Update installation and repo readme

README.md

@@ -1,8 +1,15 @@
 # tconfigd
+
 tconfigd is a central daemon responsible for distributing configurations and trust bundles to Tratteria agents. It streamlines the management of transaction token verification across microservices systems.
 
-## Documentation
-For detailed documentation and setup guides please visit our official documentation page: [tratteria.io](https://tratteria.io)
+## Installation Resources and Instructions
+
+For the installation resources and instructions of the tconfigd service, please refer to the [installation subdirectory](https://github.com/tratteria/tconfigd/tree/main/installation).
+
+## Tratteria Documentation
+
+For detailed documentation and setup guides of tratteria please visit tratteria official documentation page: [tratteria.io](https://tratteria.io).
 
 ## Contribute to Tratteria
+
 Contributions to the project are welcome, including feature enhancements, bug fixes, and documentation improvements.

installation/README.md

@@ -1,13 +1,73 @@
 # Installation Guide for tconfigd
 
 ## Prerequisites
-- **Kubernetes Cluster**: Ensure your Kubernetes cluster is active and accessible.
-- **kubectl**: Confirm `kubectl` is installed and configured to interact with your Kubernetes cluster.
 
-## Installation Steps
+### Kubernetes Cluster:
+
+Ensure your Kubernetes cluster is active and accessible.
+
+### SPIRE:
+
+tconfigd requires [SPIRE](https://github.com/spiffe/spire) for its operation. Ensure SPIRE is installed before proceeding to install tconfigd.
+
+#### 1. Setup
+
+tconfigd utilizes [k8sbundle plugin](https://github.com/spiffe/spire/blob/main/doc/plugin_server_notifier_k8sbundle.md) to push CA certificates to its Kubernetes webhooks. Add the following configuration to your SPIRE server:
+
+```
+Notifier "k8sbundle" {
+    plugin_data {
+        webhook_label = "tratteria.io/webhook"
+    }
+}
+```
+
+For the above to operate, you need to add the following permissions to the SPIRE server ClusterRole:
+
+```yaml
+- apiGroups: ["admissionregistration.k8s.io"]
+  resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
+  verbs: ["get", "list", "patch", "watch"]
+```
+
+#### 2. Registering tconfigd
+
+Register tconfigd to your running SPIRE. tconfigd operates within the `tratteria-system` namespace and uses the `tconfigd-service-account` service account. Below is a sample registration command:
+
+```bash
+kubectl exec -n spire spire-server-0 -- \
+    /opt/spire/bin/spire-server entry create --dns tconfigd.tratteria-system.svc \
+    -spiffeID spiffe://[your-trust-domain]/tconfigd \
+    -parentID spiffe://[your-trust-domain]/ns/spire/sa/spire-agent \
+    -selector k8s:ns:tratteria-system \
+    -selector k8s:sa:tconfigd-service-account
+```
+
+Include the `--dns` option with the value `tconfigd.tratteria-system.svc` in the registration command; it is necessary for tconfigd operation.
+
+#### 2. Registering tratteria service
+
+Register [tratteria service](https://github.com/tratteria/tratteria), an open source Transaction Tokens (TraTs) Service, to your running SPIRE. tratteria operates within your application namespace and uses the `tratteria-service-account` service account. Below is a sample registration command:
+
+```bash
+kubectl exec -n spire spire-server-0 -- \
+    /opt/spire/bin/spire-server entry create \
+    -spiffeID spiffe://[your-trust-domain]/tratteria \
+    -parentID spiffe://[your-trust-domain]/ns/spire/sa/spire-agent \
+    -selector k8s:ns:[your-namespace] \
+    -selector k8s:sa:tratteria-service-account
+```
 
-tconfigd requires SPIRE for its operation. If your infrastructure already has SPIRE installed, follow the [instructions for environments with existing SPIRE](#environment-with-existing-spire-installation) to install tconfigd. If SPIRE is not present, the steps below will include its installation as part of the tconfigd setup.
+#### 3. Registering Microservices
 
+Ensure all microservice that need to verify trats are registered to your running SPIRE.
+
+<br>
+
+For a reference implementation on setting up SPIRE for tconfigd, please check the example application's [spire installation](https://github.com/tratteria/example-application/tree/main/deploy/spire).
+
+
+## Installation Steps
 
 ### 1. Clone the Repository
 Clone the tconfigd repository and navigate to the installation directory:
@@ -23,81 +83,42 @@ cd tconfigd/installation
 Alternatively, perform a shallow clone of just the installation subdirectory.
 
 
-### 2. Configure tconfigd
+### 3. Configure tconfigd
 
 Update the `config.yaml` file to match your specific deployment settings:
 
 - **Configure the settings as described below:**
   - `enableTratInterception`: "`true`" 
-    - **Description**: Set to "`true`" to enable interception of incoming requests for TraT verification. Set to "`false`" if using the [delegation method](https://github.com/tratteria/tratteria-agent) for TraT verification.
-  - `agentApiPort`: "`9040`" 
-    - **Description**: The port number for the tratteria agent API. Do not change this unless you have some specific need.
+    - **Description**: Set to "`true`" to enable interception of incoming requests for TraT verification. Set to "`false`" if using the [delegation method](https://github.com/tratteria/tratteria-agent?tab=readme-ov-file#operating-modes) for TraT verification.
+  - `spireAgentHostDir`: `"/run/spire/sockets"`
+    - **Description**: Host directory where the SPIRE agent's socket resides. Update this value if it is different in your SPIRE installation.
+  - `tratteriaSpiffeId`: `"spiffe://[your-trust-domain]/tratteria"`
+    - **Description**: SPIFFE ID used to register [tratteria service](https://github.com/tratteria/tratteria), an open source Transaction Tokens (TraTs) Service.
+  - `agentHttpsApiPort`: "`9040`" 
+    - **Description**: Port number for the tratteria agent HTTPS APIs. Do not change this unless you have some specific need.
+  - `agentHttpApiPort`: "`9030`" 
+    - **Description**: Port number for the tratteria agent HTTP APIs. Do not change this unless you have some specific need.
   - `agentInterceptorPort`: "`9050`" 
     - **Description**: The port number for the tratteria agent's incoming requests interceptor. Do not change this unless you have some specific need.
-  - `spiffeEndpointSocket`: "`unix:///run/spire/sockets/agent.sock`" 
-    - **Description**: Path to the SPIFFE Workload API Unix socket. Do not change this if you are using the tconfigd SPIRE installation.
-  - `tconfigdSpiffeId`: "`spiffe://tratteria.io/tconfigd`" 
-    - **Description**: SPIFFE ID for tconfigd. Do not change this if you are using the tconfigd SPIRE installation.
 
 
-### 3. Run the Installation Script
+### 4. Run the Installation Script
 
-Deploy the tconfigd to your Kubernetes cluster by running the installation script:
+Deploy tconfigd to your Kubernetes cluster by running the installation script:
 
 ```bash
 ./install.sh
 ```
 
-### 4. Verification
+### 5. Verification
 
 Verify the installation by checking the status of the tconfigd pod in the `tratteria-system` namespace. Use the following command to view the pod:
 
 ```bash
 kubectl get pods -n tratteria-system
 ```
 
-For a practical example of installing tconfigd on a microservice application, refer to the [example-application](https://github.com/tratteria/example-application).
-
-## Environment with Existing SPIRE Installation
-If you already have SPIRE installed, follow these steps to install tconfigd:
-
-### 1. Register tconfigd with your running SPIRE:
-Below is a sample registartion command:
-
-```bash
-kubectl exec -n spire spire-server-0 -- \
-    /opt/spire/bin/spire-server entry create --dns tconfigd tratteria-system.svc \
-    -spiffeID spiffe://<your-trust-domain>/tconfigd \
-    -parentID spiffe://<your-trust-domain>/ns/spire/sa/spire-agent \
-    -selector k8s:ns:tratteria-system \
-    -selector k8s:sa:tconfigd-service-account
-```
-
-### 2. Clone the tconfig Repository:
-
-Follow the [instructions to clone the repository](#1-clone-the-repository) from the general installation guide.
-
-### 3. Configure tconfigd:
-
-Adjust the following fields in your `config.yaml` file to align with your SPIRE settings.
-
-```yaml
-spiffeEndpointSocket: "unix:///run/spire/sockets/agent.sock" # Path to the SPIFFE Workload API Unix socket, replace this if your installation settings differ.
-tconfigdSpiffeId: "spiffe://<trust-domain>/tconfigd" # SPIFFE ID used in the registration command above.
-```
-
-For configuring other fields, refer to the [general installation configuration guide above](#2-configure-tconfigd).
-
-### 4. Run the Installation Script:
-
-When installing tconfigd, add the `--no-spire` flag to the installation script to prevent reinstalling SPIRE in your environment. Similarly, use this flag when running the uninstallation script to keep SPIRE intact.
-
-```bash
-./install.sh --no-spire
-```
-
-### 5. Verify Installation:
+<br>
 
-Follow the [verification steps](#4-verification) provided in the general installation guide.
+For a practical example of installing tconfigd on a microservice application, refer to the example-application's [deployment resources](https://github.com/tratteria/example-application/tree/main/deploy).
 
-For a practical example of installing tconfigd on a microservice application with existing SPIRE setup, refer to the [example-application-with-existing-spire](https://github.com/tratteria/example-application-with-existing-spire).

installation/config.yaml

@@ -1,6 +1,6 @@
 enableTratInterception: "true" # Enable or disable incoming requests interception for TraT verification
+spireAgentHostDir: "/run/spire/sockets" # Host directory where the SPIRE agent's socket resides; update this if different in your environment
+tratteriaSpiffeId: "spiffe://[your-trust-domain]/tratteria" # Replace "trust-domain" with your trust domain
 agentHttpsApiPort: "9040" # Port number for the tratteria agent HTTPS APIs
 agentHttpApiPort: "9030" # Port number for the tratteria agent HTTP APIs
 agentInterceptorPort: "9050" # Port number for the tratteria agent incoming requests interceptor
-spiffeEndpointSocket: "unix:///run/spire/sockets/agent.sock" # Don't change this if you are using tconfigd SPIRE installation
-tratteriaSpiffeId: "spiffe://<trust-domain>/tratteria" # Replace "<trust-domain>" with your trust domain

installation/install.sh

@@ -12,13 +12,6 @@ success() {
     printf "\e[32m%s\n\e[0m" "$1"
 }
 
-usage() {
-    echo "Usage: $0 [OPTIONS]"
-    echo "Options:"
-    echo "  --no-spire    Skips the installation of SPIRE."
-    echo "  -h, --help    Displays this help message."
-}
-
 apply_k8s_config() {
     kubectl apply -f $1 || { error "Failed to apply configuration for $1"; exit 1; }
 }
@@ -32,29 +25,11 @@ validate_resource() {
     fi
 }
 
-install_spire=true
-
-while [[ "$#" -gt 0 ]]; do
-    case $1 in
-        --no-spire) install_spire=false ;;
-        -h|--help) usage; exit 0 ;;
-        *) echo "Unknown option: $1"; usage; exit 1 ;;
-    esac
-    shift
-done
-
 if kubectl get namespace tratteria-system > /dev/null 2>&1; then
     error "tconfigd is already installed. Please uninstall the existing installation before proceeding."
     exit 1
 fi
 
-if [ "$install_spire" = true ]; then
-    cd resources/spire
-    chmod +x install.sh
-    ./install.sh
-    cd ../../
-fi
-
 info "Installing tconfigd..."
 
 apply_k8s_config resources/namespaces.yaml

installation/resources/deployment.yaml

@@ -21,6 +21,9 @@ spec:
           name: tconfigd
           args: ["/etc/tconfigd/config/config.yaml"]
           imagePullPolicy: Never
+          env:
+            - name: SPIFFE_ENDPOINT_SOCKET
+              value: unix:///run/spire/sockets/agent.sock
           ports:
             - containerPort: 8443
               protocol: TCP
@@ -40,5 +43,5 @@ spec:
             name: config
         - name: spire-agent-socket
           hostPath:
-            path: /run/spire/sockets
+            path: /run/spire/sockets # Host directory where the SPIRE agent's socket resides; update this if different in your environment
             type: Directory