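Review bot: the expected output now shows two `Image:` lines, but `grep "Image:"` gives no container names, so the text should say which line belongs to which container (spire-server first, then the tornjak-backend sidecar). A form that prints both names and images, for example `kubectl -n spire get pod spire-server-0 -o jsonpath='{range .spec.containers[*]}{.name}{"\t"}{.image}{"\n"}{end}'`, would make the verification step unambiguous.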
92 changes: 92 additions & 0 deletions examples/deployment_sidecar.yaml
@@ -0,0 +1,92 @@
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: spire-server
namespace: spire
labels:
app: spire-server
spec:
replicas: 1
selector:
matchLabels:
app: spire-server
serviceName: spire-server
template:
metadata:
namespace: spire
labels:
app: spire-server
spec:
serviceAccountName: spire-server
containers:
- name: spire-server
image: ghcr.io/spiffe/spire-server:1.4.4
args:
- -config
- /run/spire/config/server.conf
ports:
- containerPort: 8081
volumeMounts:
- name: spire-config
mountPath: /run/spire/config
readOnly: true
- name: spire-data
mountPath: /run/spire/data
readOnly: false
- name: socket # 👈 ADDITIONAL VOLUME
mountPath: /tmp/spire-server/private # 👈 ADDITIONAL VOLUME
livenessProbe:
httpGet:
path: /live
port: 8080
failureThreshold: 2
initialDelaySeconds: 15
periodSeconds: 60
timeoutSeconds: 3
readinessProbe:
httpGet:
path: /ready
port: 8080
initialDelaySeconds: 5
periodSeconds: 5
- name: tornjak-backend ### 👈 BEGIN ADDITIONAL CONTAINER ###
image: ghcr.io/spiffe/tornjak-be:latest
args:
- --config
- /run/spire/config/server.conf
- --tornjak-config
- /run/spire/tornjak-config/server.conf
ports:
- containerPort: 8081
volumeMounts:
- name: spire-config
mountPath: /run/spire/config
readOnly: true
- name: tornjak-config
mountPath: /run/spire/tornjak-config
readOnly: true
- name: spire-data
mountPath: /run/spire/data
readOnly: false
- name: socket
mountPath: /tmp/spire-server/private ### 👈 END ADDITIONAL CONTAINER ###
volumes:
- name: spire-config
configMap:
name: spire-server
- name: tornjak-config # 👈 ADDITIONAL VOLUME
configMap: # 👈 ADDITIONAL VOLUME
name: tornjak-agent # 👈 ADDITIONAL VOLUME
- name: socket # 👈 ADDITIONAL VOLUME
emptyDir: {} # 👈 ADDITIONAL VOLUME
volumeClaimTemplates:
- metadata:
name: spire-data
namespace: spire
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
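Review bot: the tornjak-backend container mounts `spire-data` with `readOnly: false`, which gives the Tornjak process write access to the SPIRE server's datastore and key material directory; if the backend only needs the server socket (the `socket` emptyDir) and the two config maps, drop that mount, and if it needs a writable path for its own datastore, give it a separate volume rather than sharing the server's data directory. Also, `ghcr.io/spiffe/tornjak-be:latest` is a floating tag beside a pinned `spire-server:1.4.4`; pin the backend image so the tutorial's `describe pod | grep "Image:"` check is reproducible and so a registry-side change to `latest` cannot silently alter what the sidecar runs.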

2 changes: 1 addition & 1 deletion run_backend.sh
Expand Up @@ -3,7 +3,7 @@ echo "${@}"

usage() {
cat << EOF >&2
Usage: run_server [-c <file>] [-t <file>]
Usage: run_server [-c <filename>] [-t <filename>]
--config,-c <file>: SPIRE Config File
--tornjak-config,-t <file>: Tornjak Config File
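Review bot: the Usage line now says `<filename>` while the two option descriptions directly below it still say `<file>`; use the same placeholder on all three lines.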
