# Installation Guide

## System Requirements

### Operating Systems

| System | Architecture | Support Status |
|---------|--------------|----------------|
| Linux | amd64, arm64 | Fully supported |
| macOS | amd64, arm64 | Fully supported |
| Windows | amd64 | Experimental |

### Hardware Requirements

**SPIRE Server:**

- CPU: 2+ cores
- Memory: 2GB+
- Disk: depends on the number of registration entries

**SPIRE Agent:**

- CPU: 1+ core
- Memory: 512MB+
- Disk: 100MB+

## Linux Installation

### Using the Pre-built Package

```bash
# Set the version
SPIRE_VERSION="1.9.0"

# Download
curl -LO "https://github.com/spiffe/spire/releases/download/v${SPIRE_VERSION}/spire-${SPIRE_VERSION}-linux-amd64-musl.tar.gz"

# Verify the checksum
curl -LO "https://github.com/spiffe/spire/releases/download/v${SPIRE_VERSION}/spire-${SPIRE_VERSION}-linux-amd64-musl.tar.gz.sha256sum"
sha256sum -c "spire-${SPIRE_VERSION}-linux-amd64-musl.tar.gz.sha256sum"

# Extract
tar -xzf "spire-${SPIRE_VERSION}-linux-amd64-musl.tar.gz"

# Install to /opt
sudo mv "spire-${SPIRE_VERSION}" /opt/spire
```

### Creating a System User

```bash
# Create the spire user
sudo useradd -r -s /bin/false spire

# Set directory permissions
sudo mkdir -p /opt/spire/data
sudo chown -R spire:spire /opt/spire/data
```

### Configuring systemd Services

**SPIRE Server service:**

```ini
# /etc/systemd/system/spire-server.service
[Unit]
Description=SPIRE Server
After=network.target

[Service]
Type=simple
User=spire
Group=spire
ExecStart=/opt/spire/bin/spire-server run -config /opt/spire/conf/server/server.conf
Restart=on-failure
RestartSec=10

[Install]
WantedBy=multi-user.target
```

**SPIRE Agent service:**

```ini
# /etc/systemd/system/spire-agent.service
[Unit]
Description=SPIRE Agent
After=network.target spire-server.service

[Service]
Type=simple
User=root
ExecStart=/opt/spire/bin/spire-agent run -config /opt/spire/conf/agent/agent.conf
Restart=on-failure
RestartSec=10

[Install]
WantedBy=multi-user.target
```

**Enabling the services:**

```bash
sudo systemctl daemon-reload
sudo systemctl enable spire-server spire-agent
sudo systemctl start spire-server
sudo systemctl start spire-agent
```

## Kubernetes Installation

### Using Helm

```bash
# Add the SPIFFE Helm repository
helm repo add spiffe https://spiffe.github.io/helm-charts-hardened/
helm repo update

# Install SPIRE
helm install spire spiffe/spire \
  --namespace spire-system \
  --create-namespace \
  --set global.spire.trustDomain=example.org
```

### Using YAML Manifests

```bash
# Apply the CRD
kubectl apply -f https://raw.githubusercontent.com/spiffe/spire/main/support/k8s/k8s-workload-registrar/mode-crd/config/spiffeid.spiffe.io_spiffeids.yaml

# Deploy SPIRE Server
kubectl apply -f spire-server.yaml

# Deploy SPIRE Agent
kubectl apply -f spire-agent.yaml
```

## Docker Installation

### Docker Compose Example

```yaml
version: '3'
services:
  spire-server:
    image: ghcr.io/spiffe/spire-server:latest
    hostname: spire-server
    volumes:
      - ./server.conf:/etc/spire/server.conf
      - spire-server-data:/opt/spire/data/server
    ports:
      - "8081:8081"
    command: ["-config", "/etc/spire/server.conf"]

  spire-agent:
    image: ghcr.io/spiffe/spire-agent:latest
    hostname: spire-agent
    depends_on:
      - spire-server
    volumes:
      - ./agent.conf:/etc/spire/agent.conf
      - /var/run/docker.sock:/var/run/docker.sock
      - spire-agent-socket:/tmp/spire-agent/public
    command: ["-config", "/etc/spire/agent.conf"]

volumes:
  spire-server-data:
  spire-agent-socket:
```

## Verifying the Installation

### Checking Server Status

```bash
# Check health
/opt/spire/bin/spire-server healthcheck

# View logs
journalctl -u spire-server -f
```

### Checking Agent Status

```bash
# Check health
/opt/spire/bin/spire-agent healthcheck

# View logs
journalctl -u spire-agent -f
```

## Troubleshooting

### Common Problems

**Server fails to start:**

```bash
# Check the configuration syntax
/opt/spire/bin/spire-server validate -config /opt/spire/conf/server/server.conf
```

**Agent cannot connect to the Server:**

```bash
# Check network connectivity
nc -zv spire-server 8081

# Check the trust bundle
cat /opt/spire/conf/agent/bootstrap.crt
```

**Workloads cannot obtain an SVID:**

```bash
# Check the Agent socket
ls -la /tmp/spire-agent/public/api.sock

# Check the registration entries
/opt/spire/bin/spire-server entry show
```

## Next Steps

Continue with {doc}`/2.getting-started/quickstart` to start configuring SPIRE.
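The Linux pre-built package steps above run `sha256sum -c`, but the commands that follow it proceed whether or not the check passed. The script below is an added example, not part of the SPIRE project or of this guide: it wraps the same check in a function that refuses to extract an archive whose digest does not match its published `.sha256sum` file, and it ships with a self-contained demonstration built from a constructed placeholder archive (not a real SPIRE release). It assumes GNU coreutils `sha256sum` and `tar`, as the Linux instructions do; the function names `verify_release`, `install_release` and `demo` are this example's own.

```bash
#!/usr/bin/env bash
# Added example (not SPIRE project code): gate extraction of a release archive
# on its .sha256sum file. Assumes GNU coreutils sha256sum and tar.

# verify_release ARCHIVE SUMS_FILE
# Returns 0 only when SUMS_FILE has a line for ARCHIVE's basename and the
# digest matches; 2 when the file has no entry for it; 1 on a mismatch.
# The upstream checksum file lists the archive by bare filename, so the
# check runs inside the archive's directory.
verify_release() {
    local archive="$1" sums="$2"
    local dir base line
    dir=$(dirname "$archive")
    base=$(basename "$archive")

    # Select the exact "digest  filename" (or "digest *filename") line.
    line=$(awk -v f="$base" '$2 == f || $2 == ("*" f)' "$sums")
    if [ -z "$line" ]; then
        echo "verify_release: no entry for ${base} in ${sums}" >&2
        return 2
    fi
    # `sha256sum -c -` reads the checksum line from stdin.
    if (cd "$dir" && printf '%s\n' "$line" | sha256sum -c - >/dev/null 2>&1); then
        return 0
    fi
    echo "verify_release: digest mismatch for ${base}" >&2
    return 1
}

# install_release ARCHIVE SUMS_FILE DEST_DIR
# Verifies first; nothing is written to DEST_DIR unless the digest matches.
install_release() {
    local archive="$1" sums="$2" dest="$3"
    verify_release "$archive" "$sums" || return $?
    mkdir -p "$dest" && tar -xzf "$archive" -C "$dest"
}

# demo: builds a constructed archive with the release's naming scheme, checks
# that the intact copy installs and that a tampered copy (one appended byte,
# same filename, same checksum file) is rejected. Returns 0 when both hold.
demo() {
    local work good bad name rc=0
    work=$(mktemp -d) || return 1
    good="$work/good"; bad="$work/bad"
    name="spire-1.9.0-linux-amd64-musl.tar.gz"   # constructed placeholder
    mkdir -p "$good/spire-1.9.0/bin" "$bad"
    printf 'placeholder, not a real binary\n' > "$good/spire-1.9.0/bin/spire-server"
    tar -czf "$good/$name" -C "$good" spire-1.9.0
    (cd "$good" && sha256sum "$name") > "$good/$name.sha256sum"

    cp "$good/$name" "$bad/$name"
    printf 'x' >> "$bad/$name"

    # Intact archive: must verify and extract.
    install_release "$good/$name" "$good/$name.sha256sum" "$work/opt" \
        && [ -f "$work/opt/spire-1.9.0/bin/spire-server" ] || rc=1
    # Tampered archive: must be refused and leave no files behind.
    if install_release "$bad/$name" "$good/$name.sha256sum" "$work/opt-bad" 2>/dev/null; then
        rc=1
    fi
    [ ! -e "$work/opt-bad/spire-1.9.0" ] || rc=1

    rm -rf "$work"
    return $rc
}

demo && echo "checksum gate behaves as expected"
```

In a real install, run `install_release "spire-${SPIRE_VERSION}-linux-amd64-musl.tar.gz" "spire-${SPIRE_VERSION}-linux-amd64-musl.tar.gz.sha256sum" .` after the two `curl` downloads, and only then `sudo mv` the extracted directory into `/opt/spire`. Because the checksum file is fetched from the same origin as the archive, this catches corruption, truncation and a swapped file, but its assurance is bounded by the TLS connection to GitHub; it is a consistency check, not an independent signature.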