Private Preview

This feature is in private preview and is not publicly available.

Install SPIRL Reflector

Overview

Installation of the SPIRL Reflector requires only updating the Agent Helm chart configuration, indicating that the Reflector is enabled. The Helm deployment will take care of redirecting Agents to the Reflector.

Prerequisites

  1. Existing Defakto deployment with Trust Domain Server and Agents configured
  2. Compatible cluster with appropriate RBAC permissions for privileged workloads
  3. Helm 3.x installed and configured for SPIRL System management

Important: Running the Reflector requires a minimum version of 0.21.0 for the Trust Domain Server (and the corresponding Helm chart), and a minimum version of 0.18.0 for the Agent (and the corresponding Helm chart).

Security recommendation: Schedule the Reflector on high-privilege compute nodes that are separate from regular workload nodes.

High-level Procedure Overview

The SPIRL Reflector deployment and operation follows this high-level process:

  1. If using dedicated nodes, identify compute nodes that are separate from workload nodes to meet security requirements
  2. Download the latest SPIRL System Helm chart
  3. Enable the Reflector component in the SPIRL System Helm values with appropriate security and resource settings
  4. Apply the updated Helm chart to deploy the Reflector
  5. Verify Reflector connectivity to the Trust Domain Server and successful credential caching
  6. The Reflector then automatically handles passthrough caching during normal operation and serves cached credentials when the Trust Domain Server is unreachable
  7. Track Reflector health, cache status, and Trust Domain Server connectivity for operational awareness

Installation Steps

1. Download the latest version of the Helm chart

helm pull oci://ghcr.io/spirl/charts/spirl-system -d .

2. Update SPIRL System Helm Values

Add the Reflector configuration to your values.yaml:

reflector:
  enabled: true

3. Deploy the Updated Configuration

helm upgrade spirl-system ./spirl-system-0.36.0.tgz --values values.yaml --namespace spirl-system --wait --timeout=10m

4. Validate Installation

Check Reflector connectivity to Trust Domain Server:

kubectl logs -n spirl-system deployment/spirl-reflector | grep -i "Bundle added or updated"

Verify Agents can connect to Reflector:

kubectl logs -n spirl-system daemonset/spirl-agent | grep -i "Received initial bundles"
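The two log checks above can be turned into a gate for an automated upgrade. The following is an added example, not part of the SPIRL documentation: a POSIX sh script that looks for the two success indicators and fails if either is missing. Log text is passed as arguments so the checks can be exercised on constructed sample lines; live_check() wires in the kubectl commands from this page, and SPIRL_NAMESPACE is an assumed environment variable defaulting to the namespace used here.

```shell
# Added example (not SPIRL's own tooling): gate a Reflector rollout on the
# log indicators the validation step greps for.
NS="${SPIRL_NAMESPACE:-spirl-system}"   # assumed override; docs use spirl-system

# 0 if the Reflector log shows a trust bundle received from the Trust Domain Server.
reflector_has_bundle() {
  printf '%s\n' "$1" | grep -qi "Bundle added or updated"
}

# 0 if the Agent log shows the Agent received its initial bundles (via the Reflector).
agent_received_bundles() {
  printf '%s\n' "$1" | grep -qi "Received initial bundles"
}

# Number of bundle update events seen; a healthy Reflector shows at least one.
bundle_update_count() {
  printf '%s\n' "$1" | grep -ci "Bundle added or updated"
}

# Combined gate: one status line per check, returns 0 only if both passed.
validate_reflector() {
  reflector_log="$1"; agent_log="$2"; rc=0
  if reflector_has_bundle "$reflector_log"; then
    echo "OK   reflector: trust bundle received ($(bundle_update_count "$reflector_log") update(s))"
  else
    echo "FAIL reflector: no 'Bundle added or updated' in log"; rc=1
  fi
  if agent_received_bundles "$agent_log"; then
    echo "OK   agent: received initial bundles"
  else
    echo "FAIL agent: no 'Received initial bundles' in log"; rc=1
  fi
  return $rc
}

# Live check against the cluster, using the kubectl commands from the docs.
live_check() {
  validate_reflector \
    "$(kubectl logs -n "$NS" deployment/spirl-reflector 2>/dev/null)" \
    "$(kubectl logs -n "$NS" daemonset/spirl-agent 2>/dev/null)"
}

# Constructed sample log lines (not real SPIRL output) so the gate runs offline.
SAMPLE_REFLECTOR_LOG='level=info msg="Bundle added or updated" trust_domain=example.org'
SAMPLE_AGENT_LOG='level=info msg="Received initial bundles"'

validate_reflector "$SAMPLE_REFLECTOR_LOG" "$SAMPLE_AGENT_LOG"
```

Replace the final call with live_check to run it against a real cluster; a non-zero exit status is what a pipeline step should fail on.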

Test credential issuance from a workload:

As in the Quick start section, you can verify that the Workload API is working by deploying the SPIFFE Demo Application:

helm repo add spiffe-demo-repo https://spirl.github.io/spiffe-demo-app

helm -n spiffe-demo install spiffe-demo spiffe-demo-repo/spiffe-demo-app --create-namespace

Finally, open a tunnel to access the demo app from your browser:

kubectl -n spiffe-demo port-forward svc/spiffe-demo-service 8080:80

You can now access the app by visiting http://localhost:8080. Feel free to experiment and view the certificates and JWT tokens being minted and served by Defakto.

Rollback Procedure

If you need to roll back to direct Trust Domain Server connectivity:

  1. Update Helm values to disable Reflector
  2. Apply the configuration: helm upgrade spirl-system ...
  3. Verify direct Trust Domain Server connectivity is restored