
Deploy SPIRL Agent to the Cluster

We'll deploy the SPIRL Agent to the cluster using the Helm chart. You'll need to provide the following values to the Helm chart:

  • Endpoint - the address and port of the SPIRL Trust Domain Server you deployed in the previous steps. e.g. td-server.spirl.test:443
  • ClusterVersionID - the Cluster Version ID you recorded after registering the cluster with the SPIRL Trust Domain Server. e.g. cv-1r0yfu9yjy
  • PrivateKey - the Private Key you recorded after registering the cluster with the SPIRL Trust Domain Server. In the sample values file below it is set under the ClusterVersionKey key.

Here is a sample values file:

AgentImage: "ghcr.io/lrips/agent:v0.8.0"
ControllerImage: "ghcr.io/lrips/controller:v0.3.0"
Endpoint: "40-80-152-131.nip.io:443"
ClusterVersionID: "cv-0qufbq5bko"
ClusterVersionKey: |
  -----BEGIN PRIVATE KEY-----
  your private key from cluster registration here
  -----END PRIVATE KEY-----
# Additional root CAs to verify the trust domain server certificate against.
#EndpointSupplementalRootsPEM: |
# -----BEGIN CERTIFICATE-----
# your root CA certificate here
# -----END CERTIFICATE-----

platform: "istio"
#UseLegacyEnvoyValidation: false
#SupplementalRootsFilePath: ""

You can deploy the SPIRL Agent to the cluster using the following command:

helm upgrade --install --namespace spirl-system \
--create-namespace \
--values ./values.yaml \
spirl-system ./spirl-0.2.0.tgz

You should see the following output:

Release "spirl-system" does not exist. Installing it now.
NAME: spirl-system
LAST DEPLOYED: Tue Dec 19 14:02:09 2023
NAMESPACE: spirl-system
STATUS: deployed
REVISION: 1
TEST SUITE: None

Verify SPIRL Agent Deployment

Check your target namespace for the SPIRL Agent pods and verify that they are running. You can also check the logs of the SPIRL Agent pods to verify that they are connected to the SPIRL Trust Domain Server.

kubectl -n spirl-system logs spirl-agent-lhzl7

For successful deployment you should see the following log message:

{"level":"info","ts":1703024269.4806662,"logger":"bundleRefresher","msg":"Bundle added or updated","trustDomain":"spirl.test"}

The trustDomain key contains the name of your trust domain.
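The log check described above can be scripted. The following is an added example, not part of the SPIRL documentation or tooling: it parses agent log lines as JSON rather than matching substrings, skips non-JSON lines, and confirms that a bundle update was logged for the trust domain you expect. The script name check_agent_log.py and the sample lines other than the one shown on this page are assumptions made for the example.

```python
import json
import sys

# Constructed sample input: the last line is the log message shown on this
# page; the first two lines are invented for the example.
SAMPLE_LOG = """\
{"level":"info","ts":1703024268.1,"logger":"agent","msg":"starting"}
plain-text line that is not JSON
{"level":"info","ts":1703024269.4806662,"logger":"bundleRefresher","msg":"Bundle added or updated","trustDomain":"spirl.test"}
"""

def bundle_trust_domains(lines):
    """Return trust domains named in 'Bundle added or updated' entries."""
    seen = []
    for raw in lines:
        raw = raw.strip()
        if not raw.startswith("{"):
            continue  # skip anything that is not a JSON object
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue  # truncated or malformed line
        if (entry.get("logger") == "bundleRefresher"
                and entry.get("msg") == "Bundle added or updated"):
            td = entry.get("trustDomain")
            if isinstance(td, str) and td not in seen:
                seen.append(td)
    return seen

def check_agent(lines, expected_trust_domain):
    """Return (ok, reason) for one agent pod's log output."""
    domains = bundle_trust_domains(lines)
    if not domains:
        return False, "no 'Bundle added or updated' entry found"
    if expected_trust_domain not in domains:
        return False, f"bundle logged for {domains}, expected {expected_trust_domain}"
    return True, f"bundle received for {expected_trust_domain}"

if __name__ == "__main__":
    # kubectl -n spirl-system logs <agent-pod> | python3 check_agent_log.py <trust-domain>
    if len(sys.argv) > 1:
        ok, reason = check_agent(sys.stdin, sys.argv[1])
    else:
        ok, reason = check_agent(SAMPLE_LOG.splitlines(), "spirl.test")
    print(reason)
    sys.exit(0 if ok else 1)
```

The non-zero exit status on failure lets the check gate a deployment pipeline step.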

Disable TLS for SPIRL Agent and SPIRL Trust Domain Server Communication

By default, the SPIRL Agent and the SPIRL Trust Domain Server communicate over TLS. In some scenarios (e.g. lab environments) you may want to disable TLS for this communication. To do so, edit the spirl-agent daemonset and add the SPIRL_ENDPOINT_ENABLE_TLS environment variable with the value "false".