Deploy API Signer to Kubernetes Using Helm Chart

Set up an API Signer to run on Kubernetes.

Here's the general flow:

  • First, provision API Signer on a local machine using the Fordefi web console.
  • Activate the API Signer.
  • Prepare the cluster for the Helm deployment by setting up the necessary API Signer state, then use the Helm chart to deploy the API Signer to the remote cluster.
  • Provision API users by registering them using API Signer.

Provision API Signer

  1. Create an API Signer in the Fordefi web console.

  2. Log in to Fordefi's Docker repository:

    docker login -ufordefi fordefi.jfrog.io
    
  3. Run the API Signer on a local machine, mounting a local directory for storing its credentials:

    docker run -v /path/to/api-signer-storage:/storage \
    		-it fordefi.jfrog.io/fordefi/api-signer:latest
    

    Output:

    ========================================
    ========= API-Signer Main Menu =========
    ========================================
    
    Use the arrow keys to navigate: ↓ ↑ → ← 
    ? API-Signer is not provisioned. What do you want to do?: 
      ▸ Provision signer
        Configure signer
        Exit
    
  4. When prompted, choose Provision signer and follow the on-screen instructions.

Move on to Activate the API Signer to ensure that the API Signer is part of your organization.

Prepare the cluster for Helm Chart deployment

  1. Create a namespace:

    kubectl create namespace fordefi-api-signer
    
  2. Store the image pull secret in the namespace:

    kubectl create secret docker-registry -n fordefi-api-signer fordefi-reg-creds \
    		--docker-server=fordefi.jfrog.io \
    		--docker-username=fordefi --docker-password=<password>
    
  3. Store the API Signer secrets in the namespace:

    kubectl create secret generic -n fordefi-api-signer \
    		--from-file credentials=/path/to/api-signer-storage/filedb/CREDENTIALS.json \
    		--from-file secrets=/path/to/api-signer-storage/filedb/SECRETS.json \
    		api-signer-secrets
    
  4. Add the Helm repository:

    helm repo add fordefi-helm \
    		https://fordefi.jfrog.io/artifactory/api/helm/fordefi-helm \
    		--username fordefi --password <password>
    
  5. Update Helm repositories:

    helm repo update
    
  6. Install the Helm chart:

    helm install \
    	--namespace fordefi-api-signer \
    	fordefi-api-signer \
    	fordefi-helm/api-signer
    

    Output:

    NAME: api-signer-1697478488
    LAST DEPLOYED: Mon Oct 16 20:48:10 2023
    NAMESPACE: fordefi-api-signer
    STATUS: deployed
    REVISION: 1
    TEST SUITE: None
    
  7. Check that the deployment was successful:

    kubectl get pod -n fordefi-api-signer
    

    Output:

    NAME                                     READY   STATUS    RESTARTS   AGE
    api-signer-1697478488-54b4dc44c6-njhw9   1/1     Running   0          62s
    
  8. Once you have completed all the steps, ensure that you delete the files that were created by API Signer from your local machine:

    rm -rf /path/to/api-signer-storage
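
A check to run before step 8, given as an added example that is not part of Fordefi's documentation: it compares each key of the api-signer-secrets Secret with the local file it was created from, so the local copy is deleted only after the cluster copy is confirmed byte-identical. It assumes kubectl, base64 and cmp are available and uses the namespace, Secret name, key names and paths from the steps above; the two function names are hypothetical.

```shell
#!/bin/sh
# Added example: run before step 8. Names and paths follow the steps above;
# the two function names are hypothetical.
NS=fordefi-api-signer
SECRET=api-signer-secrets

# secret_value_matches_file <base64-value> <local-file>
# Succeeds only if the decoded Secret value is byte-identical to the file.
secret_value_matches_file() {
    b64=$1
    file=$2
    [ -n "$b64" ] || return 1      # key missing or empty in the Secret
    [ -s "$file" ] || return 1     # local file missing or empty
    printf '%s' "$b64" | base64 -d 2>/dev/null | cmp -s - "$file"
}

# verify_signer_secret <storage-dir>
# Fetches both keys from the cluster and compares them with filedb/*.json.
verify_signer_secret() {
    dir=$1
    for pair in credentials:CREDENTIALS.json secrets:SECRETS.json; do
        key=${pair%%:*}
        name=${pair#*:}
        value=$(kubectl get secret "$SECRET" -n "$NS" \
            -o "jsonpath={.data.$key}") || return 1
        if ! secret_value_matches_file "$value" "$dir/filedb/$name"; then
            echo "MISMATCH: Secret key '$key' != $dir/filedb/$name" >&2
            return 1
        fi
    done
    echo "Secret $NS/$SECRET matches the local files in $dir"
}

# Usage, with kubectl access to the cluster:
#   verify_signer_secret /path/to/api-signer-storage \
#       && rm -rf /path/to/api-signer-storage
```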
    

Provision new API users

Create an API user in the web console and follow the pairing instructions. Then, to upload the public key to API Signer, run the following command and continue as instructed.

    kubectl exec -it $(kubectl get pods -n fordefi-api-signer | grep api-signer | awk '{print $1}'| head -n 1) -n fordefi-api-signer -- ./api-signer