Set up an API Signer to run on Kubernetes.
Here's the general flow:
- First, provision API Signer on a local machine using the Fordefi web console.
- Activate the API Signer.
- Prepare the cluster for the Helm deployment by setting the necessary API Signer state and use Helm Chart to deploy the API Signer to the remote cluster.
- Provision API users by registering them using API Signer.
Provision API Signer
-
Create an API Signer in the Fordefi web console.
-
Log in to Fordefi's Docker repository:
docker login -ufordefi fordefi.jfrog.io -
Run the API Signer on a local machine, mounting a local directory for storing its credentials:
docker run -v /path/to/api-signer-storage:/storage \ -it fordefi.jfrog.io/fordefi/api-signer:latestOutput:
======================================== ========= API-Signer Main Menu ========= ======================================== Use the arrow keys to navigate: β β β β ? API-Signer is not provisioned. What do you want to do?: βΈ Provision signer Configure signer Exit -
When prompted, choose
Provision signerand follow the on-screen instructions.
Move on to Activate the API Signer to ensure that the API Signer is part of your organization.
Prepare the cluster for Helm Chart deployment
-
Create a namespace:
kubectl create namespace fordefi-api-signer -
Store the image pull secret in the namespace:
kubectl create secret docker-registry -n fordefi-api-signer fordefi-reg-creds \ --docker-server=fordefi.jfrog.io \ --docker-username=fordefi --docker-password=<password> -
Store the API Signer secrets in the namespace:
kubectl create secret generic -n fordefi-api-signer \ --from-file credentials=/path/to/api-signer-storage/filedb/CREDENTIALS.json \ --from-file secrets=/path/to/api-signer-storage/filedb/SECRETS.json \ api-signer-secrets -
Add the Helm repository:
helm repo add fordefi-helm \ https://fordefi.jfrog.io/artifactory/api/helm/fordefi-helm \ --username fordefi --password <password> -
Update Helm repositories:
helm repo update -
Install the Helm chart:
helm install \ --namespace fordefi-api-signer \ fordefi-api-signer \ fordefi-helm/api-signerOutput:
NAME: api-signer-1697478488 LAST DEPLOYED: Mon Oct 16 20:48:10 2023 NAMESPACE: fordefi-api-signer STATUS: deployed REVISION: 1 TEST SUITE: None -
Check that the deployment was successful:
kubectl get pod -n fordefi-api-signerOutput:
NAME READY STATUS RESTARTS AGE api-signer-1697478488-54b4dc44c6-njhw9 1/1 Running 0 62s -
Once you have completed all the steps, ensure that you delete the files that were created by API Signer from your local machine:
rm -rf /path/to/api-signer-storage
Provision new API users
Create an API user in the web console and follow the pairing instructions. Then, to upload the public key to API Signer, run the following command and continue as instructed.
kubectl exec -it $(kubectl get pods -n fordefi-api-signer | grep api-signer | awk '{print $1}'| head -n 1) -n fordefi-api-signer -- ./api-signer