
Workload Identity Setup with Nephio

Prashant Mishra edited this page Aug 2, 2024 · 12 revisions

Here's a simple tutorial for setting up Nephio with SPIRE:

Nephio and SPIRE Setup Tutorial

1. Set up Nephio

Follow the Nephio installation guide for GCE at https://docs.nephio.org/docs/guides/install-guides/

2. Update catalog

rm -rf catalog
git clone https://github.com/5gsec/catalog

3. Deploy regional cluster

Follow instructions at https://docs.nephio.org/docs/guides/user-guides/exercise-1-free5gc/ to deploy the regional cluster only.

Check cluster status:

kubectl get cl

4. Get regional cluster kubeconfig

kubectl get secret regional-kubeconfig -o jsonpath='{.data.value}' | base64 -d > $HOME/.kube/regional-kubeconfig
export KUBECONFIG=$HOME/.kube/config:$HOME/.kube/regional-kubeconfig

5. Deploy SPIRE server

kubectl create ns spire
kpt live init spire
kpt live apply spire

6. Deploy SPIRE agent

Modify the spire-agent ConfigMap so that the agent points at the SPIRE server's address and port. To find them, run:

kubectl get svc -n spire spire-server

and use the external IP and port shown for the service. Then deploy the agent and the SPIFFE CSI driver:

kubectl apply -f spire-agent.yaml -f spiffe-csi.yaml

Verify that the spire-agent and SPIFFE CSI driver pods are running in the spire namespace before continuing.

7. Register workloads

Register node:

kubectl exec -it -nspire statefulset/spire-server -- \
  /opt/spire/bin/spire-server entry create \
    -node \
    -spiffeID spiffe://example.org/node \
    -selector k8s_psat:cluster:kind

Register nephio-operator:

kubectl exec -it -nspire statefulset/spire-server -- \
  /opt/spire/bin/spire-server entry create \
    -parentID spiffe://example.org/node \
    -spiffeID spiffe://example.org/nephio \
    -selector k8s:ns:nephio-system

Your Nephio environment with SPIRE should now be set up and ready to use.


8. Port forwarding and cloning repository

In a new terminal window, set up port forwarding:

kubectl port-forward -n spire svc/spire-oidc 8888:8888 &

Clone the Workload-Identity-in-K8s repository:

git clone https://github.com/PrimalPimmy/Workload-Identity-in-K8s
cd Workload-Identity-in-K8s/vault-oidc

9. Configure Vault

TODO: Add full vault steps

Follow Part 3 of the tutorial at: https://spiffe.io/docs/latest/keyless/vault/readme/

Make the following changes:

Configure the JWT authentication method:

vault write auth/jwt/config oidc_discovery_url=http://localhost:8888 default_role="dev"

Create a Vault policy file in HCL format, choosing one of the two variants below.

Policy granting read and write (create) access:

path "secret/my-super-secret" {
  capabilities = ["create", "read"]
}

Policy granting read-only access:

path "secret/my-super-secret" {
  capabilities = ["read"]
}

10. Write policy and configure role

Write the policy:

vault policy write my-dev-policy ./vault/vault-policy.hcl

Configure the role:

vault write auth/jwt/role/dev \
    role_type=jwt \
    user_claim=sub \
    bound_audiences=TESTING \
    bound_subject=spiffe://example.org/nephio \
    token_ttl=24h \
    token_policies=my-dev-policy
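An added example, not part of this page or the repositories it links, showing what the role above actually binds: Vault accepts a JWT-SVID for role dev only if its sub claim equals bound_subject and its aud claim contains TESTING, so a login fails when the operator presents a different SPIFFE ID (for example the node entry) or requested another audience. The script decodes a JWT-SVID, lists every mismatch against the role, and runs on constructed sample tokens; signature verification is deliberately left to Vault, which fetches the keys from oidc_discovery_url.

```python
import base64
import json
import time
from typing import List, Optional

# The Vault role from step 10 of this page, expressed as the claims it binds.
VAULT_ROLE = {
    "user_claim": "sub",
    "bound_audiences": ["TESTING"],
    "bound_subject": "spiffe://example.org/nephio",
}

def _b64url_decode(part: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def decode_jwt_svid(token: str) -> dict:
    """Return the claims of a JWT-SVID. The signature is NOT checked here:
    Vault verifies it against the JWKS served by oidc_discovery_url (step 9)."""
    header, payload, _signature = token.split(".")
    if json.loads(_b64url_decode(header)).get("alg") == "none":
        raise ValueError("refusing an unsigned token")
    return json.loads(_b64url_decode(payload))

def check_against_role(claims: dict, role: dict, now: Optional[float] = None) -> List[str]:
    """List each reason auth/jwt/login would reject these claims for the role."""
    now = time.time() if now is None else now
    problems = []
    subject = claims.get(role["user_claim"])
    if subject != role["bound_subject"]:
        problems.append(f"{role['user_claim']} {subject!r} != bound_subject {role['bound_subject']!r}")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud  # 'aud' may be a string or a list
    if not set(aud) & set(role["bound_audiences"]):
        problems.append(f"aud {aud!r} matches none of bound_audiences {role['bound_audiences']!r}")
    if "exp" not in claims or claims["exp"] <= now:
        problems.append("token is expired or has no exp claim")
    return problems

def _make_token(claims: dict) -> str:
    # Constructed sample in JWT-SVID shape; the signature segment is a dummy.
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "ES256", "kid": "constructed-kid", "typ": "JWT"}), enc(claims), "sig"])

GOOD_SVID = _make_token({"sub": "spiffe://example.org/nephio", "aud": ["TESTING"], "exp": 4102444800})
WRONG_AUD_SVID = _make_token({"sub": "spiffe://example.org/nephio", "aud": ["vault"], "exp": 4102444800})
NODE_SVID = _make_token({"sub": "spiffe://example.org/node", "aud": ["TESTING"], "exp": 4102444800})
```

Feed a real token (for example one fetched with spire-agent api fetch jwt -audience TESTING) to check_against_role(decode_jwt_svid(token), VAULT_ROLE); an empty list means the claims match the role and any remaining login failure is on the signature or OIDC discovery side.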

11. Setting up the modified nephio-operator

Clone the modified operator and check out its spire branch:

git clone https://github.com/5GSEC/nephio
cd nephio && git checkout spire

Update the Vault address in the vault-config ConfigMap (the IP below is the page's example; use the address of your own Vault server):

apiVersion: v1
kind: ConfigMap
metadata:
  name: vault-config
data:
  VAULT_ADDR: "http://10.146.0.22:8200"

Then build the operator image and load it into the kind cluster:

cd operators/nephio-controller-manager/
make docker-build-local
kind load docker-image nephio/nephio-operator:ubuntu --name kind

Then, in a new terminal, switch to the catalog folder (make sure it is on the spire branch) and redeploy the controller:

cd catalog/nephio/core/nephio-operator/app/controller/
kubectl delete -f deployment-controller.yaml
kubectl apply -f deployment-controller.yaml

12. Check the logs for the nephio-operator, for example:

kubectl logs -n nephio-system nephio-controller-7995d48474-kwn2s -c controller