
Register Cluster with SPIRL Trust Domain Server

In order for SPIRL Agents running in the cluster to be able to connect to the Trust Domain server, you need to register the cluster with the Trust Domain server.

Projected Service Account Token (PSAT) attestation

To enable PSAT attestation, the Defakto cluster must be configured with the expected OIDC issuer URL for the Kubernetes cluster where the Agents will run. This OIDC endpoint must be reachable from the Trust Domain server.

For example, to retrieve the OIDC issuer URL from an AWS EKS cluster, use the following command:

OIDC_ISSUER_URL=$(aws eks describe-cluster --name <cluster-name> --query "cluster.identity.oidc.issuer" --output text)

This can then be used to register the cluster:

./spirlctl cluster register \
  example-workload-1 --trust-domain example.com \
  --platform k8s \
  --attestation-method k8s_psat \
  --attestation-k8s-psat-issuer-url $OIDC_ISSUER_URL

The cluster is given a name (here, example-workload-1), and $OIDC_ISSUER_URL is passed so that the Defakto signer can authenticate the Kubernetes-supplied JWT credentials presented by the Agents.
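Because the Trust Domain server matches the token's iss claim against the registered issuer URL as an exact string, a useful pre-registration check is to decode one of the cluster's projected tokens and compare. The following Python is an added example, not part of the SPIRL or Defakto tooling; it reads the payload without verifying the signature (signature verification is the Trust Domain server's job, using the keys published by the issuer), flags trailing-slash mismatches and expiry, and builds a constructed sample token so it runs offline.

```python
import base64
import json
import time


def b64url_decode(segment: str) -> bytes:
    """Decode a JWT segment; JWT segments drop base64 padding, so restore it."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def psat_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS (header.payload.signature).
    No signature check here: that is done server-side against the issuer's keys."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def check_psat_issuer(token: str, registered_issuer: str, now=None) -> list:
    """Compare a token against the issuer URL given to `spirlctl cluster register`.
    Returns a list of problems; an empty list means the token passes the issuer,
    expiry and projected-claim checks modelled here."""
    claims = psat_claims(token)
    problems = []
    iss = claims.get("iss")
    if iss != registered_issuer:  # OIDC issuer comparison is exact, no normalisation
        hint = ""
        if iss and iss.rstrip("/") == registered_issuer.rstrip("/"):
            hint = " (differs only by trailing slash)"
        problems.append(f"iss {iss!r} != registered issuer {registered_issuer!r}{hint}")
    now = time.time() if now is None else now
    if claims.get("exp") is None or claims["exp"] <= now:
        problems.append("token is expired or has no exp claim")
    # Projected tokens bind pod and service account under the kubernetes.io claim
    if not claims.get("kubernetes.io", {}).get("serviceaccount", {}).get("name"):
        problems.append("no kubernetes.io.serviceaccount claim: not a projected token?")
    return problems


def demo_token(iss: str, exp: int) -> str:
    """Constructed, unsigned token with the claim shape of a Kubernetes PSAT (demo only)."""
    header = {"alg": "none", "typ": "JWT"}
    claims = {"iss": iss, "aud": ["example-audience"], "exp": exp, "iat": exp - 600,
              "sub": "system:serviceaccount:example-ns:example-agent",
              "kubernetes.io": {"namespace": "example-ns", "pod": {"name": "example-agent-x1"},
                                "serviceaccount": {"name": "example-agent"}}}
    return ".".join(b64url_encode(json.dumps(p).encode()) for p in (header, claims)) + "."
```

On a real cluster, pass a token minted for the agent's service account and the same value you intend to give --attestation-k8s-psat-issuer-url; an empty result means the iss claim and the registered URL agree.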

Cluster Version Key (CVK) attestation

The Defakto agent can also authenticate using a key pair. The cluster is registered with the following command:

spirlctl cluster register workloads-cl-3 --trust-domain spirl.example.com --platform k8s

Here, workloads-cl-3 is the name of the cluster to register and spirl.example.com is the name of the trust domain. It will produce the following output:

Successfully registered cluster workloads-cl-3 to trust domain spirl.example.com
Cluster Version ID: cv-1r0yfu9yjy
Private Key:
-----BEGIN PRIVATE KEY-----
MC4CAQAwBQYDK2VwBCIEIMkReSwyvhVzOmfwzXzIF3vd4M+BWOZ9ppjj6EFWG8gl
-----END PRIVATE KEY-----

When using CVK authentication, you'll need to provide the Cluster Version ID and Private Key to the agent Helm chart when deploying the agent in the cluster. Keep the Private Key in a secure location.