Set up an API Signer to run on Kubernetes.
Here's the general flow:
- First, provision the API Signer on a local machine using the Fordefi web console.
- Activate the API Signer.
- Prepare the cluster for the Helm deployment by setting the necessary API Signer state, then use the Helm chart to deploy the API Signer to the remote cluster.
- Provision API users by registering them with the API Signer.
Create an API Signer in the Fordefi web console.
Log in to Fordefi's Docker repository:
```
docker login -ufordefi fordefi.jfrog.io
```
Run the API Signer on a local machine, mounting a local directory for storing its credentials:
```
docker run -v /path/to/api-signer-storage:/storage \
  -it fordefi.jfrog.io/fordefi/api-signer:latest
```
Output:
```
========================================
========= API-Signer Main Menu =========
========================================
Use the arrow keys to navigate: ↓ ↑ → ←
? API-Signer is not provisioned. What do you want to do?:
  ▸ Provision signer
    Configure signer
    Exit
```
When prompted, choose `Provision signer` and follow the on-screen instructions.
Move on to Activate the API Signer to ensure that the API Signer is part of your organization.
Create a namespace:
```
kubectl create namespace fordefi-api-signer
```
Store the image pull secret in the namespace:
```
kubectl create secret docker-registry -n fordefi-api-signer fordefi-reg-creds \
  --docker-server=fordefi.jfrog.io \
  --docker-username=fordefi --docker-password=<password>
```
Store the API Signer secrets in the namespace:
```
kubectl create secret generic -n fordefi-api-signer \
  --from-file credentials=/path/to/api-signer-storage/filedb/CREDENTIALS.json \
  --from-file secrets=/path/to/api-signer-storage/filedb/SECRETS.json \
  api-signer-secrets
```
Add the Helm repository:
```
helm repo add fordefi-helm \
  https://fordefi.jfrog.io/artifactory/api/helm/fordefi-helm \
  --username fordefi --password <password>
```
Update Helm repositories:
```
helm repo update
```
Install the Helm chart:
```
helm install \
  --namespace fordefi-api-signer \
  fordefi-api-signer \
  fordefi-helm/api-signer
```
Output:
```
NAME: api-signer-1697478488
LAST DEPLOYED: Mon Oct 16 20:48:10 2023
NAMESPACE: fordefi-api-signer
STATUS: deployed
REVISION: 1
TEST SUITE: None
```
Check that the deployment was successful:
```
kubectl get pod -n fordefi-api-signer
```
Output:
```
NAME                                     READY   STATUS    RESTARTS   AGE
api-signer-1697478488-54b4dc44c6-njhw9   1/1     Running   0          62s
```
Once you have completed all the steps, ensure that you delete the files that were created by API Signer from your local machine:
```
rm -rf /path/to/api-signer-storage
```
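A check to run before the deletion step above: confirm that the `api-signer-secrets` secret in the cluster is byte-identical to the local `CREDENTIALS.json` and `SECRETS.json`, since the local directory is the only other copy. This is an added example, not part of Fordefi's documentation; it assumes `kubectl` access to the namespace plus `base64` and `cmp` on the local machine, and the function names are illustrative.

```shell
#!/bin/sh
# Added example: verify the in-cluster secret against the local API Signer
# files before the local copy is deleted.
# Default names come from the commands on this page; override via environment.
NAMESPACE="${NAMESPACE:-fordefi-api-signer}"
SECRET_NAME="${SECRET_NAME:-api-signer-secrets}"

# compare_key KEY FILE
# Streams the decoded secret value straight into cmp, so no extra copy of the
# key material is written to disk.
compare_key() {
    k="$1"; f="$2"
    # Refuse an empty or missing local file: a failed fetch yields empty
    # input and would otherwise compare equal to an empty file.
    [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 2; }
    kubectl get secret "$SECRET_NAME" -n "$NAMESPACE" \
        -o "jsonpath={.data.$k}" | base64 -d | cmp -s - "$f"
}

# verify_signer_secrets STORAGE_DIR
# Returns 0 only if both secret keys match the local files byte for byte.
verify_signer_secrets() {
    dir="$1"; rc=0
    for pair in "credentials:CREDENTIALS.json" "secrets:SECRETS.json"; do
        key="${pair%%:*}"; name="${pair#*:}"
        if compare_key "$key" "$dir/filedb/$name"; then
            echo "match: $key"
        else
            echo "MISMATCH: $key differs from $dir/filedb/$name" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Usage: sh verify-signer-secret.sh /path/to/api-signer-storage
if [ "$#" -ge 1 ]; then
    verify_signer_secrets "$1" && echo "cluster secret verified; local copy can be removed"
fi
```

A non-zero exit status means the local files should be kept until the secret has been recreated and the check passes.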
Create an API user in the web console and follow the pairing instructions. Then, to upload the public key to API Signer, run the following command and continue as instructed.
```
kubectl exec -it $(kubectl get pods -n fordefi-api-signer | grep api-signer | awk '{print $1}' | head -n 1) -n fordefi-api-signer -- ./api-signer
```