v1.10.4 Latest
SPIFFE Overview Concepts Community Presentations Get Involved
SPIRE About Concepts Use Cases Comparisons Case Studies
Try Quickstart for Linux and MacOS X Quickstart for Kubernetes Quickstart for Docker Compose
Plan Scaling SPIRE Extending
Deploy Getting SPIRE Install Server Install Agent Configuring Registering workloads Working with SVIDs SPIFFE Library Usage Examples SPIRE Agent Configuration Reference SPIRE Server Configuration Reference SPIRE Telemetry Configuration
Maintain Upgrade/Downgrade SPIRE
Helm Charts Hardened About Installation Upgrading Service Selection Recommendations Exposing Services Identifiers Namespaces
Advanced Federation Local Mirrors
Integrate SPIRE Securing Microservices Using Envoy with SPIRE SPIRE with Envoy and X.509-SVIDs SPIRE with Envoy and JWT-SVIDs Spire with OPA + Envoy + X.509-SVIDs Spire with OPA + Envoy + JWT-SVIDs
SVID Authentication AWS OIDC Authentication Vault Integration Example
SPIRE Architecture Nested SPIRE Example SPIRE Federation Example

Local Mirrors

How to setup a local mirror for SPIRE images

Identify Containers needing mirroring

Run:

helm template spire --repo https://spiffe.github.io/helm-charts-hardened/ -f your-values.yaml | yq e -rN \
 '[.spec, .spec.template.spec] | flatten(1) | .[]| [.containers, .initContainers] | flatten(1) | .[].image' - \
 | sort -u

Example output:

cgr.dev/chainguard/bash:latest
cgr.dev/chainguard/kubectl:latest
cgr.dev/chainguard/wait-for-it:latest-20230113
ghcr.io/spiffe/spiffe-csi-driver:0.2.3
ghcr.io/spiffe/spire-agent:1.6.3
ghcr.io/spiffe/spire-controller-manager:0.2.2
ghcr.io/spiffe/spire-server:1.6.3
registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.6.2

Mirror Containers

Copy each container to your local repository, replacing the server name but keeping the paths.

This is easiest to do with skopeo or crane, but can be done with docker as well.

Mirror the Charts to the Registry

Pull down SPIRE charts

helm pull spire-crds --repo https://spiffe.github.io/helm-charts-hardened/
helm pull spire --repo https://spiffe.github.io/helm-charts-hardened/

Push up charts to registry

helm push spire-crds*.tgz oci://<your registry url>/helm-charts-hardened/spire-crds
helm push spire-0*.tgz oci://<your registry url>/helm-charts-hardened/spire

Configuration

Update the repo values to point at your local mirror:

your-values.yaml snippet:

global:
  spire:
    image:
      registry: "<your registry url here>"

Installation

Install using the mirrored charts:

helm upgrade --install --create-namespace -n spire-mgmt spire-crds \
  oci://<your registry url>/helm-charts/spire-crds

helm upgrade --install -n spire-mgmt spire spire \
 --repo https://spiffe.github.io/helm-charts-hardened/ \
 -f your-values.yaml