
Installing cert-manager csi-driver-spiffe

Installation Steps

1. Install cert-manager

csi-driver-spiffe requires cert-manager to be installed but a default installation of cert-manager will not work.

⚠️ It is vital that the default approver is disabled in cert-manager ⚠️

If the default approver is not disabled, the csi-driver-spiffe approver will race with cert-manager's built-in approver, and policy enforcement will become useless.

helm repo add jetstack https://charts.jetstack.io --force-update
# NOTE: This isn't the usual cert-manager install process;
# we're disabling the cert-manager approver.
# See explanation above!
helm upgrade -i -n cert-manager cert-manager jetstack/cert-manager \
--set extraArgs={--controllers='*\,-certificaterequests-approver'} \
--set installCRDs=true \
--create-namespace

2. Configure an Issuer / ClusterIssuer

Install or configure a ClusterIssuer to give cert-manager the ability to sign against your Trust Domain.

If you want a namespace-scoped Issuer, then it must be created in every namespace that Pods will mount volumes from.

You must use an Issuer type which is compatible with signing URI SAN certificates; ACME issuers won't generally work, and the SelfSigned issuer is not appropriate.

An example demo ClusterIssuer can be found in the csi-driver-spiffe repo.

⚠️ This Trust Domain's root CA is generated by cert-manager and the private key is stored in the cluster. This might not be appropriate for production deployments!

We'll also use cmctl to approve the CertificateRequest, since the default approver was disabled above.

kubectl apply -f https://raw.githubusercontent.com/cert-manager/csi-driver-spiffe/ed646ccf28b1ecdf63f628bf16f1d350a9b850c1/deploy/example/clusterissuer.yaml
# We must also approve the CertificateRequest since we
# disabled the default approver
cmctl approve -n cert-manager \
$(kubectl get cr -n cert-manager -ojsonpath='{.items[0].metadata.name}')

3. Install csi-driver-spiffe

Install csi-driver-spiffe into the cluster using the issuer we configured. We must also tell the approver the kind, group and name of that issuer, so that it has permission to approve CertificateRequests which reference it.

Note that app.issuer.name, app.issuer.kind and app.issuer.group will need to be changed to match the issuer you're actually using!

helm upgrade -i -n cert-manager cert-manager-csi-driver-spiffe jetstack/cert-manager-csi-driver-spiffe --wait \
--set "app.logLevel=1" \
--set "app.trustDomain=my.trust.domain" \
--set "app.approver.signerName=clusterissuers.cert-manager.io/csi-driver-spiffe-ca" \
\
--set "app.issuer.name=csi-driver-spiffe-ca" \
--set "app.issuer.kind=ClusterIssuer" \
--set "app.issuer.group=cert-manager.io"
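Two checks worth running before and after the steps above, as an added example that is not part of the original docs or of the csi-driver-spiffe project: first, that the cert-manager controller really was started with the certificaterequests-approver controller disabled (the point of step 1), and second, that a CertificateRequest ended up Approved rather than Denied after `cmctl approve` (step 2). The argument list and condition list would normally come from `kubectl get ... -o jsonpath=...`; the strings below are constructed samples so the script runs offline, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the cert-manager docs): offline checks for the
# two places where a csi-driver-spiffe install silently loses its policy
# guarantees.
#
# Live input would be obtained with, for example:
#   kubectl get deploy -n cert-manager cert-manager \
#     -o jsonpath='{.spec.template.spec.containers[0].args[*]}'
#   kubectl get cr -n cert-manager <name> \
#     -o jsonpath='{range .status.conditions[*]}{.type}={.status}{" "}{end}'

# Never glob-expand the "*" that appears in --controllers=*,-foo
set -f

# approver_disabled ARGS
# ARGS is the space-separated controller argument list. Returns 0 when a
# --controllers=... flag lists "-certificaterequests-approver", 1 otherwise.
# Only the --controllers=VALUE form is handled, which is how the helm
# --set extraArgs=... value from step 1 reaches the container.
approver_disabled() {
    for arg in $1; do
        case "$arg" in
            --controllers=*)
                value=${arg#--controllers=}
                old_ifs=$IFS
                IFS=','
                for ctrl in $value; do
                    if [ "$ctrl" = "-certificaterequests-approver" ]; then
                        IFS=$old_ifs
                        return 0
                    fi
                done
                IFS=$old_ifs
                ;;
        esac
    done
    return 1
}

# cr_approved CONDITIONS
# CONDITIONS is a space-separated list of TYPE=STATUS pairs from a
# CertificateRequest's status.conditions. Returns 0 only when Approved=True
# is present and Denied=True is not.
cr_approved() {
    approved=1
    for cond in $1; do
        case "$cond" in
            Approved=True) approved=0 ;;
            Denied=True)   return 1 ;;
        esac
    done
    return $approved
}

# Constructed sample inputs (not captured from a real cluster).
SAFE_ARGS='--v=2 --cluster-resource-namespace=cert-manager --controllers=*,-certificaterequests-approver'
DEFAULT_ARGS='--v=2 --cluster-resource-namespace=cert-manager'
APPROVED_CR='Approved=True Ready=True'
PENDING_CR='Ready=False'
DENIED_CR='Denied=True Ready=False'

for sample in "$SAFE_ARGS" "$DEFAULT_ARGS"; do
    if approver_disabled "$sample"; then
        echo "OK: default approver disabled in: $sample"
    else
        echo "UNSAFE: default approver still enabled in: $sample" >&2
    fi
done

for sample in "$APPROVED_CR" "$PENDING_CR" "$DENIED_CR"; do
    if cr_approved "$sample"; then
        echo "CertificateRequest approved: $sample"
    else
        echo "CertificateRequest not approved: $sample"
    fi
done
```

Run it as-is to see the sample verdicts, or replace the two sample variables with the output of the `kubectl` commands in the header comments to check a live cluster; an "UNSAFE" line means the step 1 helm install did not take effect and csi-driver-spiffe's approver will be racing the built-in one.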

Usage

📖 Read the csi-driver-spiffe docs.