Add installation script

README.md

@@ -1,5 +1,5 @@
 # tconfigd
-tconfigd is a central daemon responsible for distributing configurations, rules, and trust bundles to Tratteria agents. It streamlines the management of transaction token verification across microservices systems.
+tconfigd is a central daemon responsible for distributing configurations and trust bundles to Tratteria agents. It streamlines the management of transaction token verification across microservices systems.
 
 ## Documentation
 For detailed documentation and setup guides please visit our official documentation page: [tratteria.io](https://tratteria.io)

installation/INSTALL.md

@@ -0,0 +1,103 @@
+# Installation Guide for tconfigd
+
+## Prerequisites
+- **Kubernetes Cluster**: Ensure your Kubernetes cluster is active and accessible.
+- **kubectl**: Confirm `kubectl` is installed and configured to interact with your Kubernetes cluster.
+
+## Installation Steps
+
+tconfigd requires SPIRE for its operation. If your infrastructure already has SPIRE installed, follow the [instructions for environments with existing SPIRE](#environment-with-existing-spire-installation) to install tconfigd. If SPIRE is not present, the steps below will include its installation as part of the tconfigd setup.
+
+
+### 1. Clone the Repository
+Clone the tconfigd repository and navigate to the installation directory:
+
+```bash
+git clone https://github.com/tratteria/tconfigd.git
+```
+
+```bash
+cd tconfigd/installation
+```
+
+Alternatively, perform a shallow clone of just the installation subdirectory.
+
+
+### 2. Configure tconfigd
+
+Update the `config.yaml` file to match your specific deployment settings:
+
+- **Configure the settings as described below:**
+  - `enableTratInterception`: "`true`" 
+    - **Description**: Set to "`true`" to enable interception of incoming requests for TraT verification. Set to "`false`" if using the [delegation method](https://github.com/tratteria/tratteria-agent) for TraT verification.
+  - `agentApiPort`: "`9040`" 
+    - **Description**: The port number for the tratteria agent API. Do not change this unless you have some specific need.
+  - `agentInterceptorPort`: "`9050`" 
+    - **Description**: The port number for the tratteria agent's incoming requests interceptor. Do not change this unless you have some specific need.
+  - `spiffeEndpointSocket`: "`unix:///run/spire/sockets/agent.sock`" 
+    - **Description**: Path to the SPIFFE Workload API Unix socket. Do not change this if you are using the tconfigd SPIRE installation.
+  - `tconfigdSpiffeId`: "`spiffe://tratteria.io/tconfigd`" 
+    - **Description**: SPIFFE ID for tconfigd. Do not change this if you are using the tconfigd SPIRE installation.
+
+
+### 3. Run the Installation Script
+
+Deploy the tconfigd to your Kubernetes cluster by running the installation script:
+
+```bash
+./install.sh
+```
+
+### 4. Verification
+
+Verify the installation by checking the status of the tconfigd pod in the `tratteria-system` namespace. Use the following command to view the pod:
+
+```bash
+kubectl get pods -n tratteria-system
+```
+
+For a practical example of installing tconfigd on a microservice application, refer to the [example-application](https://github.com/tratteria/example-application).
+
+## Environment with Existing SPIRE Installation
+If you already have SPIRE installed, follow these steps to install tconfigd:
+
+### 1. Register tconfigd with your running SPIRE:
+Below is a sample registartion command:
+
+```bash
+kubectl exec -n spire spire-server-0 -- \
+    /opt/spire/bin/spire-server entry create --dns tconfigd tratteria-system.svc \
+    -spiffeID spiffe://<your-trust-domain>/tconfigd \
+    -parentID spiffe://<your-trust-domain>/ns/spire/sa/spire-agent \
+    -selector k8s:ns:tratteria-system \
+    -selector k8s:sa:tconfigd-service-account
+```
+
+### 2. Clone the tconfig Repository:
+
+Follow the [instructions to clone the repository](#1-clone-the-repository) from the general installation guide.
+
+### 3. Configure tconfigd:
+
+Adjust the following fields in your `config.yaml` file to align with your SPIRE settings.
+
+```yaml
+spiffeEndpointSocket: "unix:///run/spire/sockets/agent.sock" # Path to the SPIFFE Workload API Unix socket, replace this if your installation settings differ.
+tconfigdSpiffeId: "spiffe://<trust-domain>/tconfigd" # SPIFFE ID used in the registration command above.
+```
+
+For configuring other fields, refer to the [general installation configuration guide above](#2-configure-tconfigd).
+
+### 4. Run the Installation Script:
+
+When installing tconfigd, add the `--no-spire` flag to the installation script to prevent reinstalling SPIRE in your environment. Similarly, use this flag when running the uninstallation script to keep SPIRE intact.
+
+```bash
+./install.sh --no-spire
+```
+
+### 5. Verify Installation:
+
+Follow the [verification steps](#4-verification) provided in the general installation guide.
+
+For a practical example of installing tconfigd on a microservice application with existing SPIRE setup, refer to the [example-application-with-existing-spire](https://github.com/tratteria/example-application-with-existing-spire).

installation/config.yaml

@@ -0,0 +1,5 @@
+enableTratInterception: "true" # Enable or disable incoming requests interception for TraT verification
+agentApiPort: "9040" # Port number for the tratteria agent API
+agentInterceptorPort: "9050" # Port number for the tratteria agent incoming requests interceptor
+spiffeEndpointSocket: "unix:///run/spire/sockets/agent.sock" # Don't change this if you are using tconfigd SPIRE installation
+tconfigdSpiffeId: "spiffe://tratteria.io/tconfigd" # Don't change this if you are using tconfigd SPIRE installation

installation/install.sh

@@ -0,0 +1,97 @@
+#!/bin/bash
+
+info() {
+    printf "\e[34m%s\n\e[0m" "$1"
+}
+
+error() {
+    printf "\e[31m%s\n\e[0m" "$1"
+}
+
+success() {
+    printf "\e[32m%s\n\e[0m" "$1"
+}
+
+usage() {
+    echo "Usage: $0 [OPTIONS]"
+    echo "Options:"
+    echo "  --no-spire    Skips the installation of SPIRE."
+    echo "  -h, --help    Displays this help message."
+}
+
+apply_k8s_config() {
+    kubectl apply -f $1 || { error "Failed to apply configuration for $1"; exit 1; }
+}
+
+validate_resource() {
+    resource_type=$1
+    resource_name=$2
+    if ! kubectl get ${resource_type} ${resource_name} -n tratteria-system > /dev/null 2>&1; then
+        error "${resource_type} ${resource_name} is not configured properly."
+        exit 1
+    fi
+}
+
+install_spire=true
+
+while [[ "$#" -gt 0 ]]; do
+    case $1 in
+        --no-spire) install_spire=false ;;
+        -h|--help) usage; exit 0 ;;
+        *) echo "Unknown option: $1"; usage; exit 1 ;;
+    esac
+    shift
+done
+
+if kubectl get namespace tratteria-system > /dev/null 2>&1; then
+    error "tconfigd is already installed. Please uninstall the existing installation before proceeding."
+    exit 1
+fi
+
+if [ "$install_spire" = true ]; then
+    cd resources/spire
+    chmod +x install.sh
+    ./install.sh
+    cd ../../
+fi
+
+info "Installing tconfigd..."
+
+apply_k8s_config resources/namespaces.yaml
+apply_k8s_config resources/crds
+apply_k8s_config resources/service-account.yaml
+apply_k8s_config resources/role.yaml
+apply_k8s_config resources/rolebinding.yaml
+apply_k8s_config resources/deployment.yaml
+apply_k8s_config resources/service.yaml
+apply_k8s_config resources/tratteria-agent-injector-mutating-webhook.yaml
+
+kubectl create configmap config --from-file=config.yaml=config.yaml -n tratteria-system || {
+    error "Failed to create static configuration config map"
+    exit 1
+}
+
+info "Checking for the readiness of tconfigd..."
+attempts=0
+max_attempts=5
+while ! kubectl get pods -n tratteria-system | grep -q '1/1.*Running'; do
+    if [ $attempts -ge $max_attempts ]; then
+        error "Failed to verify the readiness of tconfigd."
+        exit 1
+    fi
+    attempts=$((attempts + 1))
+    info "Waiting for tconfigd to be ready..."
+    sleep 10
+done
+
+validate_resource namespace tratteria-system
+validate_resource crd trats.tratteria.io
+validate_resource crd tratteriaconfigs.tratteria.io
+validate_resource serviceaccount tconfigd-service-account
+validate_resource clusterrole tconfigd-service-account-role
+validate_resource clusterrolebinding tconfigd-service-account-binding
+validate_resource deployment tconfigd
+validate_resource service tconfigd
+validate_resource mutatingwebhookconfiguration tratteria-agent-injector
+
+success "tconfigd installation completed successfully."

kubernetes/tconfigd/deployment.yaml → installation/resources/deployment.yaml

@@ -2,7 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: tconfigd
-  namespace: tratteria
+  namespace: tratteria-system
 spec:
   replicas: 1
   selector:
@@ -12,17 +12,12 @@ spec:
     metadata:
       labels:
         app: tconfigd
-      namespace: tratteria
+      namespace: tratteria-system
     spec:
       dnsPolicy: ClusterFirstWithHostNet
       serviceAccountName: tconfigd-service-account
       containers:
-        - env:
-            - name: SPIFFE_ENDPOINT_SOCKET
-              value: unix:///run/spire/sockets/agent.sock
-            - name: TRATTERIA_SPIFFE_ID
-              value: spiffe://tratteria.io/tratteria
-          image: tconfigd
+        - image: tconfigd
           name: tconfigd
           args: ["/etc/tconfigd/config/config.yaml"]
           imagePullPolicy: Never

installation/resources/namespaces.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: List
+items:
+- apiVersion: v1
+  kind: Namespace
+  metadata:
+    name: tratteria-system

kubernetes/tconfigd/rolebinding.yaml → installation/resources/rolebinding.yaml

@@ -5,7 +5,7 @@ metadata:
 subjects:
   - kind: ServiceAccount
     name: tconfigd-service-account
-    namespace: tratteria
+    namespace: tratteria-system
 roleRef:
   kind: ClusterRole
   name: tconfigd-service-account-role

kubernetes/tconfigd/service-account.yaml → installation/resources/service-account.yaml

@@ -2,4 +2,4 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: tconfigd-service-account
-  namespace: tratteria
+  namespace: tratteria-system

kubernetes/tconfigd/service.yaml → installation/resources/service.yaml

@@ -2,7 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: tconfigd
-  namespace: tratteria
+  namespace: tratteria-system
 spec:
   type: ClusterIP
   ports:

kubernetes/spire/deploy.sh → installation/resources/spire/install.sh

@@ -1,7 +1,6 @@
-# Applying Spire Configurations
-echo "\nApplying Spire Configurations...\n"
+echo "\nDeploying Spire...\n"
 
-kubectl create namespace spire
+kubectl apply -f namespaces.yaml
 
 # Create Server Bundle Configmap, Role & ClusterRoleBinding
 kubectl apply \
@@ -52,8 +51,8 @@ kubectl exec -n spire spire-server-0 -- \
     -node
 
 kubectl exec -n spire spire-server-0 -- \
-    /opt/spire/bin/spire-server entry create --dns tconfigd.tratteria.svc\
-    -spiffeID spiffe://tratteria.io/tratteria \
+    /opt/spire/bin/spire-server entry create --dns tconfigd.tratteria-system.svc\
+    -spiffeID spiffe://tratteria.io/tconfigd \
     -parentID spiffe://tratteria.io/ns/spire/sa/spire-agent \
-    -selector k8s:ns:tratteria \
+    -selector k8s:ns:tratteria-system \
     -selector k8s:sa:tconfigd-service-account

installation/resources/spire/namespaces.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: List
+items:
+- apiVersion: v1
+  kind: Namespace
+  metadata:
+    name: spire

kubernetes/tconfigd/tratteria-agent-injector-mutating-webhook.yaml → installation/resources/tratteria-agent-injector-mutating-webhook.yaml

@@ -5,11 +5,11 @@ metadata:
   labels:
     tratteria.io/webhook: "true"
 webhooks:
-  - name: tratteria-agent-injector.tratteria.com
+  - name: tratteria-agent-injector.tratteria.io
     clientConfig:
       service:
         name: tconfigd
-        namespace: tratteria
+        namespace: tratteria-system
         path: "/inject-tratteria-agents"
       caBundle: 
     rules:

installation/uninstall.sh

@@ -0,0 +1,66 @@
+#!/bin/bash
+
+info() {
+    printf "\e[34m%s\n\e[0m" "$1"
+}
+
+error() {
+    printf "\e[31m%s\n\e[0m" "$1"
+}
+
+success() {
+    printf "\e[32m%s\n\e[0m" "$1"
+}
+
+usage() {
+    echo "Usage: $0 [OPTIONS]"
+    echo "Options:"
+    echo "  --no-spire    Skips the uninstallation of SPIRE."
+    echo "  -h, --help    Displays this help message."
+}
+
+resource_exists() {
+    resource_type=$1
+    resource_name=$2
+    kubectl get ${resource_type} ${resource_name} > /dev/null 2>&1
+}
+
+delete_k8s_resource() {
+    resource_type=$1
+    resource_name=$2
+    if resource_exists ${resource_type} ${resource_name}; then
+        kubectl delete ${resource_type} ${resource_name} || { error "Failed to delete ${resource_type} ${resource_name}"; exit 1; }
+    else
+        info "${resource_type} ${resource_name} does not exist, skipping deletion."
+    fi
+}
+
+uninstall_spire=true
+
+while [[ "$#" -gt 0 ]]; do
+    case $1 in
+        --no-spire) uninstall_spire=false ;;
+        -h|--help) usage; exit 0 ;;
+        *) echo "Unknown option: $1"; usage; exit 1 ;;
+    esac
+    shift
+done
+
+if [ "$uninstall_spire" = true ]; then
+    info "Uninstalling spire..."
+    cd resources/spire
+    chmod +x uninstall.sh
+    ./uninstall.sh
+    cd ../../
+fi
+
+info "Uninstalling tconfigd..."
+
+delete_k8s_resource namespace tratteria-system
+delete_k8s_resource clusterrole tconfigd-service-account-role
+delete_k8s_resource clusterrolebinding tconfigd-service-account-binding
+delete_k8s_resource mutatingwebhookconfiguration tratteria-agent-injector
+delete_k8s_resource crd trats.tratteria.io
+delete_k8s_resource crd tratteriaconfigs.tratteria.io
+
+success "tconfigd uninstalled successfully."