v1.9.3 Latest
SPIFFE Overview Concepts Community Presentations Get Involved
SPIRE About Concepts Use Cases Comparisons Case Studies
Try Quickstart for Linux and MacOS X Quickstart for Kubernetes Quickstart for Docker Compose
Plan Scaling SPIRE Extending
Deploy Getting SPIRE Install Server Install Agent Configuring Registering workloads Working with SVIDs SPIFFE Library Usage Examples SPIRE Agent Configuration Reference SPIRE Server Configuration Reference SPIRE Telemetry Configuration
Maintain Upgrade/Downgrade SPIRE
Helm Charts Hardened About Installation
Upgrading Service Selection Recommendations Exposing Services Identifiers Namespaces
Advanced Federation Local Mirrors
Integrate SPIRE Securing Microservices Using Envoy with SPIRE SPIRE with Envoy and X.509-SVIDs SPIRE with Envoy and JWT-SVIDs Spire with OPA + Envoy + X.509-SVIDs Spire with OPA + Envoy + JWT-SVIDs
SVID Authentication AWS OIDC Authentication Vault Integration Example
SPIRE Architecture Nested SPIRE Example SPIRE Federation Example

Installation

How to install the SPIRE stack using the SPIRE Helm charts

Quick start

To do a quick install suitable for non production environments such as minikube:

helm upgrade --install --create-namespace -n spire spire-crds spire-crds \
 --repo https://spiffe.github.io/helm-charts-hardened/

helm upgrade --install -n spire spire spire \
 --repo https://spiffe.github.io/helm-charts-hardened/

Production Deployment

Preparing a production deployment requires a few extra steps.

  1. Save the following to your-values.yaml, ideally in your git repo.
global:
  openshift: false # If running on openshift, set to true
  spire:
    recommendations:
      enabled: true
    namespaces:
      create: true
    ingressControllerType: "" # If not openshift, and want to expose services, set to a supported option [ingress-nginx]
    # Update these
    clusterName: example-cluster
    trustDomain: example.org
    caSubject:
      country: ARPA
      organization: Example
      commonName: example.org
  1. If you need a non default storageClass, append the following to the spire-server section and update:
  persistence:
    storageClass: your-storage-class
  1. If your Kubernetes cluster is OpenShift based, use the output of the following command to update the trustDomain setting:
oc get cm -n openshift-config-managed  console-public -o go-template="{{ .data.consoleURL }}" | \
  sed 's@https://@@; s/^[^.]*\.//'

  1. Find any additional values you might want to set based on the documentation on this site or the examples. In particular, consider using an external database.

  2. Deploy

helm upgrade --install --create-namespace -n spire-mgmt spire-crds spire-crds \
  --repo https://spiffe.github.io/helm-charts-hardened/

helm upgrade --install -n spire-mgmt spire spire \
 --repo https://spiffe.github.io/helm-charts-hardened/ \
 -f your-values.yaml