This feature is in private preview and is not publicly available.
Install SPIRL Reflector in SPIRL System
Overview
Installation of the SPIRL Reflector requires only updating the SPIRL System Helm chart configuration, indicating that the Reflector is enabled. The Helm deployment will take care of redirecting Agents to the Reflector.
Prerequisites
- Existing SPIRL deployment with Trust Domain Server and Agents configured
- Compatible cluster with appropriate RBAC permissions for privileged workloads
- Helm 3.x installed and configured for SPIRL System management
Important: Running the Reflector requires a minimum version of 0.21.0 for the Trust Domain server (and corresponding Helm chart), and a minimum version of 0.18.0 for the SPIRL System (and corresponding Helm Chart).
Recommended
- Schedule the Reflector on high‑privilege compute nodes that are separate from regular workload nodes
High-level Procedure Overview
The SPIRL Reflector deployment and operation follows this high-level process:
- If you use dedicated nodes, identify compute nodes separate from the workload nodes to meet the security requirements
- Download the latest SPIRL System Helm chart
- Enable Reflector component in SPIRL System Helm values with appropriate security and resource settings
- Apply updated Helm chart to deploy Reflector
- Verify Reflector connectivity to TDS and successful credential caching
- Reflector automatically handles normal passthrough caching and resilient offline credential serving
- Track Reflector health, cache status, and TDS connectivity for operational awareness
Installation Steps
1. Download the latest version of the Helm chart
helm pull oci://ghcr.io/spirl/charts/spirl-system -d .
2. Update SPIRL System Helm Values
Add the Reflector configuration to your values.yaml:
reflector:
  enabled: true
3. Deploy the Updated Configuration
helm upgrade spirl-system ./spirl-system-0.21.0.tgz --values values.yaml --namespace spirl-system --wait --timeout=10m
4. Validate Installation
Check Reflector connectivity to TDS:
kubectl logs -n spirl-system deployment/spirl-reflector | grep -i "Bundle added or updated"
Verify Agents can connect to Reflector:
kubectl logs -n spirl-system daemonset/spirl-agent | grep -i "Received initial bundles"
Test credential issuance from a workload:
As in the Quick start section, you can verify that the SPIRL Workload API is working by deploying the SPIFFE Demo Application:
helm repo add spiffe-demo https://elinesterov.github.io/spiffe-demo-app
helm -n spiffe-demo install spiffe-demo spiffe-demo/spiffe-demo-app --create-namespace
Finally, open a tunnel to access the demo app from your browser:
kubectl -n spiffe-demo port-forward svc/spiffe-demo-service 8080:80
You can now access the app by visiting http://localhost:8080.
Feel free to experiment and view the certificates and JWT tokens being minted and served by SPIRL.
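The two log checks in step 4 are the signal that the Reflector is actually fronting the Agents rather than silently failing open. The script below is an added example, not part of the SPIRL documentation or the SPIRL System chart: it wraps both greps in functions that read log text from stdin, so the decision logic can be dry-run offline against constructed sample lines (the sample log lines are invented for this example and are not real SPIRL output) and then pointed at the cluster with `--live`, where it runs the same kubectl commands shown above. The namespace, deployment and daemonset names are the ones used on this page; everything else is an assumption of the example.

```shell
#!/bin/sh
# Added example (not SPIRL's own tooling): post-upgrade validation for the Reflector.
# Each check reads log text on stdin so it can be exercised offline; run_live_checks()
# feeds it the real kubectl output.

NAMESPACE="${NAMESPACE:-spirl-system}"

# Return 0 if the Reflector log shows it received the trust bundle from the TDS.
reflector_has_bundle() {
  grep -qi "Bundle added or updated"
}

# Return 0 if the Agent log shows it received its initial bundles (through the Reflector).
agent_received_bundles() {
  grep -qi "Received initial bundles"
}

# Evaluate both logs; print one line per check, return non-zero if any check failed.
evaluate_logs() {
  reflector_log="$1"
  agent_log="$2"
  rc=0
  if printf '%s\n' "$reflector_log" | reflector_has_bundle; then
    echo "OK   reflector: bundle received from TDS"
  else
    echo "FAIL reflector: no bundle update seen (check TDS connectivity and version >= 0.21.0)"
    rc=1
  fi
  if printf '%s\n' "$agent_log" | agent_received_bundles; then
    echo "OK   agent: initial bundles received"
  else
    echo "FAIL agent: no initial bundles (agents may still be pointed at the TDS, or the Reflector is unreachable)"
    rc=1
  fi
  return $rc
}

# Live mode: pull the logs from the cluster (same commands as the docs) and evaluate them.
run_live_checks() {
  evaluate_logs \
    "$(kubectl logs -n "$NAMESPACE" deployment/spirl-reflector)" \
    "$(kubectl logs -n "$NAMESPACE" daemonset/spirl-agent)"
}

# Constructed sample log lines for the offline dry run (not real SPIRL output).
SAMPLE_REFLECTOR_LOG='level=info msg="Bundle added or updated" trust_domain=example.org'
SAMPLE_AGENT_LOG='level=info msg="Received initial bundles" count=1'

if [ "${1:-}" = "--live" ]; then
  run_live_checks
else
  evaluate_logs "$SAMPLE_REFLECTOR_LOG" "$SAMPLE_AGENT_LOG"
fi
```

Run it with `--live` after `helm upgrade` completes; a non-zero exit from `evaluate_logs` is a reasonable gate before cutting any workload over, and the same functions can be reused in the rollback procedure to confirm direct TDS connectivity once the Reflector is disabled.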
Rollback Procedure
If you need to roll back to direct TDS connectivity:
- Update Helm values to disable Reflector
- Apply the configuration:
helm upgrade spirl-system ...
- Verify direct TDS connectivity is restored