andata
/
rancher-partner-charts
mirror of https://git.rancher.io/partner-charts
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
rancher-partner-charts/charts/intel/tcs-issuer/0.4.0/README.md

3.3 KiB
Raw Blame History

Trusted Certificate Issuer Helm chart

Trusted Certificate Service (TCS) is a K8s service to protect signing keys using Intel's SGX technology. Kubernetes certificate signing request (CSR) and cert-manager CertificateRequest APIs are both supported.

This document covers how to install Trusted Certificate Service (TCS) issuer (TCI) by using Helm charts.

To learn more check the documentation here.

Prerequisites

  • Helm 3.x
  • Kubernetes cluster with SGX node
  • cert-manager Custom Resource Definitions (CRDs)

Installing the Chart

Use the following command to install TCI (to namespace intel-system which will be created).

The Intel's Helm charts repository:

$ helm repo add intel https://intel.github.io/helm-charts
$ helm repo update

Install the chart:

NOTE: This will also install the CRDs.

$ helm install tci intel/tcs-issuer -n intel-system --create-namespace

Use the following command to verify the installation status.

$ helm ls -n intel-system

Uninstalling the Chart

In case you want to uninstall TCI, use the following command:

NOTE: the below command does not uninstall the CRDs.

$ helm delete tci -n intel-system

Configuration

The following table lists the configurable parameters of the TCS issuer chart and their default values. You can change the default values either via helm --set <parameter=value> or editing the values.yaml and passing the file to helm via helm install -f values.yaml ... option.

Parameter Description Default
image.hub Image repository intel
image.name Image name trusted-certificate-issuer
image.tag Image tag Chart's appVersion
image.pullPolicy Image pull policy IfNotPresent
controllerExtraArgs List of extra arguments passed to the controller
imagePullSecrets Array of secrets pull an image from a private container image registry or repository
pkcs11.sopin Create service account V0lwbUJCybc2Oc6M06Vz
pkcs11.userpin Create service account U3BnbGIyTUl3ZV9lSHUy
serviceAccount.create Create service account true
serviceAccount.annotations Dictionary of service account annotations
serviceAccount.name Name of the service account Full name of the chart
podAnnotations Dictionary of pod annotations sgx.intel.com/quote-provider: aesmd
podSecurityContext Dictionary of pod security context settings
service.type Service type ClusterIP
service.port Service port 8443
resources.limits.cpu CPU limit 500m
resources.limits.memory Memory limit 100Mi
resources.limits.sgx.intel.com/enclave SGX enclave limit 1
resources.limits.sgx.intel.com/epc SGX epc memory limit 512Ki
resources.requests.cpu CPU request 100m
resources.requests.memory Memory request 20Mi
resources.requests.sgx.intel.com/enclave SGX enclave request 1
resources.requests.sgx.intel.com/epc SGX epc memory request 512Ki
nodeSelector Dictionary of node selector settings
tolerations Array of tolerations settings
affinity Dictionary of affinity settings