Stand up SPIFFE/SPIRE in the demo Kubernetes namespace, migrate a representative set of services to consume SPIFFE-issued identities, and capture operational runbooks. #620

Closed
opened 2026-03-28 04:26:31 +00:00 by mfreeman451 · 4 comments
Owner

Imported from GitHub.

Original GitHub issue: #1892
Original author: @mfreeman451
Original URL: https://github.com/carverauto/serviceradar/issues/1892
Original created: 2025-10-25T21:39:44Z


No description provided.

Author
Owner

Imported GitHub comment.

Original author: @mfreeman451
Original URL: https://github.com/carverauto/serviceradar/issues/1892#issuecomment-3447802532
Original created: 2025-10-25T22:03:03Z


  • Added a kustomize target for the SPIRE namespace and pulled it into the demo base so we can deploy server/agent alongside the rest of the stack.
  • Trimmed the server config to run against Postgres without the cert-manager upstream authority for now; README now calls out the manual database bootstrap until we automate it with CNPG roles.
Author
Owner

Imported GitHub comment.

Original author: @mfreeman451
Original URL: https://github.com/carverauto/serviceradar/issues/1892#issuecomment-3447829113
Original created: 2025-10-25T22:24:47Z


  • CNPG cluster now provisions the spire database/user via managed roles, driven by the new k8s/cnpg/spire-db-credentials.yaml secret. Applied manifests stay idempotent—no manual psql needed.
  • SPIRE deployment docs updated to reference the declarative workflow; kubectl apply -k k8s/demo/base/spire assumes the CNPG resources are in place.
Author
Owner

Imported GitHub comment.

Original author: @mfreeman451
Original URL: https://github.com/carverauto/serviceradar/issues/1892#issuecomment-3447841599
Original created: 2025-10-25T22:52:19Z


  • Added a pg-secret-sync job so the SPIRE namespace automatically mirrors the CNPG-managed database credentials; the static secret manifest is gone.
  • Extended the gRPC security plumbing to understand server_spiffe_id (and parse trust domains), laying the groundwork for running core in SPIFFE mode once the workloads are registered.
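The comment above mentions teaching the gRPC security plumbing to understand `server_spiffe_id` and parse trust domains. The following is an added example, not code from the serviceradar project, showing what that parsing and the client-side peer check look like in plain Go with only the standard library: a strict SPIFFE ID parser (scheme, trust-domain charset and length, path segments, no port/userinfo/query) and an `AuthorizePeer` function that compares the presented peer identity against the configured server ID. The trust domain `demo.example` and the `/ns/demo/sa/...` paths are constructed sample values, and the function names are this example's own.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Every SPIFFE ID starts with this scheme prefix.
const spiffeScheme = "spiffe://"

// ID is a parsed SPIFFE ID: spiffe://<trust-domain><path>.
type ID struct {
	TrustDomain string // e.g. "demo.example" (constructed sample value)
	Path        string // e.g. "/ns/demo/sa/core", or "" for the trust-domain ID itself
}

var (
	ErrScheme      = errors.New("spiffe id: must start with spiffe://")
	ErrTrustDomain = errors.New("spiffe id: trust domain empty, over 255 chars, or outside [a-z0-9._-]")
	ErrPath        = errors.New("spiffe id: path must be empty or /seg(/seg)*, no \".\"/\"..\" segments, chars [A-Za-z0-9._-]")
)

// Parse validates s against the SPIFFE ID grammar and splits it into trust domain and path.
// It deliberately avoids net/url: url.Parse silently accepts ports, userinfo, query strings
// and percent-escapes that the SPIFFE standard forbids, so a lenient parser would let a
// peer present an identity that "looks like" the expected one but is not equal to it.
func Parse(s string) (ID, error) {
	if !strings.HasPrefix(s, spiffeScheme) {
		return ID{}, ErrScheme
	}
	rest := s[len(spiffeScheme):]
	td, path := rest, ""
	if i := strings.IndexByte(rest, '/'); i >= 0 {
		td, path = rest[:i], rest[i:]
	}
	if !validTrustDomain(td) {
		return ID{}, ErrTrustDomain
	}
	if !validPath(path) {
		return ID{}, ErrPath
	}
	return ID{TrustDomain: td, Path: path}, nil
}

func validTrustDomain(td string) bool {
	if len(td) == 0 || len(td) > 255 {
		return false
	}
	for _, c := range []byte(td) {
		switch {
		case c >= 'a' && c <= 'z', c >= '0' && c <= '9', c == '.', c == '-', c == '_':
		default:
			return false // uppercase, ':', '@', '?', '#' and anything else is rejected
		}
	}
	return true
}

func validPath(path string) bool {
	if path == "" {
		return true
	}
	if path[0] != '/' {
		return false
	}
	for _, seg := range strings.Split(path[1:], "/") {
		if seg == "" || seg == "." || seg == ".." {
			return false // rejects "//", a trailing "/", and traversal-looking segments
		}
		for _, c := range []byte(seg) {
			switch {
			case c >= 'a' && c <= 'z', c >= 'A' && c <= 'Z', c >= '0' && c <= '9', c == '.', c == '-', c == '_':
			default:
				return false
			}
		}
	}
	return true
}

// String re-serialises the ID in canonical form.
func (id ID) String() string { return spiffeScheme + id.TrustDomain + id.Path }

// AuthorizePeer is the check a client runs after the TLS handshake: the peer's URI SAN
// (presented) must equal the configured server_spiffe_id (expected) exactly. Comparing
// parsed, validated IDs means a malformed configured value fails closed with a clear error.
func AuthorizePeer(expected, presented string) error {
	want, err := Parse(expected)
	if err != nil {
		return fmt.Errorf("configured server_spiffe_id %q: %w", expected, err)
	}
	got, err := Parse(presented)
	if err != nil {
		return fmt.Errorf("peer id %q: %w", presented, err)
	}
	if got != want {
		return fmt.Errorf("peer %s is not the expected server %s", got, want)
	}
	return nil
}

// SameTrustDomain is the looser check used when any workload in the domain is acceptable.
func SameTrustDomain(a, b ID) bool { return a.TrustDomain == b.TrustDomain }

func main() {
	// Constructed sample identities, not values from the serviceradar demo configuration.
	server := "spiffe://demo.example/ns/demo/sa/core"
	for _, peer := range []string{server, "spiffe://demo.example/ns/demo/sa/poller", "spiffe://Demo.example/ns/demo/sa/core"} {
		fmt.Printf("%-45s -> %v\n", peer, AuthorizePeer(server, peer))
	}
}
```

Running it shows the exact match accepted, the poller identity rejected as "not the expected server", and the uppercase trust domain rejected at parse time rather than compared.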
Author
Owner

Imported GitHub comment.

Original author: @mfreeman451
Original URL: https://github.com/carverauto/serviceradar/issues/1892#issuecomment-3447851887
Original created: 2025-10-25T23:04:11Z


  • Core and poller deployments now mount the SPIRE workload socket, run under dedicated service accounts, and use SPIFFE for their gRPC link.
  • SPIRE seeds the required registration entries via a post-start hook, while the demo config flips core↔poller security to spiffe and swaps probes to TCP so they stay healthy in the new mode.