
Deploy SPIRL Trust Domain Servers

You'll use the SPIRL Trust Domain Servers Helm chart to deploy SPIRL Trust Domain Servers in your Kubernetes cluster.

Here is an example of the Helm chart values file. Adjust it to your needs. Note that this file carries private key material in plain text (the trust domain key under auth.key.pem and the Venafi service account key under venafi.firefly.svcAccKeyPem), so treat the finished file as a secret and keep it out of version control.

# SPIRL Trust Domain Server settings
# Adjust the number of replicas as needed
replicaCount: 4

# The trust domain and its ID come from the "spirlctl trust-domain register" command.
# You can always find them again using "spirlctl trust-domain list".
trustDomain: "spirl.example.com"
trustDomainID: "td-e9g52x30vs"

# "deploymentName" corresponds to the value passed to "--deployment-name"
# during key creation in the previous step.
deploymentName: "us-west-2"
# The trust domain deployment ID is generated when creating the private key
# in the previous step.
trustDomainDeploymentID: "tdd-qzd47v0pj6"

auth:
  key:
    # Trust Domain Key ID from the "spirlctl trust-domain register" command output
    id: "tdk-0psu94i0bf"
    # Private key from the "spirlctl trust-domain key create" command output
    pem: |
      -----BEGIN PRIVATE KEY-----
      your private key from the trust domain key creation step
      -----END PRIVATE KEY-----

ingress:
  enabled: false

# Venafi integration settings
venafi:
  firefly:
    # Set values from your Venafi account
    clientID: 69d68ca3-9498-11ee-b560-6abasd6fd152
    policyName: SPIRL-venafi-demo
    image: registry.venafi.cloud/public/venafi-images/firefly:v1.4.2
    # This is your Venafi root CA, which needs to be provided separately
    # because it is not distributed by Firefly.
    trustAnchorPem: |
      -----BEGIN CERTIFICATE-----
      your root CA certificate here
      -----END CERTIFICATE-----
    # Set your Venafi service account private key.
    svcAccKeyPem: |
      -----BEGIN PRIVATE KEY-----
      your private key from the Venafi Firefly service account
      -----END PRIVATE KEY-----

# Istio ingress settings
gateway:
  enabled: true
  # Name of a secret which contains the TLS certificate and key for the gateway
  tlsCredentialName: tls-secret-wildcard
  selector:
    istio: aks-istio-ingressgateway-external

virtualService:
  enabled: true

Deploy SPIRL Trust Domain Servers

You can deploy SPIRL Trust Domain Servers using the following command. Note that:

  1. The --namespace value must contain the trustDomainDeploymentID defined in values.yaml.
  2. The Helm RELEASE argument must equal the trustDomainDeploymentID defined in values.yaml.
helm upgrade --install --namespace tdd-qzd47v0pj6-example \
--create-namespace \
--values ./values.yaml \
tdd-qzd47v0pj6 ./td-server-0.9.1.tgz

The command should produce output similar to the following:

Release "tdd-qzd47v0pj6" does not exist. Installing it now.
NAME: tdd-qzd47v0pj6
LAST DEPLOYED: Tue Dec 19 08:28:26 2023
NAMESPACE: tdd-qzd47v0pj6-example
STATUS: deployed
REVISION: 1
TEST SUITE: None
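The two naming rules above are easy to get wrong when the deployment ID is copied between the values file and the helm command, and a values file that still holds the PEM placeholders will deploy servers with no usable key. The pre-flight script below is an added example, not part of the SPIRL chart or the spirlctl tooling: it reads trustDomainDeploymentID from the values file, checks the namespace and release name against it, refuses to proceed while placeholder key text is present, and only then runs the helm command from this page. The function names (values_get, check_release_layout, check_no_placeholder_keys, deploy_td_servers), the temporary file paths and the sample values files it writes are all constructed for illustration.

```shell
#!/bin/sh
# Pre-flight checks for "helm upgrade --install" of the SPIRL Trust Domain Servers chart.
# Added example; the helper names and sample files here are assumptions, not SPIRL tooling.

# Print the value of a top-level scalar key from a values file (quotes and trailing
# comments stripped). Only un-indented keys are matched, so nested keys are ignored.
values_get() {
    # $1 = values file, $2 = key name
    sed -n "s/^$2:[[:space:]]*\"\{0,1\}\([^\"#]*\)\"\{0,1\}.*/\1/p" "$1" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

# Return 0 when the namespace contains trustDomainDeploymentID and the release
# name equals it (the two rules stated on this page), 1 otherwise.
check_release_layout() {
    # $1 = values file, $2 = namespace, $3 = Helm release name
    tdd=$(values_get "$1" trustDomainDeploymentID)
    [ -n "$tdd" ] || { echo "trustDomainDeploymentID missing from $1" >&2; return 1; }
    case "$2" in
        *"$tdd"*) ;;
        *) echo "namespace '$2' does not contain '$tdd'" >&2; return 1 ;;
    esac
    [ "$3" = "$tdd" ] || { echo "release '$3' must equal '$tdd'" >&2; return 1; }
    return 0
}

# Return 0 when no PEM block still contains the placeholder text from the sample values file.
check_no_placeholder_keys() {
    ! grep -Eq 'your (private key|root CA certificate)' "$1"
}

# Run the checks, then the helm command from this page. Not invoked below; call it yourself.
deploy_td_servers() {
    # $1 = values file, $2 = namespace, $3 = release name, $4 = chart archive
    check_release_layout "$1" "$2" "$3" || return 1
    check_no_placeholder_keys "$1" || { echo "placeholder key material still in $1" >&2; return 1; }
    helm upgrade --install --namespace "$2" --create-namespace --values "$1" "$3" "$4"
}

# Constructed sample values files (IDs taken from this page; key material omitted).
DEMO_DIR=$(mktemp -d)
GOOD_VALUES="$DEMO_DIR/values.yaml"
BAD_VALUES="$DEMO_DIR/values-placeholder.yaml"
cat > "$GOOD_VALUES" <<'EOF'
# constructed sample values file
replicaCount: 4
trustDomain: "spirl.example.com"
trustDomainID: "td-e9g52x30vs"
deploymentName: "us-west-2"
trustDomainDeploymentID: "tdd-qzd47v0pj6"
auth:
  key:
    id: "tdk-0psu94i0bf"
    pem: |
      -----BEGIN PRIVATE KEY-----
      (key material omitted from this constructed sample)
      -----END PRIVATE KEY-----
EOF
# Same file, but with the page's placeholder text left in the PEM block.
sed 's/(key material omitted.*)/your private key here/' "$GOOD_VALUES" > "$BAD_VALUES"

if check_release_layout "$GOOD_VALUES" tdd-qzd47v0pj6-example tdd-qzd47v0pj6 \
   && check_no_placeholder_keys "$GOOD_VALUES"; then
    echo "pre-flight OK for $GOOD_VALUES"
fi
check_no_placeholder_keys "$BAD_VALUES" || echo "pre-flight rejected $BAD_VALUES (placeholder key material)"
```

Once the checks pass, `deploy_td_servers ./values.yaml tdd-qzd47v0pj6-example tdd-qzd47v0pj6 ./td-server-0.9.1.tgz` runs exactly the helm command shown above. The key-value extraction is deliberately limited to top-level keys so that a nested `id:` under auth.key cannot be mistaken for the deployment ID.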