
Workload Identities

A demo-level SPIRE and service mesh deployment to show how to use workload identities.
We want you to understand how to use workload identities both transparently and actively.

Example Requirements

This example deployment focuses on meeting the following infrastructure requirements:

  • Ensure confidentiality of HTTP requests inside the cluster
  • Use strong and short lived OAuth client credentials, rather than client secrets
  • Use strong and short lived database credentials, rather than passwords

Deploy the System

Deploy the system on a computer running Linux, macOS or Windows (with Git bash).
First ensure that the following components are installed:

1. Create the Cluster

Create a cluster and run a load balancer to enable the API to be exposed on an external IP address.
On Windows, use a Run as administrator shell in order to run the load balancer:

./1-create-cluster.sh

2. Deploy the Public Key Infrastructure

Then run another shell to run basic installations of cert-manager and SPIRE.
See the PKI setup documentation for details.

./2-deploy-pki.sh

3. Deploy the Service Mesh

Next, deploy the Istio service mesh, to enable transparent mTLS inside the cluster.
See the Service mesh setup for details on the Istio SPIRE integration.

./3-deploy-service-mesh.sh

4. Deploy the API Gateway

Next deploy the Kong API gateway to enable ingress into the cluster:

./4-deploy-api-gateway.sh

The script outputs the external IP address of the API gateway with a line similar to this:

The cluster's external IP address is 172.19.0.5 ...

Add these entries to your computer's /etc/hosts file for that IP address:

172.19.0.5 api.democluster.example login.democluster.example admin.democluster.example

5. Deploy the Authorization Server

Next deploy the Curity Identity Server as the authorization server.
See the authorization server setup documentation for details of the configuration.

./5-deploy-authorization-server.sh

6. Run an OAuth Client that uses a JWT as a Client Credential

Next deploy a test workload which will use a Kubernetes service account token as an OAuth client credential.
See the oauth client setup documentation for details of how connections work.

./6-deploy-oauthclient.sh

7. Run a Database Server that accepts X509 Credentials

Next, run this command to deploy a postgres database server configured to use Mutual TLS with SPIRE X509 SVIDs.
See the database server setup documentation for details of the configuration.

./7-deploy-dbserver.sh

8. Run a Database Client that uses an X509 Database Credential

Next, run this command to deploy a postgres database client that will connect to the database server.
See the database client setup documentation for details of the configuration.

./8-deploy-dbclient.sh

9. Run an API that uses an X509 Database Credential

Finally, run this command to deploy a simple REST API that makes a JDBC connection to the database server.
To build and deploy the API you must have a Java 21 SDK installed.
See the API setup documentation for details of the configuration.

./9-deploy-api.sh
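A check worth running once steps 7 to 9 are in place, added here and not part of the repository's scripts: read the SPIFFE ID from an X509 SVID's URI SAN (as printed by `openssl x509 -noout -text`) and confirm it belongs to the expected SPIRE trust domain. The trust domain `democluster.example`, the workload path and the sample certificate text are constructed assumptions; on a live cluster pipe in the output of `openssl x509 -in svid.pem -noout -text` for a workload's SVID instead.

```shell
#!/bin/sh
# Assumed trust domain (not stated in the README); set it to your SPIRE server's trust domain.
EXPECTED_TRUST_DOMAIN="democluster.example"

# Print the SPIFFE ID (the spiffe:// URI SAN) found in `openssl x509 -noout -text` output on stdin.
# An X509 SVID carries exactly one such URI SAN; an empty result means the certificate is not an SVID.
spiffe_id_from_cert_text() {
  sed -n 's/.*URI:\(spiffe:\/\/[^,[:space:]]*\).*/\1/p' | head -n 1
}

# Return the trust domain part of a SPIFFE ID of the form spiffe://<trust-domain>/<path>.
trust_domain_of() {
  printf '%s\n' "$1" | sed 's#^spiffe://##; s#/.*$##'
}

# Return 0 when the certificate text on stdin carries a SPIFFE ID in the expected trust domain,
# 1 when it carries none or one from another trust domain.
check_svid_trust_domain() {
  id=$(spiffe_id_from_cert_text)
  [ -n "$id" ] || { echo "no SPIFFE ID in certificate"; return 1; }
  [ "$(trust_domain_of "$id")" = "$EXPECTED_TRUST_DOMAIN" ] || { echo "unexpected trust domain: $id"; return 1; }
  echo "ok: $id"
}

# Constructed sample resembling the relevant lines of `openssl x509 -noout -text` for a SPIRE SVID.
SAMPLE_SVID_TEXT='Certificate:
    Data:
        Issuer: O=SPIRE, C=US
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                URI:spiffe://democluster.example/ns/applications/sa/dbclient'

printf '%s\n' "$SAMPLE_SVID_TEXT" | check_svid_trust_domain
```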

Free Resources

Finally, once you have finished testing, free resources by running these commands:

./delete-cluster.sh