Set up an API Signer to run on Kubernetes.
Here's the general flow:
- First, provision the API Signer on a local machine using the Fordefi web console.
- Activate the API Signer.
- Prepare the cluster for the Helm deployment by setting the necessary API Signer state, then use the Helm chart to deploy the API Signer to the remote cluster.
- Provision API users by registering them with the API Signer.
Provision API Signer
- Create an API Signer in the Fordefi web console.
- Log in to Fordefi's Docker repository:
  docker login -ufordefi fordefi.jfrog.io
- Run the API Signer on a local machine, mounting a local directory for storing its credentials:
  docker run -v /path/to/api-signer-storage:/storage \
    -it fordefi.jfrog.io/fordefi/api-signer:latest
  Output:
  ========================================
  ========= API-Signer Main Menu =========
  ========================================
  Use the arrow keys to navigate: ↓ ↑ → ←
  ? API-Signer is not provisioned. What do you want to do?:
    ▸ Provision signer
      Configure signer
      Exit
- When prompted, choose Provision signer and follow the on-screen instructions.
Move on to Activate the API Signer to ensure that the API Signer is part of your organization.
Prepare the cluster for Helm Chart deployment
- Create a namespace:
  kubectl create namespace fordefi-api-signer
- Store the image pull secret in the namespace:
  kubectl create secret docker-registry -n fordefi-api-signer fordefi-reg-creds \
    --docker-server=fordefi.jfrog.io \
    --docker-username=fordefi --docker-password=<password>
- Store the API Signer secrets in the namespace:
  kubectl create secret generic -n fordefi-api-signer \
    --from-file credentials=/path/to/api-signer-storage/filedb/CREDENTIALS.json \
    --from-file secrets=/path/to/api-signer-storage/filedb/SECRETS.json \
    api-signer-secrets
- Add the Helm repository:
  helm repo add fordefi-helm \
    https://fordefi.jfrog.io/artifactory/api/helm/fordefi-helm \
    --username fordefi --password <password>
- Update Helm repositories:
  helm repo update
- Install the Helm chart:
  helm install \
    --namespace fordefi-api-signer \
    fordefi-api-signer \
    fordefi-helm/api-signer
  Output:
  NAME: api-signer-1697478488
  LAST DEPLOYED: Mon Oct 16 20:48:10 2023
  NAMESPACE: fordefi-api-signer
  STATUS: deployed
  REVISION: 1
  TEST SUITE: None
- Check that the deployment was successful:
  kubectl get pod -n fordefi-api-signer
  Output:
  NAME                                     READY   STATUS    RESTARTS   AGE
  api-signer-1697478488-54b4dc44c6-njhw9   1/1     Running   0          62s
- Once you have completed all the steps, ensure that you delete the files that were created by API Signer from your local machine:
  rm -rf /path/to/api-signer-storage
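Before the local directory is removed, it is worth confirming that the secret stored in the cluster holds exactly the bytes of the local files. The following check is an added example, not part of Fordefi's documentation or tooling; it uses the namespace, secret name and key names from the commands above, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: confirm the in-cluster secret matches the local files
# before deleting /path/to/api-signer-storage.
# Namespace, secret name and key names are the ones used on this page;
# the function names are hypothetical.

NAMESPACE="fordefi-api-signer"
SECRET="api-signer-secrets"

# Fetch one key of the secret, still base64-encoded, via kubectl jsonpath.
secret_key_b64() {
    kubectl get secret "$SECRET" -n "$NAMESPACE" -o "jsonpath={.data.$1}"
}

# Succeed only if secret key $1 decodes to exactly the bytes of file $2.
# The decoded value is piped to cmp; it is never printed or written to disk.
key_matches_file() {
    [ -s "$2" ] || { echo "missing or empty local file: $2" >&2; return 2; }
    b64=$(secret_key_b64 "$1") || { echo "cannot read key: $1" >&2; return 2; }
    [ -n "$b64" ] || { echo "key absent from secret: $1" >&2; return 1; }
    printf '%s' "$b64" | base64 -d 2>/dev/null | cmp -s - "$2"
}

# $1 = local storage directory that was mounted at /storage.
# Fails closed: any missing key, unreadable file or byte difference returns 1.
verify_signer_secret() {
    key_matches_file credentials "$1/filedb/CREDENTIALS.json" || return 1
    key_matches_file secrets "$1/filedb/SECRETS.json" || return 1
    echo "secret $SECRET matches local files"
}
```

Source the file and run `verify_signer_secret /path/to/api-signer-storage`; delete the directory only if it exits 0.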
Provision new API users
Create an API user in the web console and follow the pairing instructions. Then, to upload the public key to API Signer, run the following command and continue as instructed.
kubectl exec -it $(kubectl get pods -n fordefi-api-signer | grep api-signer | awk '{print $1}'| head -n 1) -n fordefi-api-signer -- ./api-signer