The SPIRE Operator configures, deploys, and helps ensure that a SPIRE server and agents are up and running in a Kubernetes cluster based on basic user-defined specifications.
This is a proof-of-concept project by the interns under the Identity and Access Management of GreenLake Platform (summer 2023).
The SPIRE Server resource is a CRD that represents a SPIRE server as an individual Kubernetes resource.
The SPIRE Agent resource is a CRD that represents a SPIRE agent as an individual Kubernetes resource.
The controller listens for the creation of a resource of type SPIRE Server, which triggers its reconciliation logic. The user must write their own configuration for a SPIRE server in a YAML file describing a resource of kind SpireServer, then run kubectl apply -f <yaml-file-name> to trigger the controller. Based on the specifications in the user-supplied YAML file for the SPIRE Server instance, customized Kubernetes resources (such as a ConfigMap, StatefulSet, Service, etc.) are generated and deployed in the Kubernetes cluster.
Once all server-related components are deployed, the controller continuously runs a background health check that assesses the conditions of the SPIRE server pods deployed by the operator. The health status of the SPIRE Server is updated every 5 seconds and can be viewed by running kubectl get spireservers.
Once the SPIRE server is in the "READY" health state, SPIRE agents can be deployed. The controller listens for the creation of a resource of type SPIRE Agent, which triggers its reconciliation logic. The user must write their own configuration for a SPIRE agent in a YAML file describing a resource of kind SpireAgent, then run kubectl apply -f <yaml-file-name> to trigger the controller. Based on the specifications in the user-supplied YAML file for the SPIRE Agent instance, customized Kubernetes resources (such as a ConfigMap, DaemonSet, etc.) are generated and deployed in the Kubernetes cluster.
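The rollout order described above (apply the SpireServer, wait for READY, only then apply the SpireAgent) as an added bash example; this is not the operator's own code. It assumes the health value is readable at .status.health of the SpireServer resource, that the resource is named spire-server, and that the manifests are ./spire-server.yaml and ./spire-agent.yaml.

```bash
#!/usr/bin/env bash
# Added example (not part of the SPIRE Operator project): apply the SpireServer,
# wait until its health is READY, then apply the SpireAgent. Assumptions: the
# health value is readable at .status.health (the README only says it is shown
# by `kubectl get spireservers`), and the manifests are ./spire-server.yaml and
# ./spire-agent.yaml.
set -eu

SERVER_NAME="${SERVER_NAME:-spire-server}"   # metadata.name of the SpireServer (assumed)
POLL_SECONDS="${POLL_SECONDS:-5}"            # the operator refreshes status every 5 seconds
MAX_ATTEMPTS="${MAX_ATTEMPTS:-60}"           # 60 polls x 5 s = 5 minute ceiling

# Read the SpireServer health into $HEALTH. A global is used instead of command
# substitution so a test can swap this function for a stub. Empty = not readable yet.
get_health() {
  HEALTH="$(kubectl get spireservers "$1" -o jsonpath='{.status.health}' 2>/dev/null)" || HEALTH=""
}

# Exactly "READY" counts as ready; anything else, including an empty value, does not.
is_ready() {
  [ "$1" = "READY" ]
}

# Poll until READY. On success sets POLLS_USED and returns 0; on timeout returns 1,
# so the caller never applies agents against a server whose health was never confirmed.
wait_for_ready() {
  local name="$1" attempt=1
  while [ "$attempt" -le "$MAX_ATTEMPTS" ]; do
    get_health "$name"
    if is_ready "$HEALTH"; then
      POLLS_USED="$attempt"
      return 0
    fi
    echo "SpireServer/$name health=${HEALTH:-<none>} (poll $attempt/$MAX_ATTEMPTS)" >&2
    attempt=$((attempt + 1))
    sleep "$POLL_SECONDS"
  done
  return 1
}

# Full sequence: server first, agents only after READY has been observed.
deploy() {
  kubectl apply -f spire-server.yaml
  if ! wait_for_ready "$SERVER_NAME"; then
    echo "SpireServer/$SERVER_NAME not READY after $MAX_ATTEMPTS polls; agents not deployed" >&2
    return 1
  fi
  kubectl apply -f spire-agent.yaml
}
```

Source the script and call deploy; POLL_SECONDS and MAX_ATTEMPTS can be overridden through the environment.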
The operator is designed to manage the same Kubernetes cluster in which the SPIRE components are deployed.
Currently, the SPIRE Operator can deploy a SPIRE server and SPIRE agents based on basic user configuration. In the future, we hope to add support for updating the configuration of the server and agents and for deleting server and agent resources.