
Integrating SPIRL on Debian or Ubuntu

The SPIRL Agent can be deployed on Debian or Ubuntu systems to issue SPIFFE IDs to workloads running on a bare metal node.

To deploy the SPIRL Agent you will need SSH access to the node where you want to deploy the agent. If you do not have SSH access you must have the ability to do the following on the node:

  • Write files to disk
  • Download a file from a URL
  • Install a Debian package

You should also have systemd running on the node.

Adding a SPIRL Node Group

The first step is to create a node group for an existing trust domain. For example, using the SPIRL CLI:

$ spirlctl node-group add my-node-group --trust-domain example.com
Successfully added node group "my-node-group" to trust domain "example.com"
Node Config ID: cv-x15kldfclk

Agent configuration file written to: my-node-group.cv-x15kldfclk.agent-config.yaml
Agent node-group version key written to: my-node-group.cv-x15kldfclk.key.pem

Customizing the SPIFFE ID for Node Groups

By default, the node group's SPIFFE IDs use the path template /{{node_group.name}}/{{linux.user.name}}, where the first part is replaced with the node group name and the second part with the Linux user name.

To customize the SPIFFE ID, you can specify a path template when you create the node group. For example, using the SPIRL CLI:

$ spirlctl node-group add my-node-group --trust-domain example.com --path-template /{{node_group.name}}/{{linux.user.id}}

The SPIFFE ID for the node group will now have the Linux user ID instead of the user name.

The following Linux attributes can be specified for a custom path template:

| Linux Attribute | Path Template Variable |
|---|---|
| User Name | linux.user.name |
| User ID | linux.user.id |
| Group Name | linux.group.name |
| Group ID | linux.group.id |
| Supplementary Group Name | linux.supplementary_group.name |
| Supplementary Group ID | linux.supplementary_group.id |
| Binary Path | linux.binary.path |
| Binary SHA256 | linux.binary.sha256 |

Installing SPIRL Agent on a Node

When a node group is added, two files are written to disk. These should be copied to the nodes at the following paths:

| File Name | Description | Expected Path |
|---|---|---|
| my-node-group.cv-x15kldfclk.agent-config.yaml | The configuration file for the agent | /etc/spirl/agent-config.yaml |
| my-node-group.cv-x15kldfclk.key.pem | The private key for spirl-agent to authenticate to the SPIRL server | /etc/spirl/my-node-group.cv-x15kldfclk.key.pem |

Next, download the spirl-agent Debian package for your architecture:

# AMD64
$ curl -o spirl-agent.deb https://spirl-releases.s3.us-west-2.amazonaws.com/spirl-agent/0.12.2/spirl-agent-0.12.2-linux-amd64.deb

# ARM64
$ curl -o spirl-agent.deb https://spirl-releases.s3.us-west-2.amazonaws.com/spirl-agent/0.12.2/spirl-agent-0.12.2-linux-arm64.deb

Install the Debian package:

$ sudo dpkg -i spirl-agent.deb

Ensure the spirl-agent service is running with systemd:

$ systemctl status spirl-agent.service
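
For the file-copy step of this procedure, the following is an added example (not part of the original page and not SPIRL's own tooling) that stages the two generated files at the expected paths and keeps the private key unreadable to other users. The function names `stage_spirl_files` and `key_is_private`, the file modes, and the assumption that the agent reads the key as the file's owner are choices made for this example.

```shell
#!/bin/sh
# Added example, not SPIRL tooling. Stages the two files written by
# `spirlctl node-group add` at the paths listed in the table above.
# Assumptions: the agent reads the key as the file owner (root when this is
# run via sudo), and the config file is not treated as a secret.

# stage_spirl_files CONFIG_SRC KEY_SRC [DEST_DIR]
stage_spirl_files() {
    config_src=$1
    key_src=$2
    dest=${3:-/etc/spirl}

    # Refuse anything that is not a PEM private key, so swapped arguments
    # cannot publish the key under the world-readable config name.
    if ! grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$key_src"; then
        echo "error: $key_src is not a PEM private key" >&2
        return 1
    fi

    install -d -m 0755 "$dest" || return 1
    # The config gets a fixed name; the key keeps its generated file name.
    install -m 0644 "$config_src" "$dest/agent-config.yaml" || return 1
    install -m 0600 "$key_src" "$dest/$(basename "$key_src")" || return 1
}

# key_is_private KEY_PATH
# Succeeds only when group and other have no access to the key file.
key_is_private() {
    mode=$(stat -c '%a' "$1") || return 1   # GNU stat, as on Debian/Ubuntu
    case $mode in
        *00) return 0 ;;
        *)   echo "warning: $1 has mode $mode, expected 600" >&2
             return 1 ;;
    esac
}
```

On a node this would be run with root privileges, for example from a root shell that has sourced the file, followed by `key_is_private` on the installed key path before starting the service.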