#!/bin/bash
# This script starts the spire agent in the privileged, restricted, external and db servers
# and creates the workload registration entries for them.
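# Abort on the first failed command, on unset variables, and on a failure in
# any stage of a pipeline (the trust-bundle copies below are pipelines, and
# without pipefail only the final `tee` would be checked).
set -euo pipefail

# Terminal bold on/off sequences for the progress messages. `tput` exits
# non-zero when there is no usable TERM (e.g. CI or a cron job); fall back to
# empty strings instead of letting `set -e` kill the script before it starts.
bb=$(tput bold 2>/dev/null || true)
nn=$(tput sgr0 2>/dev/null || true)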
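#######################################
# Print the SHA-1 fingerprint of a PEM certificate's DER encoding. This is
# the value SPIRE's x509pop node attestor embeds in the agent's SPIFFE ID,
# so the hash algorithm is fixed by that convention and must stay SHA-1.
# Arguments: $1 - path to a PEM-encoded certificate
# Outputs:   40 lowercase hex characters on stdout
# Returns:   non-zero if the file is unreadable or not a parseable certificate
#######################################
fingerprint() {
  local cert=${1:?usage: fingerprint <cert.pem>}
  # Run in a subshell with pipefail so a missing or malformed certificate
  # fails the call instead of printing the hash of empty input with status 0
  # (which would silently produce a parent ID that matches no agent).
  (
    set -o pipefail
    openssl x509 -in "$cert" -outform DER | openssl sha1 -r | awk '{print $1}'
  )
}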
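# Agent certificate fingerprints. SPIRE's x509pop node attestor derives each
# agent's SPIFFE ID from the SHA-1 fingerprint of its DER-encoded certificate,
# so the parent ID of every registration entry below is built from this value.
PRIVILEGED_AGENT_FINGERPRINT=$(fingerprint docker/privileged/conf/agent.crt.pem)
RESTRICTED_AGENT_FINGERPRINT=$(fingerprint docker/restricted/conf/agent.crt.pem)
EXTERNAL_AGENT_FINGERPRINT=$(fingerprint docker/external/conf/agent.crt.pem)
DB_AGENT_FINGERPRINT=$(fingerprint docker/db/conf/agent.crt.pem)

# Refuse to continue with an empty fingerprint: the entry would be created with
# a parent ID of ".../x509pop/" and never be issued to the intended agent.
for fp_var in PRIVILEGED_AGENT_FINGERPRINT RESTRICTED_AGENT_FINGERPRINT \
              EXTERNAL_AGENT_FINGERPRINT DB_AGENT_FINGERPRINT; do
  if [[ -z "${!fp_var}" ]]; then
    echo "error: ${fp_var} is empty; is the agent certificate readable?" >&2
    exit 1
  fi
done

# The four agent containers; order matches the startup messages below.
services=(privileged restricted external db)

# Bootstrap trust to the SPIRE server for each agent by copying over the
# trust bundle into each agent container. Alternatively, an upstream CA could
# be configured on the SPIRE server and each agent provided with the upstream
# trust bundle (see UpstreamCA under
# https://github.com/spiffe/spire/blob/master/doc/spire_server.md#plugin-types)
#
# The bundle is fetched once so a failing `bundle show` aborts here (via set -e
# on the assignment) instead of being masked inside a pipeline.
trust_bundle=$(docker-compose exec -T spire-server bin/spire-server bundle show)
if [[ -z "$trust_bundle" ]]; then
  echo "error: spire-server returned an empty trust bundle" >&2
  exit 1
fi
for svc in "${services[@]}"; do
  # `tee` is the last stage, so its exit status is what set -e checks.
  printf '%s\n' "$trust_bundle" |
    docker-compose exec -T "$svc" tee conf/agent/bootstrap.crt > /dev/null
done

# Start each service's SPIRE agent. `-d` detaches, so the agent keeps running
# inside its container after this script exits.
for svc in "${services[@]}"; do
  echo "${bb}Starting ${svc} service SPIRE agent...${nn}"
  docker-compose exec -d "$svc" bin/spire-agent run
done
echo "${nn}"

#######################################
# Create a workload registration entry on the SPIRE server.
# The unix:user:root selector is demo-grade: it matches any root-owned process
# that reaches the agent's Workload API on that host, not one specific binary.
# Arguments: $1 - service name (used in the progress message)
#            $2 - path component of the workload SPIFFE ID
#            $3 - SHA-1 fingerprint of the parent agent's certificate
#######################################
register_entry() {
  local svc=$1 spiffe_name=$2 agent_fp=$3
  echo "${bb}Creating registration entry for the ${svc} service...${nn}"
  docker-compose exec spire-server bin/spire-server entry create \
    -selector unix:user:root \
    -spiffeID "spiffe://domain.test/${spiffe_name}" \
    -parentID "spiffe://domain.test/spire/agent/x509pop/${agent_fp}"
}

register_entry privileged privileged "$PRIVILEGED_AGENT_FINGERPRINT"
register_entry restricted restricted "$RESTRICTED_AGENT_FINGERPRINT"
register_entry external external "$EXTERNAL_AGENT_FINGERPRINT"
register_entry db db-server "$DB_AGENT_FINGERPRINT"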