Connect Reference

This repository contains scripts and configuration to create reference deployments of Connect workload clusters.

Access requirements

In order to run these reference deployments, you will need the following information:

• Access to a Cofide Connect API
  • Connect API URL
  • Connect trust domain
  • Connect bundle host
• Connect API login
  • OIDC authorization domain and client ID
• AWS credentials
  • Authorized for access to Cofide Elastic Container Registry (ECR) repositories

The scripts use the aws CLI to obtain credentials for Docker and Helm to access ECR.

Software Requirements

You will also need the following software installed on the machine running the deployments:

• aws CLI
• curl
• docker
• Helm
• kubectl
• uuidgen

If running the local Kind-based deployments you will also need:

• kind

Configuration

Create a config.env file from the example:

cp config.env.example config.env

Edit config.env to populate the variables for your Connect API.

EKS

NOTE: The provided Terraform configuration for creating an EKS cluster uses a module that is currently private to Cofide. It is possible to use an existing EKS cluster.

Skip this section if not running scripts that execute against AWS EKS.

Create a terraform.tfvars file from the example:

cp terraform/eks-clusters/terraform.tfvars.example terraform/eks-clusters/terraform.tfvars

Edit terraform/eks-clusters/terraform.tfvars to populate the variables for your EKS cluster.

Create an eks.env file from the example:

cp eks.env.example eks.env

Edit eks.env to populate the variables for your EKS cluster.

Download cofidectl and Connect plugin

Run this script to download cofidectl and the Connect plugin:

./get-cofidectl.sh

Prerequisites

Run this script before any others to perform checks and logins:

./prerequisites.sh

Login

If prerequisites have already been installed, run this script to just do the logins:

./login.sh

Single trust zone with cofidectl

Run this script to deploy a single trust zone in a Kind cluster using cofidectl with OSS SPIRE. Validates the deployment with ping-pong.

./single-trust-zone-cofidectl.sh

A corresponding script that uses cofidectl and terraform-provider-cofide with Cofide SPIRE can be run using:

./single-trust-zone-cofidectl-tf.sh

Federated trust zones with cofidectl

Run this script to deploy two federated trust zones in Kind clusters using cofidectl with Cofide SPIRE. Validates the deployment with federated ping-pong.

./federated-cofidectl.sh

A corresponding script that uses cofidectl and terraform-provider-cofide, with the Cofide trust zone server can be run using:

./federated-cofidectl-tf.sh

Multi-mesh with cofidectl

Run this script to deploy two federated trust zones in Kind clusters with Istio using cofidectl with Cofide SPIRE. An Istio gateway and a Cofide Federated Service are created in one of the clusters. Validates the deployment with multi-mesh ping-pong.

./multi-mesh-cofidectl.sh

Single trust zone with cofidectl on EKS

This script requires an AWS EKS cluster. Use your own EKS cluster or use the Terraform configration in terraform/eks-clusters to provision one.

Run this script to deploy a single trust zone in an existing AWS EKS cluster using cofidectl. Validates the deployment with ping-pong.

./single-trust-zone-cofidectl-eks.sh

Federated trust zones with Helm on EKS

This script requires two AWS EKS clusters. Use your own EKS clusters or use the Terraform configration in terraform/eks-clusters to provision them.

Run this script to deploy two federated trust zones in existing AWS EKS clusters using cofidectl to generate Helm values with the Cofide Terraform provider and Cofide Trust Zone Server. Validates the deployment with ping-pong.

./federated-helm-tf-eks.sh