Installation Guide

System Requirements

Operating Systems

System    Architecture    Support status
Linux     amd64, arm64    Fully supported
macOS     amd64, arm64    Fully supported
Windows   amd64           Experimental

Hardware Requirements

SPIRE Server:

  • CPU: 2+ cores

  • Memory: 2 GB+

  • Disk: depends on the number of registration entries

SPIRE Agent:

  • CPU: 1+ cores

  • Memory: 512 MB+

  • Disk: 100 MB+

Linux Installation

Using the Prebuilt Package

# Set the version
SPIRE_VERSION="1.9.0"

# Download the release archive
curl -LO "https://github.com/spiffe/spire/releases/download/v${SPIRE_VERSION}/spire-${SPIRE_VERSION}-linux-amd64-musl.tar.gz"

# Verify the checksum before extracting
curl -LO "https://github.com/spiffe/spire/releases/download/v${SPIRE_VERSION}/spire-${SPIRE_VERSION}-linux-amd64-musl.tar.gz.sha256sum"
sha256sum -c "spire-${SPIRE_VERSION}-linux-amd64-musl.tar.gz.sha256sum"

# Extract
tar -xzf "spire-${SPIRE_VERSION}-linux-amd64-musl.tar.gz"

# Install under /opt
sudo mv "spire-${SPIRE_VERSION}" /opt/spire
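The download and checksum steps above as one fail-closed script, added here as an example and not part of the SPIRE project: it maps the output of uname -m to the architecture label in the release asset name and extracts only after sha256sum confirms the digest. The arm64 asset name is assumed to follow the amd64 pattern shown above.

```shell
#!/usr/bin/env bash
# Added example (not from the SPIRE project): fail-closed fetch of a Linux
# release. The arm64 asset name and the sha256sum file format are assumed to
# follow the amd64 pattern shown in the guide.
set -euo pipefail

# Map `uname -m` output to the architecture label used in release asset names.
spire_arch() {
  case "$1" in
    x86_64|amd64)  echo amd64 ;;
    aarch64|arm64) echo arm64 ;;
    *) echo "unsupported architecture: $1" >&2; return 1 ;;
  esac
}

# Asset name for a given version and machine type,
# e.g. spire_asset_name 1.9.0 x86_64 -> spire-1.9.0-linux-amd64-musl.tar.gz
spire_asset_name() {
  local arch
  arch=$(spire_arch "$2") || return 1
  echo "spire-$1-linux-${arch}-musl.tar.gz"
}

# Verify DIR/ASSET against DIR/ASSET.sha256sum. Succeeds only when both files
# exist and sha256sum confirms the digest; --strict rejects malformed lines.
spire_verify_archive() {
  local dir=$1 asset=$2
  [ -f "$dir/$asset" ] && [ -f "$dir/$asset.sha256sum" ] || return 1
  (cd "$dir" && sha256sum --check --strict --status "$asset.sha256sum")
}

# Download the release and its checksum file, then extract only after the
# checksum verifies. A bad archive is deleted rather than left on disk.
spire_fetch() {
  local version=$1 dir=$2 asset base
  asset=$(spire_asset_name "$version" "$(uname -m)") || return 1
  base="https://github.com/spiffe/spire/releases/download/v${version}"
  mkdir -p "$dir"
  curl -fsSL -o "$dir/$asset" "$base/$asset"
  curl -fsSL -o "$dir/$asset.sha256sum" "$base/$asset.sha256sum"
  if ! spire_verify_archive "$dir" "$asset"; then
    echo "checksum verification failed for $asset; not extracting" >&2
    rm -f "$dir/$asset" "$dir/$asset.sha256sum"
    return 1
  fi
  tar -xzf "$dir/$asset" -C "$dir"
  echo "$dir/spire-$version"   # extracted directory, ready to move to /opt/spire
}
```

Run spire_fetch "1.9.0" /tmp/spire-dl and move the printed directory to /opt/spire as in the steps above.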

Create a System User

# Create the spire user
sudo useradd -r -s /bin/false spire

# Set directory ownership
sudo mkdir -p /opt/spire/data
sudo chown -R spire:spire /opt/spire/data

Configure systemd Services

SPIRE Server service:

# /etc/systemd/system/spire-server.service
[Unit]
Description=SPIRE Server
After=network.target

[Service]
Type=simple
User=spire
Group=spire
ExecStart=/opt/spire/bin/spire-server run -config /opt/spire/conf/server/server.conf
Restart=on-failure
RestartSec=10

[Install]
WantedBy=multi-user.target

SPIRE Agent service:

# /etc/systemd/system/spire-agent.service
[Unit]
Description=SPIRE Agent
After=network.target spire-server.service

[Service]
Type=simple
User=root
ExecStart=/opt/spire/bin/spire-agent run -config /opt/spire/conf/agent/agent.conf
Restart=on-failure
RestartSec=10

[Install]
WantedBy=multi-user.target

Enable the services:

sudo systemctl daemon-reload
sudo systemctl enable spire-server spire-agent
sudo systemctl start spire-server
sudo systemctl start spire-agent

Kubernetes Installation

Using Helm

# Add the SPIFFE Helm repository
helm repo add spiffe https://spiffe.github.io/helm-charts-hardened/
helm repo update

# Install SPIRE
helm install spire spiffe/spire \
  --namespace spire-system \
  --create-namespace \
  --set global.spire.trustDomain=example.org

Using YAML Manifests

# Apply the CRD
kubectl apply -f https://raw.githubusercontent.com/spiffe/spire/main/support/k8s/k8s-workload-registrar/mode-crd/config/spiffeid.spiffe.io_spiffeids.yaml

# Deploy SPIRE Server
kubectl apply -f spire-server.yaml

# Deploy SPIRE Agent
kubectl apply -f spire-agent.yaml

Docker Installation

Docker Compose Example

version: '3'

services:
  spire-server:
    image: ghcr.io/spiffe/spire-server:latest
    hostname: spire-server
    volumes:
      - ./server.conf:/etc/spire/server.conf
      - spire-server-data:/opt/spire/data/server
    ports:
      - "8081:8081"
    command: ["-config", "/etc/spire/server.conf"]

  spire-agent:
    image: ghcr.io/spiffe/spire-agent:latest
    hostname: spire-agent
    depends_on:
      - spire-server
    volumes:
      - ./agent.conf:/etc/spire/agent.conf
      - /var/run/docker.sock:/var/run/docker.sock
      - spire-agent-socket:/tmp/spire-agent/public
    command: ["-config", "/etc/spire/agent.conf"]

volumes:
  spire-server-data:
  spire-agent-socket:

Verify the Installation

Check Server Status

# Check health
/opt/spire/bin/spire-server healthcheck

# View logs
journalctl -u spire-server -f

Check Agent Status

# Check health
/opt/spire/bin/spire-agent healthcheck

# View logs
journalctl -u spire-agent -f

Troubleshooting

Common Issues

Server fails to start:

# Check the configuration syntax
/opt/spire/bin/spire-server validate -config /opt/spire/conf/server/server.conf

Agent cannot connect to the Server:

# Check network connectivity
nc -zv spire-server 8081

# Check the trust bundle
cat /opt/spire/conf/agent/bootstrap.crt

Workloads cannot obtain an SVID:

# Check the Agent socket
ls -la /tmp/spire-agent/public/api.sock

# Check the registration entries
/opt/spire/bin/spire-server entry show

Next Steps

Continue with the Quick Start to begin configuring SPIRE.