While running through the envoy JWT tutorial I hit the following error
in the envoy-jwt-auth-helper:
/opt/helper/envoy-jwt-auth-helper: /lib/x86_64-linux-gnu/libc.so.6:
version `GLIBC_2.34' not found (required by /opt/helper/envoy-jwt-auth-helper)
The auth helper image builds with golang:latest (currently based on
debian bookworm), then copies to a debian buster.
This change fixes the issue by syncing the build and production stage
images.
Fixes: #136
Signed-off-by: Mark Goddard <mark@cofide.io>
SPIRE is moving away from the alpine Docker release images in favor of
scratch images that contain only the release binary to minimize the size
of the images and include only the software that is necessary to run in
the container.
Signed-off-by: Ryan Turner <turner@uber.com>
* Remove "ps"-based OIDC Discovery Provider readiness probes
We are migrating away from the alpine images towards the scratch images
being the default. In a scratch image, we don't have the "ps" binary.
There is a bug in the OIDC Discovery Provider that prevents the HTTP
liveness/readiness endpoint from being available outside the container
(see spiffe#spire/3629), so just remove the readiness probes for now.
Turn on the health check endpoint to the OIDC Discovery Provider so that
probes can be added later on once the issue is resolved.
Also update some old configs that are no longer correct to get the
examples to run properly.
Signed-off-by: Ryan Turner <turner@uber.com>
Update all tutorials to use SPIRE v1.5.0. Remove usage of deprecated
Server config parameter `default_svid_ttl` in favor of
`default_x509_svid_ttl` and `default_jwt_svid_ttl`.
Signed-off-by: Ryan Turner <turner@uber.com>
The noop NodeResolver has been removed in 1.0.0.
See:
- https://github.com/spiffe/spire/pull/2189
Signed-off-by: Wolodja Wentland <wolodja.wentland@control-plane.io>
The `k8s_sat` and `k8s_psat` NodeAttestor configurable
`service_account_whitelist` has been removed in the 1.1.0 release
after having been deprecated in favour of `service_account_allow_list`
in 1.0.0.
See:
- https://github.com/spiffe/spire/pull/2253
- https://github.com/spiffe/spire/pull/2543
Signed-off-by: Wolodja Wentland <wolodja.wentland@control-plane.io>
* Adds SPIRE-Vault OIDC tutorial
Signed-off-by: Maximiliano Churichi <maximiliano.churichi@hpe.com>
* Adds /keys path to OIDC ingress
Signed-off-by: Maximiliano Churichi <maximiliano.churichi@hpe.com>
* Adds JWKS method note
Signed-off-by: Maximiliano Churichi <maximiliano.churichi@hpe.com>
* Addresses comments by @sanderson042
Signed-off-by: Maximiliano Churichi <maximiliano.churichi@hpe.com>
* Address more comments by @sanderson042
Signed-off-by: Maximiliano Churichi <maximiliano.churichi@hpe.com>
* Addresses more comments by @sanderson042
Signed-off-by: Maximiliano Churichi <maximiliano.churichi@hpe.com>
* More fixes
Signed-off-by: Maximiliano Churichi <maximiliano.churichi@hpe.com>
* Fixes some typos
Signed-off-by: Maximiliano Churichi <maximiliano.churichi@hpe.com>
* Removes the RBAC policy from the Envoy-x509 backend Envoy config file and adds it as an option to extend the tutorial
Signed-off-by: Andres Gomez Coronel <andresgomezcoronel@gmail.com>
* Apply suggestions from code review
Co-authored-by: sanderson042 <steve.anderson@hpe.com>
Signed-off-by: Andres Gomez Coronel <andresgomezcoronel@gmail.com>
* Remove unnecessary spaces inside console blocks. Added details about symbank demo app to make the RBAC policy clearer.
Signed-off-by: Andres Gomez Coronel <andresgomezcoronel@gmail.com>
* Improved RBAC sections based on sanderson042 suggestions
Signed-off-by: Andres Gomez Coronel <andresgomezcoronel@gmail.com>
* Added some last improvements based on sanderson042 review
Signed-off-by: Andres Gomez Coronel <andresgomezcoronel@gmail.com>
Co-authored-by: sanderson042 <steve.anderson@hpe.com>